Basel ii in the United States of America
From the Basel ii Compliance Professionals Association (BCPA), the largest association of Basel ii Professionals in the world
Final Rule, USA: Risk-Based Capital Standards: Advanced Capital Adequacy Framework — Basel II
Operational risk data and assessment system
A bank
must have an operational risk data and assessment system
that incorporates on an ongoing basis the following four
elements: internal operational loss event data, external
operational loss event data, results of scenario
analysis, and assessments of the bank’s business
environment and internal controls.
These
four operational risk elements should aid the bank in
identifying the level and trend of operational risk,
determining the effectiveness of operational risk
management and control efforts, highlighting
opportunities to better mitigate operational risk, and
assessing operational risk on a forward-looking basis.
A
bank’s operational risk data and assessment system must
be structured in a manner consistent with the bank’s
current business activities, risk profile, technological
processes, and risk management processes.
The
proposed rule defined operational loss as a loss
(excluding insurance or tax effects) resulting from an
operational loss event.
Operational losses included all expenses associated with
an operational loss event except for opportunity costs,
forgone revenue, and costs related to risk management
and control enhancements implemented to
prevent future operational losses.
The
definition of operational loss is an important issue, as
it is a critical building block in a bank’s calculation
of its operational risk capital requirement under the
AMA.
More
specifically, the bank’s estimate of operational risk
exposure – the basis for determining a bank’s
risk-weighted asset amount for operational risk – is an
estimate of aggregate operational losses generated by
the bank’s AMA process.
Many
commenters supported the agencies’ proposed definition
of operational loss and viewed it as appropriate and
consistent with general use within the banking industry.
Some
commenters, however, opposed the inclusion of a specific
definition of operational loss and asserted that the
proposed treatment of operational loss is too
prescriptive.
In
addition, some commenters maintained that including a
definition of operational loss is inconsistent with the
New Accord, which does not explicitly define operational
loss.
In
response to a specific question in the proposal, many
commenters asserted that the definition of operational
loss should relate to its impact on regulatory capital
rather than economic capital concepts.
One
commenter, however, recommended using the replacement
cost of any fixed asset affected by an operational loss
event to reflect the actual financial impact of the
event.
Because operational losses are the building blocks in a
bank’s calculation of its operational risk capital
requirement under the AMA, the agencies continue to
believe that it is necessary to define what is meant by
operational loss to achieve comparability and foster
consistency both across banks and across business lines
within a bank.
Additionally, the agencies agree with those commenters
who asserted that the definition of operational loss
should relate to its impact on regulatory capital.
Therefore, the agencies have adopted the proposed
definition of operational loss unchanged.
In the
preamble to the proposed rule, the agencies recognized
that there was a potential to double-count all or a
portion of the risk-based capital requirement associated
with fixed assets.
Under
the proposed rule, the credit-risk-weighted asset amount
for a bank’s premises would equal the carrying value of
the premises on the financial statements of the bank,
determined in accordance with GAAP.
A
bank’s operational risk exposure estimate addressing
bank premises generally would be different than, and in
addition to, the risk-based capital requirement
generated under the proposed rule and could, at least in
part, address the same risk exposure.
The
majority of commenters on this issue recommended
removing the credit risk capital requirement for
premises and other fixed assets and preserving only the
operational risk capital requirement.
The
agencies are maintaining the proposed rule’s treatment
of fixed assets in the final rule.
The
New Accord generally provides a risk weight of 100
percent for assets for which an IRB treatment is not
specified.
Consistent with the New Accord, the final rule provides
that the risk-weighted asset amount for any on-balance
sheet asset that does not meet the definition of a
wholesale, retail, securitization, or equity exposure is
equal to the carrying value of the asset.
Also
consistent with the New Accord, the final rule continues
to include damage to physical assets among the
operational loss event types incorporated into a bank’s
operational risk exposure estimate.
The
agencies believe that requiring a bank to calculate both
a credit risk and operational risk capital
requirement for premises and fixed assets is justified
in light of the fact that the credit risk capital
requirement covers a broader set of risks, whereas the
operational risk capital requirement covers potential
physical damage to the asset.
The
agencies view this treatment of premises and other fixed
assets as consistent with the New Accord and have
confirmed that the approach is consistent with the
approaches used by other jurisdictions implementing the
New Accord.
A bank
must have a systematic process for capturing and using
internal operational loss event data in its operational
risk data and assessment systems.
The
final rule defines a bank’s internal operational loss
event data as its gross operational loss amounts, dates,
recoveries, and relevant causal information for
operational loss events occurring at the bank.
Under
the proposed rule, a bank’s operational risk data and
assessment system would include a minimum historical
observation period of five years of internal operational
losses.
With
approval of its primary Federal supervisor, however, a
bank could use a shorter historical observation period
to address transitional situations such as integrating a
new business line.
A bank
also could refrain from collecting internal operational
loss event data for individual operational losses below
established dollar threshold amounts if the bank could
demonstrate to the satisfaction of its primary
Federal supervisor that the thresholds were reasonable,
did not exclude important internal operational loss
event data, and permitted the bank to capture
substantially all the dollar value of the bank’s
operational losses.
Several commenters expressed concern over the proposal’s
five-year minimum historical observation period
requirement for internal operational loss event data.
These commenters recommended that the agencies align this
provision with the New Accord, which allows for a
three-year historical observation period upon initial AMA
implementation.
While
the proposed rule required a bank to include in its
operational risk data and assessment systems a
historical observation period of at least five years for
internal operational loss event data, it also provided
for a shorter observation period subject to agency
approval to address transitional situations, such as
integrating a new business line.
