The Ops Risk Tail Wagging CCAR

A new CCAR season is upon us and with it comes another cycle of frustration and confusion for operational risk practitioners. Most in the industry have given up on building stress testing frameworks they believe in and which reflect their honest view of a stressed loss forecast for operational risk even though this is exactly what the exercise intends them to do. Instead, institutions’ efforts are guided by a single objective: to placate regulators. This translates into building frameworks that generate loss forecasts large enough to appease examiners and that address a range of conflicting and ill-defined requirements. Tension between regulators and banks is expected and usually healthy given their diverging objectives, but in the case of operational risk stress testing this tension has led to a breakdown. The root cause of the problem lies in that the Fed has not clearly articulated what its expectations are with respect to operational risk. This is in stark contrast to the well-defined expectations for other risks, such as, for example, credit where the projection is the expected loss of a portfolio conditional on a downturn defined by a rich set of macro variables provided by the Fed as part of the CCAR scenarios. SR 15-18/19, released in late 2015, was the last time the Fed provided any formal guidance on operational risk and it was, at best, incomplete. In it, the Fed took a stance on some specific technical points such as the fact that loss distribution approaches borrowed from the AMA framework were not to be used anymore to project stress losses and that institutions should increase their use of scenarios. Unfortunately, it provided no specifics on how scenarios should be used and on what the role of modeling should be. It clarified a few technical points while remaining mostly silent on the broader more conceptual question of what the objective of the exercise is. The oral feedback received by firms over the course of the past few years has not been much clearer and often has been inconsistent across institutions. The end result is a confusing situation characterized by a wide range of practice and a lack of consistency in the various estimation frameworks. This is in direct contradiction to the objective of the regulatory submission which is to provide a consistent view of the impact of the same scenario across different institutions.

It is undeniable that operational risk is different from the more traditional banking risks such as credit and market because of the large tail events that characterize it. These tail events dominate the data and overshadow other patterns in the data, such as any macroeconomic correlation that may exist. These unique characteristics of operational risk make it necessary to rethink the intent of the exercise and adapt it to the needs of the risk. Simply adjusting the instructions used for other risks will not work, as the facts have made very clear. The dominance of rare idiosyncratic events and the weakness of the macroeconomic correlation result in forecasted losses from macro models that are perceived as too benign, particularly when compared to aggregate losses that institutions have experienced historically. The question then is, if these milder forecasts are an accurate depiction of what to expect in a downturn, why are they not sufficient in the eyes of the regulators? There are two answers to this question. First, they are perceived to not be in the spirit of the exercise which is to provide a stressed scenario view of the firm. Second, regulators, have been conditioned by the capital numbers for operational risk which are driven by extreme tail events and as a result expect any operational risk number to be extremely high. However, these tail events are idiosyncratic events, and the objective of CCAR is to understand the impact of systemic events, which in this context are defined by a macroeconomic shock. If the Fed is not satisfied with the outcome of frameworks that are built to answer the question that is asked by CCAR, then rather than trying to force institutions to inflate their numbers by pulling on various levers, such as pushing for the incorporation of scenarios in a haphazard manner, or claiming a lack of coverage of risks when a bank fails to include an estimate for every potential threat it faces (which would imply that it expects all such threats to unrealistically materialize in the same nine quarter period) it should rethink its whole approach for operational risk. There are a few possible solutions the Fed could adopt. Here are the three that I see as most practical:

1.    Macro only

Accept that operational risk losses are only moderately stressed in a downturn and let banks reflect that in their regulatory submissions, while pushing for a more stressful outcome in the BHC submissions through the incorporation of the idiosyncratic scenario which is meant to reflect the unique threats an institution is facing. While intellectually more coherent, this solution would not sit well with regulators and, to be fair, would not be in the spirit of the exercise. Even if most large operational risk losses are idiosyncratic, the impact of the materialization of such a loss would be very different for an institution if it happened during an economic downturn rather than when the economy is booming.

2.    Standardized objective for scenarios

A second solution would have institutions run more standardized scenarios and aim for a specific target set by the regulator, say the scenario or combination of scenarios need to reflect a one in 100-year event for the institution. Those estimates would be added to the macro estimates to generate the projected stress loss. This approach would introduce a level of standardization in terms of the targeted level of stress while allowing banks to pick their scenarios. For this approach to be successful, more standardization in how scenarios are quantified would be required. Interestingly, banks have taken it upon themselves to create a more comparable and standardized approach to scenario quantification (the ABA is preparing to launch phase 2 of a project in which banks are working together to define the drivers of risk for these idiosyncratic risks). The idea being that the drivers of cyber risk are similar for each bank, how these drivers are calibrated can change, but not the manner in which the risk should be quantified.

3.    Systemic Scenarios

This is the solution I personally prefer, it is based on the idea of emulating the logic used for financial risks which is to identify the drivers of the risk, stress them and then ask institutions to forecast their performance with those stressed values. In the case of operational risk this would mean to create a set of standardized, realistic scenarios, which every institution would have to consider. Those operational risk scenarios would be presented alongside the macro scenarios and complement the picture. For example, if the Fed is concerned from a systemic point of view with a potential large-scale cyber-attack, it should include such a scenario as part of its description of the severely adverse scenario. Every bank would then add an estimate of its impact to its macro stressed operational forecast and the results across the industry would be directly comparable.

After close to a decade of stress testing, it is time for the industry to get some clarity on how to appropriately deal with operational risk. Operational risk is different from the traditional financial risks and will require some re-thinking of the general framework. This does not imply an increased burden on the banks, on the contrary adding clarity to the expectations, even if it comes with some additional requirements, will be received with relief by the industry!