Basel II And Operational Risk - A Primer
The operational risk requirements of Basel II (International Convergence of Capital Measurement and Capital Standards) place a heavy emphasis on the identification, assessment, monitoring and control of operational risk. The ultimate requirements for reserving capital against operational losses are closely linked to the actions that a bank needs to take to manage these risks. Keeping a bank's capital allocation against Operational Risks is a hands-on business, based on controlling and mitigating risk.
Credit risk is well catered for in exceptional detail. Credit risks are clearly understood by all players, for credit is the reason why banks exist. In the current mad scramble to meet the Basel II requirements, credit risks have been getting the lion's share of attention while far less attention has been given to the operational risk issues. Basel II is more than just reserving capital against credit and operational risk. Now for the first time, banks have to take into account the operational risk aspects as well.
To start with, Basel II provides a range of options for determining the capital requirements of credit and operational risks. This allows banks and bank supervisors the opportunity to select the most appropriate option for their operations and their financial market infrastructure. Additionally, allowance is made for a limited degree of national discretion in the way in which each of these options may be applied.
Based on the Basel II requirements, I summarize briefly what needs to be done to effectively implement the operational risk aspects of this important international standard.
The starting point is the board of the bank and the creation of an appropriate "Risk Management Policy". It should be remembered that bank boards generally do not have members with operations experience. Very often board members are drawn from business areas within the bank whose primary concern is revenue generation. Operational risk controls cost money and generally reduce profits, which means that they are not really a popular boardroom subject. Bank boards need to be educated and coaxed into the role they have to play in the mitigation of Operational Risk.
To effectively implement operational risk controls it is first necessary to identify the risks and then to establish appropriate written board policies and procedures to reduce these. These policies are the foundation for the development of risk control measures and need to be established for the whole range of operational issues including products, processing, IT & security and business continuity.
Risk mitigation can only be effective if a centralized risk management unit controls the whole risk reduction process. Most banks' internal risk functions are fragmented and split over numerous areas (such as IT security, internal audit, physical security etc.), which tends to render a common risk policy ineffective. A critical element in the whole approach to operational risk control is the centralization of this function at a director level within the bank.
Once the appropriate policies are in place, the next step is to undertake a risk assessment. Risk assessment is the process that identifies and evaluates the internal and external factors that could adversely affect the achievement of a banking organization's operational, information and compliance objectives. In the full sense of the word this should cover all the risks such as credit, market, liquidity and operational risk. For our purposes we limit our focus to operational risk alone. Under Basel II operational risk is defined as "... the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events". This definition includes legal risk, but excludes strategic and reputational risk.
Basel II is specific on the actions that need to be taken in operational risk management. These actions are based on international risk containment standards, most of which have been developed through the Bank for International Settlements. There is a strong emphasis on detailed definitions and documentation relating to the use of the methods, the development of policies and their implementation. There is less focus on technology and more on doing.
Once the Risk Assessment has been completed the previously defined risk reduction policies need to be implemented.
Implementing Basel II is not a once-off operation. It is an ongoing process aimed at limiting a bank's exposure to risks. In the operational area, this means reducing and containing operational risks so as to control the amount of capital that will have to be reserved. This ongoing process can only be achieved through the following steps:
• Fine-tune Operational Risk controls - New products, processes and techniques will need to be brought under appropriate controls. Existing controls will need to be reviewed and changed where necessary.
• Feedback on Policy - Experience will indicate whether the Operational Risk policy is both effective and appropriate. This may result in the need to refine the Policy and the Controls over time.
About the Author: Stanley Epstein is a Principal Associate and Director of Citadel Advantage Ltd., a consultancy dealing in bank operations and specializing in Operations Risk and Payment Systems. Further information and details can be found at http://www.citadeladvantage.com