Is Basel trying to destroy Operational Risk Management?
Just this week, the Basel Committee on Banking Standards (BCBS) published two documents on Operational Risk Management which are stunning in their banality.
The first is a revision to the “principles for the sound management of operational risk”, the second is a new initiative called ‘principles for operational resilience’, which is linked to a new principle in the revision.
Both of these documents are masterpieces of ‘cut and paste’ without any deep analysis as to a) why change is needed (which it is), and b) what theories and/or empirical evidence are being used to justify changes, merely ‘here they are, discuss’.
The changes appear to be lacking in any deep thought about the very real problems the BCBS is trying to resolve, and there appears to be a clear lack of knowledge in the areas that they are trying to regulate[1].
While it must be admitted that both documents are described as ‘Consultative’, requesting feedback by 6 November 2020, we have been caught by this trick before. Operational Risk professionals have been here before and, above all others, should recognize the ‘Framing Effect’, colloquially setting up a situation where the person posing the question gets the answer that they want.
The ‘framing’ here is ‘everything is basically OK – only a few tweaks here and there and everything will be just fine, honest’.
In reality, Operational Risk Management is in crisis, invariably missing large-scale Operational Risk Events[2] (OREs), such as PPI and GFC, but also because even its own members[3] are undermining their work by jumping on bandwagons such as ‘non-financial risk’ and ‘operational resilience’.
CAUTION: We have been here before!
Standardised Measurement Approach
For those with a short memory, remember the fiasco that was the ‘consultation’ in 2016 on the last major change to ORM, i.e. the introduction of the ‘Standardised Measurement Approach’ (SMA) for computing Operational Risk Capital (ORC).
In the guise of simplifying calculation of ORC (which was indeed in need of some change), the BCBS proposed a new formula that was based neither on theory nor on empirical evidence. The suggested SMA method was based on a set of arbitrary formulae with arbitrary parameters, which were never justified by theory or observations.
The new formulae were panned by OR theorists and practitioners[4].
Nonetheless, after the consultation, the BCBS adopted the original proposal merely making minor changes to formulae and parameters again without justifying any of the underlying logic. The consultation was a sham, but an expensive sham as the industry is spending millions to implement the necessary change for no discernible benefits.
Basel regulators do not seem to realize that their (half-thought-through) suggestions actually cost real money, because they never consider, never mind measure, the cost-benefits of their regulation. Note that, having started in 2016, the latest date for implementation of SMA is 2023, a whole 7 years after the original ‘thought bubble’.
Financial institutions should not fall for that con-trick again.
Principles for the sound management of operational risk
The revised Principles for the sound management of operational risk gives a sort of rationale for the proposed changes to the principles. In 2014 (yes, SIX years ago) the BCBS had a review of the principles that found that “several principles had not been adequately implemented, and further guidance would be needed to facilitate their implementation in the following areas:
“a) risk identification and assessment tools, including risk and control self-assessments (RCSA), key risk indicators, external loss data, business process mapping, comparative analysis, and the monitoring of action plans generated from various operational risk management tools;
b) change management programmes and processes (and their effective monitoring);
c) implementation of the three lines of defence, especially by refining the assignment of roles and responsibilities;
d) board of directors and senior management oversight;
e) articulation of operational risk appetite and tolerance statements; and
f) risk disclosures.”
In other words, the Principles are not working!
Now one would assume that given such a long time for thought, the BCBS would have done a significant amount of research into each of these topics – far from it, the analysis (where it exists) is superficial at best.
Nowhere is this shallowness more obvious than in the topic of “three lines of defence”, a concept that has proven to be seriously flawed in practice; see, for example, the case of Danske Bank.
The new Principles do not address the concept of 3LOD, other than that banks should do something with three lines of defence. There is absolutely no analysis of why there are real problems with 3LOD, why the concept may not work and has not worked in practice in some/many firms. In other words, a complete lack of justification of why changes are necessary.
In the document, there are numerous examples of what look like arbitrary, or if not arbitrary then not properly justified, proposals, but one example should suffice.
Principle 1 (role of the Board)
In the latest document, the role of the Board is described in Principle 1:
“Principle 1: The board of directors should take the lead in establishing a strong risk management culture, implemented by senior management. The board of directors and senior management should establish a corporate culture guided by strong risk management, set standards and incentives for professional and responsible behaviour, and ensure that staff receives appropriate risk management and ethics training.”
In the previous iteration of this document the role of the Board is described thus:
“Principle 1: The board of directors should take the lead in establishing a strong risk management culture. The board of directors and senior management should establish a corporate culture that is guided by strong risk management and that supports and provides appropriate standards and incentives for professional and responsible behaviour. In this regard, it is the responsibility of the board of directors to ensure that a strong operational risk management culture exists throughout the whole organisation.”
At first glance, the principles are the same but on closer examination they are different in two key respects:
- In the current iteration, the board must “ensure that staff receives appropriate risk management and ethics training”; and
- In the original iteration, the key statement “it is the responsibility of the board of directors to ensure that a strong operational risk management culture exists throughout the whole organisation” has been removed.
WHY have these changes been made?
For example, there is no definition of ‘ethics’ in the document nor how the concept integrates with Operational Risk. It should be noted that the author has expanded on ethics and ‘codes of conduct’ in relation to Operational Risk, but that is in a whole book on People Risk[5], not a throwaway line in a principles document. The change in the BCBS document is superficial and ill thought through.
The new Principle 1 no longer delineates the responsibility of the board to “ensure that a strong operational risk management culture exists throughout the whole organisation”. This is a critical definition of board responsibilities that should not be dropped, but if such a change is proposed, then someone should at least explain WHY.
