Legal Risks and the Basel Capital Accord
Presentation given to the International Bar Association on 22 May 2003
by
Andrew M. Whittaker
General Counsel
Financial Services Authority
Introduction
- The focus of my presentation today is how the Basle Capital Accord deals with legal risk as a form of operational risk, so that assessments of legal risk form part of the assessment of how much capital a financial institution needs. Is this appropriate, or does it misunderstand the nature of legal risk?
- As lawyers, we are all conscious of the importance of legal risk. Many of the most significant events affecting the financial system over the past few years could be characterised as legal risk events. These include concerns about the role of analysts in the US, the misselling of personal pensions in the UK, and the events which led to the closing to new business of the Equitable Life Assurance Society. Legal risk is particularly likely to be high in four circumstances. The first is where the legal risk challenges the firm’s business model or business practices. The second is where it leads to large or uncertain liabilities. The third is where it impacts across the industry as a whole rather than being confined to a single institution. The fourth is where it crystallises rapidly, rather than progressively over a period.
- Legal risk can be classified in different ways and for different purposes. It can be seen as an environmental risk, because the legal framework in a particular jurisdiction affects the risk of doing business there. It can be seen as a strategic risk, affecting a strategic decision by a company to move into a particular area of business. Or it can be seen as an operational risk, which is the focus of our discussions today.
- The basics of mitigating legal risk are similar to those for mitigating other forms of risk. They require legal risk to be adequately understood and properly identified. They require this understanding and identification of legal risk to be integrated into strategic decisions. They require operational risks to be integrated into risk management systems. And they require contingency planning, so that when a risk appears to be about to crystallise, action can be taken to deal with it rapidly.
Capital Charges and Legal Risk
- The focus of our discussion today is the way in which legal risk is to be brought into the new Basle capital adequacy regime. It may be worth reminding ourselves of the current state of play on the regime. A consultation document was issued in April for comment by 31 July this year, with the aim that the Basle standards should be finalised by the end of this year, for implementation by the end of 2006. In addition, very similar standards are to be incorporated into a new EC Directive, the ‘Risk Based Capital for Credit Institutions Directive’, on which we expect a consultative paper to be published soon.
- The Basle standards propose, as is well known, the introduction of a three pillar approach, under which minimum capital requirements form the first pillar, backed by a supervisory review as the second pillar, and market discipline through public disclosure as the third pillar. The first pillar sets capital requirements for credit risk, market risk and operational risk. The treatment of credit and market risk is familiar, while that for operational risk is new.
Measurement of operational risk
- There are effectively three approaches to the measurement of operational risk in the Basle proposals. The first, which is known as the ‘basic’ approach, simply applies a standard percentage to a measure of the income of the firm as a whole. The second, known as the ‘standardised’ approach, works on the same basis but applies different percentages to different business lines. The third, which is described as the ‘advanced measurement approach’, is more sophisticated. Under this approach, the capital required for operational risk is the sum of the amount of expected loss and the amount of unexpected loss (though expected loss need not be taken into account here if it is taken into account elsewhere). In order to adopt this approach, which is expected to produce lower charges in most cases, the bank must first satisfy its regulator that it meets both the general risk management standards set for all banks, and the qualifying criteria for the advanced approach. These include regular reporting of operational risk exposures and loss experience, regular review of risk management procedures and calculations by internal and external auditors, the use of external as well as internal data, scenario analysis of high severity events, and the bringing into account of environmental and internal control factors.
Legal risk as operational risk
- Operational risk is defined both in Basle and the draft directive as ‘the risk of loss resulting from inadequate or failed internal processes, people and systems, or external events, including legal risk’. It may be of high frequency and low severity, or of high severity but low frequency.
- This definition is pretty general in its terms. Are there any clues as to what forms of legal risk are intended to be covered? One possible source of guidance is the Basle Committee publication of February 2003 ‘Sound practices for the management and supervision of operational risk’. This gives a list of operational risk types which include, for example:
- internal fraud, including misreporting of positions and insider trading on an employee’s own account;
- external fraud;
- employment practices leading to workers’ compensation claims or other forms of liability;
- client, product and business practice issues, including fiduciary breaches, improper trading, money laundering, and sales of unauthorised products; and
- collateral management failures, incomplete legal documentation, and unapproved access to client accounts.
- It can readily be seen that these can all be described equally well as forms of legal risk, and as forms of operational risk. It is not necessarily particularly helpful to try to draw a distinction between one or the other in deciding how they should be addressed. Indeed, the Basle proposals do not draw such a distinction.
- It should be emphasised that the mere fact that there are legal aspects to operational risk does not mean that there are not also legal aspects to other forms of risk, including market risk, credit risk, and indeed strategic and reputational risk. The fact that the Basle Capital Accord refers to legal risk in the context of operational risk should not be taken to mean that all forms of legal risk must be treated as operational risk - the legal aspects of operational risk should be dealt with alongside operational risk, while the legal aspects of other forms of risk can be dealt with alongside those other forms of risk.
Systems and controls for managing legal aspects of operational risk
- What should be done to manage what might be called ‘the legal aspects of operational risk’? There is, so far as I am aware, no authoritative guidance, from the Basle Committee or elsewhere, on the appropriate systems and controls needed to manage legal aspects of operational risk. Fortunately, however, there is a fair amount of guidance on systems and controls to manage operational risk more generally, which can be applied reasonably well to its legal aspects. This guidance is expressed in general terms, to apply to all forms of operational risk. Its overall effect is to require firms to have adequate systems and controls for the management of operational risk. Applying this principle in the current context, it seems to me that what will be expected is that the systems and controls for the management of operational risk should adequately cover its legal aspects. Is there any further guidance that can be given? I would offer two further propositions for consideration. The first is that systems and controls for the management of operational risk should cover its legal aspects expressly, so that the different skills and techniques needed to address legal aspects can be most effectively deployed. The second is that, in addition to looking at the legal aspects of each individual form of operational risk, there should be a separate assessment of the legal aspects of operational risk as a whole, to enable a full picture of the potential impact of a legal risk event to be fully identified.
Conclusion
- The general view within the legal profession seems to be a concern on behalf of clients that the Basle proposal to apply capital charges to legal risk as a form of operational risk misunderstands the nature of legal risk. The conclusion from this analysis is rather that the real issue, for banks and their legal advisers, is to be able to devise systems and controls that stand a reasonable chance of making a constructive contribution to the management of the legal aspects of operational risk. This is a challenge which the Basle Capital Accord sets before both financial institutions and their legal advisers.
