1. Introduction

Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events. This definition includes legal risk but excludes strategic and reputational risk. 

The Basel Committee on Banking Supervision (BCBS) released the final set of rules on operational risk capital in December 2017 for streamlining the operational risk management framework. All existing Basel II approaches for measuring minimum operational risk capital requirements are replaced with a single risk-sensitive standardised approach to be used by all banks.

The new standardised approach for operational risk determines a bank’s operational risk capital requirements based on two components: 

• Business Indicator Component (BIC) - incorporates business indicators based on financial statement
• Internal Loss Multiplier (ILM) - incorporates bank’s historical losses

The approach assumes that operational risk increases at an increasing rate with business indicators and that the banks which have experienced greater operational risk losses historically have a higher likelihood of experiencing operational risk losses in the future.

The implementation date for the revised operational risk framework is 1st January 2023

1. Why introduce a new approach

The three broad approaches which have been used for the calculation of operational risk capital charge are the Basic Indicator Approach (BIA), the Standardised Approach (TSA)/ Alternative Standardised Approach (ASA), and the Advanced Measurement Approach (AMA). 

BIA and TSA/ASA offer simplicity and comparability in capital computation. While both BIA and TSA/ASA use Gross Income as a proxy for operational risk exposure, TSA requires Gross Income to be measured separately for each business line. Flagging of income based on Basel business lines makes TSA relatively difficult to implement in comparison to BIA. 

The common missing link in BIA and TSA/ASA in comparison to AMA is the lack of risk sensitivity based on loss experience of the banks. AMA allows for the estimation of regulatory capital based on a diverse range of internal modelling practices subject to supervisory approval. 

The AMA’s principles-based framework was established with a significant degree of flexibility which was expected to considerably taper down over time. However, the inherent complexity of the AMA and the lack of comparability arising from a wide range of internal modelling practices accentuated variability in risk-weighted asset calculations, which in turn lowered the confidence in risk-weighted capital ratios.

The Basel Committee introduced the new Standardised Approach (SA) in order to lay focus on the simplicity and comparability of capital requirements offered by BIA and TSA/ASA while incorporating the risk sensitivity of AMA in the form of internal loss experience. 

2. Standardised Approach

The capital computation methodology of the standardised approach is based on the following components: 

• Business Indicator (BI) - a financial-statement based  proxy  for  operational  risk
• Business Indicator Component (BIC) - calculated by multiplying the BI by a set of regulatory determined marginal coefficients (αi)
• Internal Loss Multiplier (ILM) - a scaling factor that is based on  a bank’s average historical losses and the BIC.

2. High-Quality Data Requirements

The loss data component required for the calculation of ILM has to be based on 10 years of high-quality loss data. The loss data standards include the following requirements:

• Internally generated loss data calculations to be used for regulatory capital purposes must be based on a 10-year observation period
• Internal loss data should be linked to a bank’s current business activities, technological processes, and risk management procedures. Further, all procedures should be documented and regular independent reviews should be conducted by internal and/or external audit functions
• Internal loss data of the bank must be comprehensive and must capture all material activities and exposures from all appropriate subsystems and geographic locations
• The bank must be able to identify the gross loss amounts, non-insurance, and insurance recoveries for all operational loss events
• Aside from the information on gross loss amounts, the bank must collect “date of occurrence’’, “date of discovery” and the “date or dates of accounting”
• The bank must collect information on recoveries of gross loss amounts as well as descriptive information about the drivers or causes of the loss event

ILM Decision Tree

The ILM is a function of Business Indicator Component (BIC) and Loss Component (LC) where the LC must be based on 10 years of high-quality annual loss data.

As a part of the transition, in case a bank does not have 10 years of high-quality loss data, a minimum of five years of loss data may be used. However, in case of a lack of five years of high-quality loss data, capital may solely be calculated on BIC. The supervisors may ask a bank to calculate capital requirements using fewer than five years of losses when  supervisors believe that the losses are representative of the bank’s operational risk exposure and the ILM is greater than 1

Supervisory Discretion

The new standardised approach provides a lot of discretion to the national supervisors. Supervisory discretions in context to ILM are listed below.

