5.4.3 The Basel approach to operational risk

211. Operational risk has been defined as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events”.1 In the capital guidelines for the International Convergence of Capital Measurement and Capital Standards (Basel II)2 the definition of operational risk explicitly excludes strategic and reputational risk.

212. Jobst (2007) categorizes operational risk into internal and external operational risk. “Internal operational risk attributes loss exposure to the potential for failure of people, processes and technology in the course of regular business operations, such as breaches in internal controls and monitoring, internal and external fraud, legal claims or business disruptions and improper business practices. […] External operational risk […] arises from environmental factors, such as a new competitor that changes the business paradigm, a major political and regulatory regime change, unforeseen (natural) disasters, terrorism, vandalism, and other such factors that are outside the control of the firm”.3 Jobst then further categorizes internal operational risk into “(i) process risk associated with operational failures stemming from the breakdown in established processes, failure to follow processes or inadequate process mapping within business lines, (ii) people risk from management failure, organizational structure or other human failures, which may be exacerbated by poor training, inadequate controls, poor staffing resources, or other factors, and (iii) system risk, which reflects the operational exposure to disruptions and outright system failure in both internal and outsourced operations”.4 Although this definition is a positive definition, one can also define operational risk using a negative definition, being “losses that are not related to either credit or market events”.5

213. Operational risk can thus be seen as covering a broad range of risks, whereas both credit and market risk cover a specific type of risk. For operational risk, however, the types of risks that can occur are heterogeneous.6 Besides the distinction between internal and external operational risk, we can see two types of operational risks: “Low-frequency large-loss events and high- frequency small-loss events”.7 Although the high-frequency small-loss events can be estimated fairly accurately on the basis of historical data, the main focus of operational risk is on the low-frequency large-loss events, which can threaten the financial solidity of the firm in question.8

214. Basel II9 introduced the concept of operational risk within the Basel capital framework and developed three methods for calculating the operational risk capital requirement in “a continuum of increasing sophistication and risk sensitivity”:10 The Basic Indicator Approach (BIA), the Standardized Approach (SA) and the Advanced Measurement Approach (AMA).

215. Both the BIA and the SA use gross income as a measure for calculating the operational risk incurred by an institution. The basic indicator approach is solely based on the average over the previous three years of the (positive) gross annual income, with a capital charge of 15% of that calculated average gross annual income.11 If an institution complies with certain criteria12 and subsequently obtains supervisory approval, it can use the standardized approach to calculate its operational risk capital charge. Whereas the BIA uses the gross annual income of the entire institution, the SA segments the institution into eight separate business lines13 and requires a specific operational risk capital charge for each business line with the applicable capital charge differing depending on the business line.14 The added risk sensitivity of the SA when compared with the BIA is that the SA applies a different percentage capital requirement to different parts of the business of an institution. The SA therefore contains the assumption that some business lines are “riskier” than other business lines. This added risk sensitivity is limited, however, as the differentiation between the applicable percentages is six percentage points (applicable percentages vary between 12% and 18%). It should be noted that under the SA approach, asset management and retail brokerage activities are considered less risky from an operational risk perspective than other business lines. That is because these business lines are subject to a 12% factor, whereas trading and sales business lines are subject to an 18% factor.

216. Both the BIA and the SA use gross annual income as a “proxy for the scale of business operations and thus the likely scale of operational risk exposure”.15 Since operational risk covers such a broad spectrum of risks, it is difficult to define a single parameter that adequately covers all the various forms of operational risk. Instead, the gross income is used as a proxy to determine the size of the business operations of an institution, which leads to a generalized view of the required capital charge, based on historic operational loss data.16 The Basel Committee on Banking Supervision acknowledges that the proxy of gross income used by the BIA and SA may need further calibration by saying that “the committee intends to reconsider the calibration of the [BIA and SA] when more risk sensitive data [is] available to carry out this recalibration”.17

217. Under the AMA approach, an institution uses its own methodology to assess its operational risk and the capital charge needed. An institution must comply with several general standards18 and quantitative standards19 before it can apply for the AMA approach. Every model used to assess operational risk under the AMA approach is subject to prior supervisory approval.