Laurent de Castelbajac, Manager
Raky Diack-Guissé, Consultant

Operational risk management originated in the industrial sector and became vital to the financial sector following losses caused by failures of internal controls (Barings, Sumitumo, etc.). Since 2004 the Basel Committee has included operational risk in its calculation of capital requirements. In addition, under the pressure of banking regulations, financial institutions have implemented “active management” mechanisms for operational risk.

BaseI II and operational risk
_______________________

Regulators’ major concern has always been to avoid bank failures due to overexposure to risk. A direct way of limiting that risk entails forcing each bank to reduce the total amount of loans made according to its financial soundness, the latter measured by its capital holdings.

It was with this in mind that in 1988 the Basel Committee established the Cooke ratio¹ , which only covered credit risk. The market risk was integrated into the Cooke ration in 1998. Finally, operational risk became part of the Basel II Committee new solvency ratio (2004): the McDonough ratio.

¹ Ratio of bank solvency or Basel 1 ratio: it requires that each financial institution’s capital represent at least 8% of total loans.
 

In addition, Basel II requires banks to implement “active” management of operational risks.

The Basel II measures allow banks to choose between three different approaches in calculating operational risk (in order of growing complexity): “Basic Indicator,” “Standard,” and “Advanced Measurements².”

The chosen approach must be approved by the regulator. This approval is conditional on the implementation of an “active” risk management system that is all the more restrictive given the complexity of the method. In these conditions, why would a bank be interested in putting out the effort to adopt an advanced approach (AMA)? In fact, there are at least three reasons:
 

> Better management through risks: AMA enables more detailed knowledge of known and potential risk.
> Capital savings: provided that the risk level³ (“known” and “potential”) is actually reduced by active measures, the need for capital requirements will decrease relative to the basic approach, which in turn allows for an increase in lending.
> Reduction of direct losses resulting from known risk.

2 Advanced Measurement Approaches or AMA
3 In the move to AMA, the decrease in the capital requirement is not in fact systematically guaranteed, even if this is generally the case.

The current situation of banks
________________________

Currently, nearly two-thirds of French banks employ the standard method or higher. That means that in these banks an active risk management framework has been put in place, including at least an operational risk manager, a loss event database, and risk mapping.

The 2007 French Banking Commission report⁴ on the progress of banks in operational risk management raises several interesting questions about the current approaches.

4 First assessment of the authorization process of internal approaches within the context of the new solvency ratio.

Risk mapping

The report reminds us that risk maps are most often derived from processes maps. The principal problem encountered is the difficulty in maintaining an exhaustive map approved by the professional experts.
Furthermore, the criteria allowing a choice of so-called “significant” risks have not been formalized, which leaves a great deal of room for subjectivity.

Rating (evaluating) risks

As for risk rating in terms of seriousness and probability, progress remains to be made in terms of consistency of rating practices, reproducibility, and reliability.

Loss event database

The French Banking Commission report focused in particular on the data collection process. Indeed, there are doubts about the exhaustiveness of recorded incidents. Loss events are not in fact systematically declared (the degree of exhaustiveness may vary according to the event type, the institutional culture, etc.).

Finally, the data collection rules differ from one institution to another and may have a non-negligible impact on risk analyses inferred from the loss event database.

A classic example of this is the loss threshold: certain institutions report event down to a single euro, others prefer higher thresholds.

Even if it was published in 2007, the report provides a good picture of one of the difficulties of the current approaches.


Improving the risk management framework
___________________________________

Operational Risk Management mechanisms have several objectives:

> Ensure a capital measurement accepted by the Banking Commission and advantageous to the bank (at an equal risk level),
> Provide an accurate and precise picture of the level of risk,
> Genuinely reduce known losses,
> Actually lower potential losses,
> And all this at a reasonable cost.

It is therefore advisable to optimize the components of the approach to that end. In this regard, it may be desirables to employ well-tried methods (Six Sigma, Lean – see insets) in order to make certain components more reliable.


Improving operational performance
____________________________

Reducing risk is not an end in itself and by shooting for zero risk a firm simply increases the likelihood of putting the break on business growth. Furthermore, isn’t the best way to eliminate risk simply to close up the business?

Keep in mind that reducing risks is but one of the components that go into improving performance, which also aims at reducing delays, costs, and errors.

However, any approach to improving processes depends on knowledge of the business.
Mapping business activities and processes is in fact one of the by-products of the Basel II plans. Moreover, the event database offers precious information about known malfunctions.

The Operational Risk Management techniques implemented by banks can thus be reused and serve as the basis for a genuine approach to improving performance, which should aim not only at reducing risks but also at reducing operating costs, errors, and increasing customer satisfaction.

For not-yet fully developed processes with a great potential for improvement, these objectives can be easily pursued at the same time.

We are currently seeing a fundamental movement tied to the growing industrialization of banking processes. Most big banks have thus begun to launch programs inspired by the Lean and Six Sigma methodologies.

Only the future will show if the approaches will end up becoming the norm in banks as has been the case in industry or if the banking “industry” will remain an exception. •

EXEMPLE: EVENT DATABASE

The loss event database is a quintessential measurement instrument that provides a picture of past known risks. It is still necessary that the events be faithfully reported, that information is relevant and exploitable, that the risk measurement is reproducible, and that the effort that goes into reporting is reasonable.

The controls are supposed to address the causes of risks. They have often been defined by the professional experts following good sense and the principle of trial-and-error (which is part control “self-evaluation” plays).

> The event data collection and processing process may be, as with any process, optimized in terms of cost and timeframes, with a classic approach like “Lean.” Furthermore, the loss event database gains in accuracy, objectivity, and reproducibility through certain Six Sigma methodological tools.
> Determining the appropriate controls is at the heart of the Six Sigma method. Starting from a known, identified, and calculated risk, one can determine the underlying causes (and not only the apparent causes) of the risk and, in this way, provide the most appropriate controls.