Setting ILM as 1 at national discretion 
Supervisors have the discretion to set ILM as one for all the banks in their jurisdiction, at national discretion (banks would still be subject to the full set of Pillar 3 disclosure requirements)

Use of ILM for Banks in Bucket 1 
ILM for banks whose total BI is within the first bucket is assumed as 1. The national supervisors may however, allow usage of internal loss data while calculating capital  requirements for these banks, given that the loss data collection requirements are met by such banks

ILM in case of less than 5 years data
Supervisors may require banks to calculate capital requirements using fewer than five years of losses if the ILM is greater than 1 and supervisors believe the losses are representative of the operational risk exposure of the banks

Loss Data Exclusion
Banks may seek supervisory approval for excluding certain operational loss events from capital computation which are no longer relevant to the risk profile of banks

Minimum threshold for loss data collection
At national discretion, the minimum loss data threshold of €20,000 for inclusion of loss data in capital computation set could be increased to €100,000

3. Loss Data Capture in Banks

The new standardised approach has a 10 year high quality loss data requirement for including ILM in capital calculation. The SA requires high standard loss data to be identified, collected, treated and maintained. Currently, the banks are in different phases of building internal loss data repository subject to the following regulatory requirements:

• The internal loss data collection has been included as a tool for identifying and assessing operational risk as per principles for the sound management of operational risks
• As per Basel 2 guidelines, the internationally active TSA/ASA banks are required to systematically track relevant operational risk data including material losses by business line
• As per AMA requirement, a minimum five-year observation period of internal loss data should be used to generate operational risk measures
• In January 2013, BCBS published the “Principles for effective risk data aggregation and  risk reporting” (BCBS-239) which applies to G-SIBs and is also recommended for D-SIBs. The guidelines focus on strengthening banks’ risk data aggregation  capabilities and internal risk reporting practices in order to enhance their risk management and decision making processes 

As of now, the banks on advanced approaches are likely to be able to fulfill the high quality loss data requirement.

However, the banks on less advanced approaches may have to substantially increase the coverage and depth of internal loss data reporting.

4. Implication for Banks

System and Procedures

AMA, TSA and ASA banks are currently required to collect operational losses and, in many jurisdictions, they are also required to report these losses to supervisors. Impact on the banks as per their current capital computation approach is provided below - 

• BIA Banks - most likely to invest in new systems, processes and procedures, particularly to meet the new standards on Loss Data Component
• TSA/ASA Banks – likely to substantially realign the Loss data collection procedures and increase the depth of information being collected pertaining to the loss incidents
• AMA Banks – most of the banks already have the loss data collection systems in place. However, the banks may still have to review the quality of internal loss data as per the criteria provided by the new Standardised Approach

Capital Requirements

BCBS monitors the effects of Basel III reforms by assessing the impact on capital requirement of the banks through a Quantitative Impact Study (QIS). The QIS evaluates the changes in operational risk Minimum Required Capital (MRC) to arrive at the impact against the existing framework. 

The sample size for the overall impact analysis consisted of 82 Group 1 or large banks (among them 30 G-SIBs) and 31 Group 2 or small banks. 

• The final OR framework generates an aggregate decrease in MRC of approximately 5.7% for all large banks and an increase of 17.1% for the small banks in the sample. 
• Specifically, for the banks following BIA or TSA/ASA approach, the small banks on an average showed 9.7% increase in MRC whereas the large banks showed 4.2% decrease in MRC. It is to be noted that the median shows a decrease in MRC by 1.7% for small banks and a decrease in MRC of 11.9% for large banks.

Strategic Decisions

The marginal increase in BIC due to an increase in BI is different across the buckets i.e., larger banks will face much higher capital charges as compared to smaller ones. Additionally, the overall capital requirement for the banks with similar BI components differs based on the LDC. This lays stress on the consideration of the capital implications and effectiveness of risk management systems as an essential part of any strategic decision related to business growth.

Risk Control Framework

Traditionally, the focus of operational loss event reporting has been on high severity losses. Also, the general stance on the smaller losses has been to accept them as cost of doing business.

The ILM component introduced by the new standardised approach takes into account the average of all historical losses over the preceding 10 years. Further, all losses from past operational risk events are going to be considered equal in the loss multiplier, regardless of the individual loss amount. This means that high frequency and low impact operational losses will require equal consideration from the management and in the overall risk control framework.

5. Shortcomings of SA

Backward Looking

AMA incentivised banks to make more forward-looking provision for operational risk losses by taking into account the changes in their business environment and internal control functions. However, the new standardised approach takes average historical losses into account which may not be as relevant in accounting for the emerging risks. Losing focus on emerging risks, combined with the fact that banks may no longer employ scenario analysis as an ORM tool, may lead to a situation where the overall quality of operational risk management is deteriorated.

Long Loss Data Window

The loss data collection window of 10 years is bound to penalize the lenders for operational risk incidents dating back up to a decade. And since all risks throughout the loss data window are given equal weight in the new standardised approach, the repercussions on capital requirement due to an operational risk incident occurring today would at least continue for a decade. 

Overstated Comparability

The framework was designed keeping in view the comparability of capital computation approaches across banks and jurisdictions. However, ILM is subject to a lot of supervisory discretions including the discretion to not consider ILM component in capital computation. This attaches a lot of caveats to the initial aim of comparable OR capital across the banks.

6. Next Step