Just scrap operational risk — it can't really be measured
Regulation is never going to have the beauty and brevity of a haiku or a nice tweet, but simplicity is still a virtue and complexity a red flag. The Basel Committee’s Operational Risk rules are mind-bendingly complicated, duplicate other regulations and may actively harm prudential supervision. They are the wrong tool for the job.
Banks hold reserves against things they expect to go wrong and extra reserves against things they don't expect to go wrong but that still might. When regulators think banks get their calculations wrong, they ask for extra reserves on top of that.
Operational risk, however, is the kind of risk where measurements don’t really work.
It covers human errors, process errors, screw-ups, fines and pratfalls. When a bank’s systems are hacked, or its ATMs stop working, or it processes payments for sanctioned despots, or it makes up imaginary numbers to benefit its trading book — that’s operational risk.
During the drafting of Basel II, the high water mark of confidence in models, the committee actually allowed banks to model this risk themselves and added capital cost accordingly. Most of the banks came out quite close together — because it was a pure guess, governed by a defined rule-set — but these guesses were totally inadequate to the actual operational risk losses suffered by banks.
The big bank fines and settlements were governed less by models or foresight and more by whether wrongdoing was done to wholesale clients or consumers, whether losses could be litigated, whether the New York Department of Financial Services was involved and whether bank management fought or capitulated.
Some banks seem to have been more prone to operational risk problems than others, but it’s hard to see how this could be predictable — in the same way that, say, loan losses through the cycle in mortgage lending might be.
Bank of America has paid out the GDP of a medium-sized country in fines and settlements, mostly on the back of its $2.5bn acquisition of Countrywide, but it’s hard to imagine what model could have predicted it. Banks across the world have done hundreds of similar acquisitions of smaller mortgage lenders; few of them turned out to mainly originate lawsuits with a small sideline in lending.
But Basel wants a way to measure it, however absurd the project is.
With the tide in models going out, the committee is now casting about for new ways to calculate the cost.
In 2014, it proposed a system that took the size of institution by revenue, added a few nips and tucks and increased the proportional capital charge.
The astute observer may notice that this isn’t too far away from the “G-SIB” surcharge for the largest banks. The more complicated, interconnected and large a bank is, the higher the capital surcharge it pays.
The G-SIB surcharge increases in linear buckets of 0.5%, while the planned operational risk charge was exponential, but the principle is clear — international bank regulation already requires big banks to hold more capital.
At least the operational risk add on is simple — this is how it works:
To compute the BI for year t, a bank must determine the three-year average of the BI, as the sum of the three-year average of its components:
Now Basel has tweaked the operational risk formula to include a 10 year look-back at historic losses from operational risk. Banks that suffered the largest losses will have the highest operational risk capital requirements.
This isn’t totally off base — drivers who crash their cars have higher insurance premiums — but it’s not totally satisfying, either.
BNP Paribas, one imagines, is now among the more cautious banks about handling Sudanese business. If there is a risk of another multi-billion fine related to Sudan, that risk is more likely to crystallise at any other big firm than BNPP.
Most troubling, though, is the persistent idea that operational risk can be measured and reserved, just like credit risk. The very purpose of banks having capital buffers above the minimum is to cope with the unexpected.
Regulators might well feel the capital requirements generated by operational risk are useful — but it would be far simpler, cheaper and easier just to ask for the extra capital. Measuring what cannot be measured gives a false impression of safety and multiplies complexity.
The next consultation on operational risk should be a single line — the Basel Committee will no longer be calculating it.