This is just shoddy!
A quick analysis shows that changes have been made without explanation or justification throughout the document. There are too many to discuss in this overview, and ultimately not worthwhile unless the BCBS is prepared to listen.
Operational resilience principles
The second document expands on a new principle in the main document:
“Principle 10: Banks should implement robust ICT governance that is consistent with their risk appetite and tolerance statement for operational risk and ensures that their ICT fully supports and facilitates their operations. ICT should be subject to appropriate risk identification, protection, detection, response and recovery programmes that are regularly tested, incorporate appropriate situational awareness, and convey relevant information to users on a timely basis.”
While it is hard to argue that it is well past time that IT has been identified as a key operational risk, this principle trivialises the problem. And, trivialising the problem makes it impossible to implement and monitor solutions.
IT risk management is a well-established discipline, with a number of different governance, implementation and cyber security standards, including: ISACA/COBIT, NIST, ISO 27001, BS 31111, ISO 38500, ISO 42010, ITG, TOGAF, as well as FAIR. But none of these, nor the complexity associated with this topic, is discussed or referenced.
IT Governance, in particular, is a highly complex topic, trivialised by the bland descriptions in the principles document.
The operational resilience document is little more than a high-level and incomplete wish list that trivialises the amount of work needed to properly manage technology risk in a modern financial institution[6].
Having identified the need for managing technology risk, the BCBS just has not done the work needed to give even the minimal appreciation for what is involved. The approach is amateurish.
Suggested reply to the consultation:
“Please give the rationale, including evidence, for making the changes to the original principles document and expand detail in the operational resilience proposal.”
[1] This is not helped by the fact that it is habitual in such documents that the authors are anonymous and no details of their backgrounds and qualifications are provided.
[2] Mainly because the definition of ‘operational risk’ is no longer relevant – too narrow.
[3] See APRA https://www.apra.gov.au/news-and-publications/apra-sets-out-stronger-more-transparent-approach-to-regulating-and
[4] See Peters G.W., Shevchenko P.V., Hassani B. and Chapelle A. (2016) ‘Should the advanced measurement approach be replaced with the standardized measurement approach for operational risk?’ Journal of Operational Risk, 11 (3);
McConnell P. J. (2017) ‘Standardised Measurement Approach - Is Comparability attainable?’ Journal of Operational Risk, 12 (1); and
Mignola G., Ugoccioni R. and Cope E. (2016) ‘Comments on the Basel Committee on Banking Supervision proposal for a new standardized approach for operational risks’ Journal of Operational Risk, 11 (3)
[5] See Blacker K. and McConnell P. J. (2015) People Risk Management, Kogan Page April 2015
[6] See McConnell P. J. (2017) Strategic Technology Risk, Risk Books
Consulting and Training - Risk Advisory specifically in the areas of ORM, BCM, ERM, Vendor risk, IS/CS/IT risk, FRM/AML, Compliance risk etc.
Agree. I don't think a large % of boards/senior management understand Ops risk (OR). Lots of confusion in the people who prepare and ratify such docs. Weak ops and the resultant frauds/losses/penalties are noticed at the time such events happen and forgotten when attention on these gets diluted. Even within Risk Management Verticals (RMV), OR is given poor treatment due to lack of understanding and unwillingness to understand the concepts of OR. Still today the confusion in treatment of credit ops events as credit risk by many firms (although the event may have come primarily from poor onboarding, verification, monitoring angles of credit Ops) as the definition says is difficult to comprehend. There should be much more detailed clarifications on distinction of events from Basel on treatment of overlaps between different risk verticals. Discussions on various RMVs also happen in silos with no cross participation, although a lot of integration and cross participation is needed. E.g. the portfolio strengths and weaknesses of credit are viewed from a lens of macro indicators even though the weaknesses may be poor credit operations, and ops risk involvement and remarks should have been included. Yes, from my experience ops risk is not understood.
Kudos to Patrick McConnell for calling out the BIS for sloppy thinking. I wish it were otherwise.
Consulting and Training - Risk Advisory specifically in the areas of ORM, BCM, ERM, Vendor risk, IS/CS/IT risk, FRM/AML, Compliance risk etc.
Agree totally with the author. Ops risk has already been undermined. It is treated as a separate tool not understood by a large number of Senior Management of most of the organizations. Operations stretches across all domains including credit, forex, trade finance, credit risk, market risk etc. across all systems and models, but my experience in organizations has shown that it is not viewed as the most important component of enterprise risk; but sad that neither Basel gives any thought to it in the required manner nor any regulator or management gives much thought to these issues. Only focus is on some formulas, as the Author says, which really do not make much sense in control of Operational risk, or talk about RCSA, KRI or loss data which have simply become a tick box with no real value taken out of these results. Sound principles when brought out initially was really a very good article; there was not much needed on this. Instead of spending time on these, thoughts could have been put on how any operations (liability, asset, treasury, trade finance etc.) could be strengthened as well as effective use of Operational risk in enterprise risk management. Good to see some enlightening article. Rgds
Deputy General Manager, HR Operations at IDBI Bank
Very Good Points. The title says everything. A discipline which can be applied to all industries and areas is treated badly and neglected. The risk culture should start while framing policies or guidelines for better understanding and it should be implemented in a timely manner. Operational risk is neglected in organisations mainly due to the vague guidelines. Unless BCBS has a Resilience plan for Operational Risk Management soon, the discipline will be cornered and will remain on paper. That will be sad news for many aspirants.