The
agencies believe that these proposed provisions provide
sufficient flexibility to consider other situations, on
a case-by-case basis, in which a shorter observation
period may be appropriate, such as a bank’s initial
implementation of an AMA.
Therefore, the final rule retains the five-year
historical observation period requirements and the
transitional flexibility for internal operational loss
event data, as proposed.
In
relation to the provision that permits a bank to refrain
from collecting internal operational loss event data
below established thresholds, a few commenters sought
clarification of the proposed requirement that the
thresholds must permit the bank to capture
“substantially all” of the dollar value of a bank’s
operational losses.
In particular, they questioned whether a bank must collect
all or a very high percentage of operational losses or
whether smaller losses could be modeled.
To
demonstrate the appropriateness of its threshold for
internal operational loss event data collection, a bank
might choose to collect all internal operational loss
event data, at least for a time, to support a meaningful
analysis around the appropriateness of its chosen data
collection threshold.
Alternatively, a bank might be able to obtain data from
systems outside of its operational risk data and
assessment system (for example, the bank’s general
ledger system) to demonstrate the impact of choosing
different thresholds on its operational risk exposure
estimates.
With
respect to the commenters’ question regarding modeling
smaller losses, the agencies would consider permitting
such an approach based on whether the approach meets the
overall qualification requirements outlined in the final
rule.
In particular, the agencies would consider whether the bank
satisfies those requirements pertaining to a bank’s
operational risk quantification system as well as its
control, oversight, and validation mechanisms.
Such
modeling considerations, however, would not eliminate
the requirement for a bank to demonstrate the
appropriateness of any established internal operational
loss event data collection thresholds.
A bank
also must establish a systematic process to determine
its methodologies for incorporating external operational
loss event data into its operational risk data and
assessment systems.
The
proposed and final rules define external operational
loss event data for a bank as gross operational loss
amounts, dates, recoveries, and relevant causal
information for operational loss events occurring at
organizations other than the bank.
External operational loss event data may serve a number
of different purposes in a bank’s operational risk data
and assessment systems.
For example, external operational loss event data may be a
particularly useful input in determining a bank’s level
of exposure to operational risk when internal
operational loss event data are limited.
In
addition, external operational loss event data provide a
means for the bank to understand industry
experience and, in turn, provide a means for the bank to
assess the adequacy of its internal operational loss
event data.
While internal and external operational loss event data
provide a historical perspective on operational risk, it
is also important that a bank incorporate forward-looking
elements into its operational risk data and
assessment systems.
Accordingly, under the final rule, as under the proposed
rule, a bank must incorporate business environment and
internal control factors into its operational risk data
and assessment systems to assess fully its exposure to
operational risk.
In
principle, a bank with strong internal controls in a
stable business environment would have less exposure to
operational risk than a bank with internal control
weaknesses that is growing rapidly or introducing new
products.
In
this regard, a bank should identify and assess the level
and trends in operational risk and related control
structures at the bank.
These
assessments should be current and comprehensive across
the bank, and they should identify the
operational risks facing the bank.
The
framework established by a bank to maintain these risk
assessments should be sufficiently flexible to
accommodate increasing complexity, new activities,
changes in internal control systems, and an increasing
volume of information.
A bank
must also periodically compare the results of its prior
business environment and internal control factor
assessments against the bank’s actual operational losses
incurred in the intervening period.
A few
commenters sought clarification on the agencies’
expectations regarding a bank’s periodic comparisons of
its prior business environment and internal control
factor assessments against its actual operational
losses.
One
commenter expressed concern over the difficulty of
conducting an empirically robust analysis to fulfill the
requirement.
Under
the final rule, a bank has flexibility in the approach
it uses to conduct its business environment and internal
control factor assessments.
As
such, the methods for conducting comparisons of these
assessments against actual operational loss experience
may also vary and precise modeling calibration may not
be practical.
The agencies maintain, however, that it is important for a
bank to perform such comparisons to ensure that its
assessments are current, reasonable, and appropriately
factored into the bank’s AMA framework.
In
addition, the comparisons could highlight the need for
potential adjustments to the bank’s operational risk
management processes.
A bank
also must have a systematic process for determining its
methodologies for incorporating scenario analysis into
its operational risk data and assessment systems.
As an
input to a bank’s operational risk data and assessment
systems, scenario analysis is especially relevant for
business lines or operational loss event types where
internal data, external data, and assessments of the
business environment and internal control factors do not
provide a sufficiently robust estimate of the bank’s
exposure to operational risk.
Similar to business environment and internal control
factor assessments, the results of scenario analysis
provide a means for a bank to incorporate a
forward-looking element into its operational risk data
and assessment systems.
Under
the proposed rule, scenario analysis was defined as a
systematic process of obtaining expert opinions from
business managers and risk management experts to derive
reasoned assessments of the likelihood and loss impact
of plausible high-severity operational losses.
The agencies have clarified this definition in the final
rule to recognize that there are various methods and
inputs a bank may use to conduct its scenario analysis.
For this reason, the modified definition indicates that
scenario analysis may include the well-reasoned
evaluation and use of external operational loss event
data, adjusted as appropriate to ensure relevance to a
bank’s operational risk profile and control structure.
A
bank’s operational risk data and assessment systems must
include credible, transparent, systematic, and
verifiable processes that incorporate all four
operational risk elements (that is, internal operational
loss event data, external operational loss event data,
scenario analysis, and business environment and internal
control factors).
The
bank should have clear standards for the collection and
modification of all elements.
The
bank should combine these four elements in a manner that
most effectively enables it to quantify its exposure to
operational risk.