Top 10 op risks survey shows industry has sights set on the horizon, even when regulators are looking backwards
How relevant are non-financial losses incurred a decade ago to the threats a bank faces today? It’s a question banks have been asking since the Basel Committee on Banking Supervision’s new standardised approach to calculating operational risk capital first hove into view.
Op risk managers have argued vociferously that the backward-looking nature of the new framework may end up eroding the quality of op risk management among banks. By simply setting capital primarily according to a bank’s size, and crudely scaling it to reflect past losses, risk-weighted assets will inherently not reflect a firm’s current risk profile. This will leave op risk managers staring at the rear-view mirror, the argument goes, rather than scanning the horizon for emerging threats.
With lenders still facing penalties for misdemeanours from a decade ago – UBS this week was fined by Hong Kong’s regulator for due diligence failings on a share prospectus dating from 2009 – by the time losses booked today roll off a bank’s 10-year loss history under the new framework, they may relate to events two decades old or more.
This year’s Top 10 Op Risks survey suggests the backward-looking nature of the standardised approach does not reflect the forward-looking nature of most institutions’ top op risk fears. The new category of data management in Risk.net’s annual survey reveals the rising level of bank concern about the risks of misusing customer data, for example.
The spectre of mega-fines under Europe’s draconian new data protection rules may have focused minds in this direction. And yet no bank has so far incurred a significant fine for a breach of the rules, therefore this particular op risk will not have featured prominently in banks’ historical op risk concerns. If risk managers were worried solely about preventing a repeat of past losses, the top 10 op risks would look very different.
Under a previous approach for calculating op risk capital, the AMA, firms were incentivised to make more forward-looking provision for op risk losses by taking into account changes in their business environment and internal control functions. Even if banks wanted to rekindle this technique, they might not be able: many of the quants responsible for scenario analysis have been moved on, with banks disillusioned by their prospects in op risk modelling.
The fate of the body tasked with drawing up the framework for the standardised approach – Basel’s operational risk working group – remains unclear. Multiple sources suggest the group has not met regularly since the acrimonious final deal on the new standardised approach was reached. Its current remit – it is listed as a subcommittee of Basel’s new working group on operational resilience, confusingly – is unclear.
As with other elements of the revised Basel III framework, the op risk deal saw the representatives from European regulators on the committee ranged against US delegates – the latter camp inherently distrustful of op risk modelling, and aggrieved that Europeans had never held AMA banks to the same tough standards as the Federal Reserve. Sources suggest it was the support of UK regulators which ultimately allowed the US to gain the upper hand, and kill off op risk modelling altogether.
Arguably, though, the deal was reached at the expense of Basel’s aim: a standardised, comparable approach that would end wide disparities in capital standards. When the framework is finally phased in during the mid-2020s, national regulators will have the right to let banks under their jurisdiction effectively ignore past losses, removing any element of risk sensitivity from capital requirements.
Given the form of certain national regulators in this regard, it doesn’t take much to see a race to the bottom developing between jurisdictions eager to give their capital-constrained lenders a helping hand.
The schism runs beyond mere politics: it has scuppered initiatives which might have helped improve the quality of banks’ op risk management. After the passage of the standardised approach, the op risk working group is said to have shelved other projects it was working on, such as an update to 2014’s Principles for the sound management of operational risk.
As it is, banks are saddled with out-of-date guidance they have been forced to adapt and revise themselves: the three lines of defence framework, for instance, which has required near-constant revisions at larger firms to make it functional, or Basel’s two-decade-old op risk taxonomy, which features such risks as cheque kiting fraud.
Under the circumstances, it is understandable that op risk managers might find themselves following the title of John Osborne’s most famous play.
A BIS spokesperson did not offer comment when reached.