City and Financial Conference on Operational Risk
12 June 2003
Michael Foot, Managing Director, Financial Services Authority

View presentation slides for this speech

Introduction

  • Thanks for the invite – welcome the opportunity to discuss with you FSA’s perspective on OR issues. Safe to say that a conference like this would not have happened in the last millennium. Idea of spending a whole day on OR, let alone the FSA wheeling out one of its Managing Directors to give the keynote speech, would have been preposterous.
  • Shows the growing importance of this area of risk management – one which has long been in the shadow of others such as market and credit risk.
  • Much of the Conference is on operational risk’s role in the new risk-based capital framework being put forward by Basel and the EU. This is clearly important, but, as Bill Shankly might have said – "Operational Risk isn’t about capital – it’s more important than that".
  • Let me begin by explaining why I say this. I will then go on to set out how we see firms responding to the OR challenge and what our expectations are in this regard. Then I’ll move on to Basel – what’s in the proposals and why and how we envisage implementing them in the UK.

Why is Operational Risk Important

  • Traditional approach of firms has been to tolerate OR – to see it as a cost of being in business. Wrong to say that it has not been managed – it has, but in an ad hoc way, with responsibility delegated to line management who in turn have leant heavily on other functions, such as internal audit and human resources. Focus has been ex-post rather than ex-ante – how to deal with control problems rather than how to identify control weaknesses. But this is changing. Why? Undoubtedly high-profile losses are one reason. We have had sadly had too many reminders over recent years of the losses that different forms of OR can generate across different sectors and activities. These show that, contrary to the old wisdom, OR can be an unacceptably high, or indeed catastrophic, cost of doing business. Secondly, there has been increased regulatory attention. True that Basel has led to an increased focus on OR. This is good. What would not be good is focus on OR purely to meet regulatory requirements. If this happens, then both the industry and we as regulators will have missed a trick somewhere. Thirdly, the wider regulatory environment – increased emphasis on corporate governance and transparency – eg Turnbull. Lastly, a growing recognition of the business benefits for better OR assessment and management - that as with any other form of risk OR that goes unnoticed and unmanaged will lead to volatility of earnings. Mention of OR might not get the FD to sit up and listen. Volatility of earnings certainly will. Also, its early days but we are beginning to see the first signs of market discipline on OR – some comment and pressure from the rating agencies and analysts for firms to disclose more about the extent of OR and how it is managed.
  • So for a number of reasons, OR is and will remain on the agenda. So much so that I think I could safely say that, were Basel and the EU initiatives to keel over and die tomorrow (which I should say I don’t expect to happen), I would still be here next year talking about the importance of sound OR management. Whether I would be speaking to each and every one of you is, however, another matter.

What are firms and the FSA doing in respect of OR?

  • Above explains why firms are taking OR seriously. But what about us? We are concerned about OR because we believe it poses a significant risk to three of our four statutory objectives – maintaining market confidence, ensuring an adequate level of protection for consumers and reducing financial crime. Raising consumer awareness, our fourth statutory objective, isn’t yet on the plate, but when the ordinary man or woman on the street is ready for extreme value theory and leptokurtotic loss distributions then we might go for the full house. So OR is at the very heart of what we are about. Tried to convey this in CP 142 which sets out guidance that applies to a wide range of firms in respect of their management of OR. CP142 is a mix of high level policy in respect of things like firms clearly establishing senior management responsibility for OR management, and more specific guidance on things like outsourcing and business continuity. The guidance in CP142 will come into effect during 2004. But ahead of CP142, we are already building OR into our risk assessment programmes, both for individual firms and for our more thematic work. We now have a team of OR specialists that line supervisors can call on to carry out on-site work to assess OR management in firms – we’ve been doing this for credit and market risk for some time. We’ve also undertaken a industry-wide review of OR management practices. We hope to publish this soon. The purpose of this exercise was to enhance our knowledge of OR and inform our supervisory approach. Discussions with over 20 firms were held. The review shows that significant progress has and continues to be made by firms in managing OR, but that, as a recognised discipline, it remains in its infancy. Another key finding is that there is no one right approach – size and complexity of the organisation shape how firms go about OR management. The lesson for us and Basel – a lesson which I think we have taken on board - is that a one-size fits all approach to OR management would not be appropriate. The review revealed a growing convergence across firms in the use of tools and techniques to manage OR, for example the use of control risk self-assessments and key risk indicators. It also revealed, not surprisingly, that the firms that had made most progress on OR were the ones that had thought through what OR meant for them, and had a clearly articulated vision and strategy – rather than those which simply took the Basel definition and were pursuing OR for compliance reasons.
  • The review also shows that different parts of the financial sector are not at the same stage of development. It is a generalisation to say that banks are ahead of investment firms are ahead of insurance companies and market infrastructure providers. But it wouldn’t be far off. In many respects the importance of operational risks to these firms runs the opposite way. This is a concern. Capital requirements for insurance companies are being reviewed in the EU as part of Solvency 2. Not clear yet whether capital for OR will be part of this – but irrespective of that, the insurance regulators internationally and we at the FSA will be paying closer attention to OR issues.

