The Head of Operational Risk of this leading European financial services group explained the rationale for the adopted approach: “Our regulator’s requirements, based on those of the Basel Committee of Banking Supervisors, are clear – financial institutions, irrespective of approach to Pillar 1 capital, are required under Pillar 2 to assess the adequacy of their Pillar 1 capital, taking into account various non-Pillar 1 factors and including reputational impact. The question we had to address was how to verify what is essentially a revenue based metric with risk-based variables”.
Pillar 1, under the Standardised Approach, uses a measure which adopts a percentage of three-year gross income by business line activity as the basis for determining the required amount of capital to be set aside for operational risk. It assumes that the greater the gross income, the more capital should be set aside, i.e. the greater the risk.
“With the assistance of our operational risk advisors, RiskBusiness, we decided that the most appropriate approach was to identify relevant scenarios, assess the potential impact of such scenarios and then use the scenario analysis output as an input into an OpVar model to establish the required Pillar 2 capital number,” he stated. “We accepted that the Pillar 1 and Pillar 2 numbers could be significantly different, given one was a gross income value and the other a risk-based value, but there is no other viable alternative for ICAAP. Using the output of our annual RCSA process, our internal loss event database and by including specific management concerns, we developed a list of potential risk areas to be considered for scenario purposes. We then used the RiskBusiness Scenario Library to identify relevant scenarios to be assessed”.
But herein lies the challenge – the selection of scenarios was not arbitrary – it took into account inputs from the annual RCSA process, from the firm’s internal loss database, from its business environment assessment and from a specific assessment of material risks affecting the Group, specifically those which had reputational implications.
The bank had subscribed to the KRI Library in 2006 and had worked with RiskBusiness on its RCSA program since late 2007. Mike Finlay, CEO at RiskBusiness, explained the process: “Given that the bank already employs the RiskBusiness Taxonomy for operational risk classification, using the RiskBusiness Scenario Library as the source of relevant scenarios was an obvious decision – the Scenario Library uses the same underlying Taxonomy and thus individual scenarios could be transposed directly onto the identified risk areas. What was more difficult was to devise the process by which peer pressure and bias could be removed from the actual scenario assessment process”. By adopting a group briefing approach followed by iterative individual assessment sessions with anonymised feedback between sessions, executive management completed the assessment of the set of identified scenarios.
“What was of enormous value to us was the degree to which this process increased risk awareness. Many senior executives had never had the time to consider how significant different types of operational risk could become – by assessing these scenarios, a completely different perspective was introduced and this has certainly increased both risk awareness and risk understanding”, stated the Head of Operational Risk. “In the first iterations, participants were more certain around frequency than they were on impact. But once we started providing group feedback, participants began reassessing their earlier responses and a greater risk awareness became apparent”.
To develop a scenario-based OpVar number, RiskBusiness introduced the bank to its strategic partner, CIRANO, the Canadian inter-university “thinktank” which specialises in finding answers to difficult problems. Bryan Campbell, Vice President, Finance Group at the Centre for Interuniversity Research & Analysis of Organizations (CIRANO) and Associate Professor of Economics at Concordia University, led the CIRANO team which converted the scenario output into an OpVar number. As the responses of the participants in the scenario assessment process could be divided into two groups, typical and extreme, the OpVar process essentially developed a “typical” operational risk capital number and an “extreme” or worst possible case operational risk number. The question then facing the bank was whether the Pillar 1 capital figure fell within this ICAAP range.
“Waiting for the modelling results was a nervous time,” says the Head of Operational Risk. “After all our efforts in building a value-additive operational risk process within the Group and in increasing risk awareness, what if the Pillar 2 capital was significantly different to the Pillar 1 capital number?” The bank was attempting to validate a non-risk measure with a risk-based approach – this was new, the first time to anyone’s knowledge that this had been attempted – but there was no other alternative if the bank was to comply with the Pillar 2 requirements of stress-testing its capital adequacy numbers.
The final result was that the Pillar 1 capital number was close to the “typical” OpVar Pillar 2 capital number for operational risk. “This is extremely encouraging,” responded the Head of Operational Risk. “It would seem that we are on the correct path with our operational risk program – now we have the challenge of increasing participation in our scenario analysis program and in addressing other, non-capital specific areas as well, such as business resilience, information security and the identified worst case operational risks”. The Pillar 2 ICAAP results for operational risk were then combined with the ICAAP output for the other Pillar 2 risks in preparation for the annual ICAAP submission to the relevant regulator.