Advanced Measurement Approach (AMA)

For a bank to receive regulatory approval to implement AMA, it must
pass the “use test” and show that it is using AMA to manage the
day-to-day operational risk resident in its activities. It is
important to remember that all employees in a bank – regardless
of whether they work in production, infrastructure or governance
functions (“user community”) – are responsible for managing
operational risk. We believe there should be certain elements
of all employees’ job descriptions that require them to address
internal control structure-related matters. AMA requires that a
separate department – usually resident in the risk management
discipline – independently measures, monitors and controls
operational risk in a fashion not unlike credit, market and
strategic risks. This department should be composed of
professionals who are well versed in business line operations
and have strong risk and control-oriented backgrounds,
supplemented by members who have strong analytical skills.

Although the Basel definition of operational risk excludes
reputation risk, we have seen instances where banks have included
reputation risk as a subset of operational risk and capitalized
for it within the operational risk charge. Whether included
within operational risk or not, reputation risk has become a
high-profile element of banks’ risk profiles and should be
capitalized for.

Regulators will only grant banks approval of their AMA programs
if they are able to comparatively calculate operational risk
capital under the Basic Indicator or Standardized approaches
(other acceptable risk management approaches include Enterprise
Risk Management (ERM)). These calculations are straightforward
and should be coordinated between banks’ risk management and
finance disciplines, with technology support if and where
required.

The following are the building blocks of AMA:
1. Baseline Component
o Internal loss data should be collected
by the user community and then validated for accuracy and
completeness, on a timely basis, by the operational risk
department liaising with finance to ensure that the losses are
properly reflected in the books and records of the bank.
o Scenarios should be developed by the
user community, as required, and validated for applicability by
operational risk.
o Key Risk Indicators (KRIs) are
important metrics banks should use to demonstrate that they are
measuring the risks they are managing. In addition, KRIs can be
helpful in assisting participants to develop scenarios
simulating loss events.
o Expected losses (i.e., calculated by
multiplying the frequency of an event by its severity) result
from calculations based on loss history (i.e., internal loss
data and scenarios).
o Multipliers – which represent the estimated volatility of
losses – are applied to “expected” losses to arrive at the
baseline component of operational risk capital. Multipliers
represent “unexpected” levels of operational losses. These
multipliers:
   o Are calculated by loss types such as client restitution,
     legal liability, fraud, regulatory fines and transaction
     processing errors;
   o Vary in magnitude depending on the business line; and
   o Represent the factor associated with the difference between
     the worst-case event or scenario and the average of the loss
     history used over a defined period.
Generally speaking, operational loss events in retail activities
occur more frequently but are less severe: they are more
“expected”, the magnitudes of the individual events in the loss
history tend to be close to the average, and therefore their
multipliers are lower. Operational loss events in wholesale
activities occur less frequently but are more severe: they are
more “unexpected” (e.g., legal settlements), the magnitudes of
the individual events in the loss history are less homogeneous,
and accordingly their multipliers are higher. Wealth management
operational loss event frequencies and severities fall in
between retail and wholesale, and thus their multipliers tend to
be greater than those in retail but lower than those in
wholesale.
o Loss history should be reviewed at
least annually by the user community and operational risk
department to ensure that one-time events do not skew the data
in a misleading fashion.
o External loss data should be used as a
tool by a bank to ensure its operational risk program is
robust. A range of consortia and services have emerged
providing external operational risk event information. Before
committing to any arrangements with these providers, we
recommend that banks conduct thorough due diligence to ensure:
(1) the data sourced is relevant given the size and business mix
of the bank; and (2) that if it is asked to share its own loss
data, the bank carefully reviews the nature of what it is
pooling with others so as to maintain confidentiality. Banks
should ensure that the data they purchase adds value and is not
simply the product of “automated media clippings”.
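
The baseline calculation described above, carried through on a constructed loss history. This is an added example, not part of the original article. The event data, the function name `baseline_capital`, the reading of the multiplier as worst-case loss divided by average loss, and the reading of "applied" as multiplication are assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed loss history: (business_line, loss_type, year, loss_amount).
LOSS_EVENTS = [
    ("retail", "fraud", 2021, 9_000), ("retail", "fraud", 2021, 10_000),
    ("retail", "fraud", 2022, 11_000), ("retail", "fraud", 2022, 10_000),
    ("retail", "fraud", 2023, 12_000), ("retail", "fraud", 2023, 8_000),
    ("wholesale", "legal liability", 2021, 200_000),
    ("wholesale", "legal liability", 2023, 1_800_000),
]
YEARS = 3  # length of the defined observation period (constructed)


def baseline_capital(events, years):
    """Group losses by (business line, loss type) and derive baseline capital."""
    groups = defaultdict(list)
    for line, loss_type, _year, amount in events:
        groups[(line, loss_type)].append(amount)

    results = {}
    for key, amounts in groups.items():
        frequency = len(amounts) / years      # events per year
        severity = mean(amounts)              # average loss per event
        expected_loss = frequency * severity  # article: frequency x severity
        # Assumption: multiplier = worst-case event / average of the history.
        multiplier = max(amounts) / severity
        results[key] = {
            "frequency": frequency,
            "severity": severity,
            "expected_loss": expected_loss,
            "multiplier": multiplier,
            # Assumption: the multiplier is applied by multiplication.
            "capital": expected_loss * multiplier,
        }
    return results


if __name__ == "__main__":
    for (line, loss_type), r in baseline_capital(LOSS_EVENTS, YEARS).items():
        print(f"{line:10} {loss_type:16} EL={r['expected_loss']:>12,.0f} "
              f"x{r['multiplier']:.2f} -> capital={r['capital']:>12,.0f}")
```

The frequent, homogeneous retail losses produce a multiplier near 1, while the two widely spread wholesale losses produce a higher one, matching the retail versus wholesale contrast in the text.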
2. Qualitative Adjustment Component
A bank’s RCSA (Risk and Control Self Assessment) process
should be inclusive of all
facets of the user community, focus on key controls across all
categories (e.g., financial, entity-wide, non-financial, etc.),
and leverage existing processes such as those used to provide
assertions enabling SOX 404 certifications. Banks should tailor
their approaches to different control categories. Unlike the
well-established and rigid SOX testing approach for financial
controls, KRIs can be leveraged in order to ensure correlation
with key non-financial controls and to assist the managers in
the user community to monitor (instead of test) key control
performance in concert with KRIs and related thresholds.

Banks need to carefully develop their RCSA process to ensure
that RCSA does not become a bureaucratic exercise that brings
the bank to a halt and is
perceived not to add value. Output (i.e., risks and deficiencies
which will be hereafter collectively referred to as “issues”)
from RCSA should be arranged according to severity, so that
capital charges of the right magnitude are assigned in
attributing operational risk capital in the form of qualitative
adjustments (QAs). These QAs should vary according to the
severity of the issue (i.e., a “high” rated issue would attract
a larger capital charge than a “medium” or “low” rated issue)
and be added to the baseline component of capital, where
applicable, in order to arrive at total operational risk
capital. In this way, incentives are provided to the user
community to prioritize and address issues in a risk and/or
severity-ordered fashion.

In order to ensure the portfolio of QAs is right-sized,
we have seen instances where
banks have infrastructure and governance representatives attend
production division RCSA working sessions and vice-versa to
ensure consistency and continuity is maintained. We have also
seen programs in which infrastructure and/or governance
functions are attributed QA capital in respect of issues they
are responsible for remediating.
Thereafter, that QA capital would be allocated
to production divisions using a
methodology similar to cost allocations. This type of two-step
attribution and allocation creates “constructive tension” in the
organization and serves as a further motivator to address risks
and deficiencies on a timely basis. In addition, we have seen
instances where executives ultimately responsible for risk and
control functions meet to review and consolidate RCSA output to
ensure only the appropriate issues are escalated to senior
management and the Board. In short, organization-wide
transparency of prioritized issues can only benefit a bank.