Basel

  • All of which brings me to Basel. Basel 2 is arguably the most ambitious reform programme any group of regulators has ever attempted. Its goal is to make capital requirements more risk sensitive, building off banks own methods of measuring risks and allocating capital. We are nearing the end of the process – CP3 was issued at the end of April and the final Accord is expected before the end of the year. The destination has always been clear, but the road has been a long and winding one, and we have had to contend with the odd set of roadworks and diversions along the way. Continuing this analogy, I’m sure some of you here believe the proposals on operational risk to be the regulator’s version of the congestion charge. Operational risk is an integral part of the proposals. The proposals have evolved significantly over the last three years as we have responded to the significant progress the industry has made in building credible OR methodologies. As with other parts of the Accord, there is a spectrum of OR approaches ranging from the simple to the more complex. Like to say a few words on the AMA. Fair to say that, while there has been much progress in managing OR, there has been less progress in quantifying it (I was going to say measuring, but I’m told it’s an emotive term). Certainly there is not the degree of consensus in the industry as there is with market and credit risk on whether OR (in all its forms) can be quantified in the first place, and if so what is the best way to do this. We are keen on a risk sensitive approach to capital for OR. The philosophy of Basel towards the AMA is to encourage the industry to continue with their exploration of ideas and techniques, allowing a consensus to emerge through industry experience rather than regulatory dictat. That said, it needs to be emphasised that it is early days and we are not working with proven technologies here as we are in other fields. We are keen that market thinking develops and believe it will. What we are aiming for is a set of standards and criteria that deliver what we expect of any internal models regime – model soundness, use in the business and consistent application across firms, etc. To be perfectly frank, at this stage this looks some way off, and firms should not underestimate the challenge of being in a position to adopt a more risk sensitive approach. We certainly wont make use of the AMA compulsory for any bank – this is consistent with our general approach to implementation.
  • Supervisors are continuing to think about how AMA will work in practice. A conference in New York at the end of May allowed the regulators to see a number of AMAs in action, and this will inform how Basel and individual national supervisors carry forward this aspect of the proposals to implementation.

Implementation

  • Which brings me to implementation. I hope its now a minority view among you that implementation is still some way off and can safely be left until tomorrow. It can’t. Implementation date is Dec 2006, with a period of parallel running from the start of 2006.
  • We are actively engaged with the industry in discussing our implementation plans. In fact the level of industry participation is unique in major markets (so we are told) and is proving an invaluable input in identifying issues and catalysing discussions. On operational risk, a joint-industry and FSA body with the catchy name ORIAG (Operational Risk Implementation Advisory Group)
    • has done a lot of good work in discussing practical, detailed issues that will arise in implementing the OR proposals. It produced a paper on some of these in January (available on the website). A sub-group of industry members is also looking specifically at the AMA.
  • More generally, we have already issued a statement of how we are taking implementation forward – DP13 which was issued last June. We expect to issue a follow up to this in July, which will provide a lot more detail. Its main focus will be on the internal ratings based approach for credit risk, but there will be some aspects of operational risk covered.
  • The real work on operational risk implementation will ramp up in the second half of this year. Lot more to do, for example on the AMA. We will actively engage the industry on this. We intend to publish PSB text, the vehicle through which Basel will be delivered, some time next year.

Level Playing Field

  • Of course, we will not implement the proposals in a vacuum. One of the greatest challenges facing Basel is how to achieve local flexibility for particular circumstances on the one hand, and broad consistency between countries on the other. And how do we ensure that we do not require internationally active firms to have a different variant of an approach or model in each country to suit the whims of the local regulator. This is not an easy task, particularly for something as inherently flexible as the AMA.
  • Many of these issues, which in Basel parlance are known as ‘home-host’, are not new, but they are of a different order of magnitude to what has gone before. They will require a heightened level of supervisory discussion and co-operation. Mechanisms such as the Accord Implementation Group (AIG) in Basel and the Groupe de Contact in the EU mean are in place to deal with these issues, but be under no illusion that consistency of implementation will be hard to deliver.
  • Of course, issues will arise from time to time as national regulators advance further with their own implementation plans. One such issue is the recent announcement by the US authorities that they will apply Basel 2 only to their largest banking groups, and that only the advanced approaches to credit and operational risk will be available. This gives rise to a number of home/host issues – for example will subsidiaries of UK banks operating in the States be required to be on the AMA? I do not want to dwell on this here as both Howard Davies from our side and Roger Ferguson from the Fed have in recent speeches eloquently covered this ground. I raise it as an example of the sorts of issue that will inevitably arise and I can say in this specific example that we are having a fruitful discussion with the US authorities on how all of this will work in practice.

Conclusion

  • Hope I’ve given you a flavour of the FSA’s perspective on OR, in the Basel sense of the word and in its more general application to a wider range of firms. Conscious that I haven’t even mentioned the EU and issues like whether the Basel regime should map over to investment firms. Save that for another time.

More Speeches: