The Basle II proposals for a new regulatory capital regime promise to change the approach that banks take to operational risk. But how will that affect the work of credit rating agencies?

Basle II will introduce an operational risk capital charge, encouraging banks to set a figure for operational risks such as fraud, natural disasters or rogue trading. As explained in a recent feature on ERisk, factors such as risk reduction and economic capital are encouraging banks to take the initiative by applying a more quantitative approach and attempting to model op risk. In the next few years, new approaches such as a shift towards historical loss-based methodologies seem likely to occupy many banks’ operational risk managers.

But the rating agencies – the traditional watchdogs of financial stability – remain highly sceptical of this approach. It’s a disjunction that highlights how little attention has been given to the role of the agencies in the whole debate about Basle II. So how do they approach operational risk? And how will the Basle proposals on operational risk – as well as the internal changes at those banks that are trying to develop a more quantitative approach – change the way the main agencies conduct their ratings?

Operational risk is almost unique in that it can destroy a business virtually overnight, as Barings found out after Nick Leeson broke the bank with his unauthorised trading. Or it can deal a severe blow to an institution’s reputation and profitability – something Allied Irish Banks (AIB) is currently discovering. Clearly, it’s a risk category that rating agencies, which aim to quantify the ability of a business to meet its financial commitments in a timely manner, have to take into account.

But how do they do that? After all, rating agencies are not auditors; they make no pretence of going into a business and second-guessing the processes that are in place. Instead, they have to take a “top-down” approach to investigating a bank or other financial institution, by speaking to senior management and relying to some degree on existing audit information.

“What we do is a review of management systems and strategy, relying on audits carried out by others and on conversations with risk managers, among others,” says Walter Pompliano, a director at Standard & Poor’s (S&P) in London. “We look for ownership of risk within a group. If we’re looking at a new business combination, we look at the integration processes, to make sure that all the risks are covered. We ascertain whether there is a person or group charged with looking at operational risk on a group-wide basis, rather than a piecemeal approach to op risk management. We routinely look at business lines and systems changes to make sure they’re not taking on too much credit risk, operational risk or market risk.”

In other words, S&P adopts what might be called a ‘common sense’, qualitative approach to operational risk. Pompliano says the agency is well aware that banks are trying to develop more quantitative methods internally, but says that S&P views this as only one tool. “We don’t believe it should ever be allowed to override good internal controls and systems. We would be unhappy about an organisation that relied solely on a quantitative approach,” he says.

David Andrews of Fitch Ratings agrees: “We have no way of actually quantifying operational risk except for common sense. For example, common sense dictates that a medium-sized Swiss private bank is proportionately more likely to fail or default through operational risk than, say, Barclays.”

Sam Theodore, managing director of European bank ratings at Moody’s, takes a similar view. “The first impulse of some bankers is to try to quantify operational risk,” he says. “They feel that if you can quantify market risk and credit risk, then why not op risk?” This view is a fallacy, he argues, because the critical types of operational risk are not the high-frequency, low-impact risks (such as small but regular errors in back-office processing) that can be modelled to show a normal distribution. Instead, the key is to capture the rare but high-impact ‘outlier’ risks, which are virtually impossible to quantify, but which could potentially destroy the bank – such as a rogue trader losing millions of dollars on unauthorised trades, or a natural disaster striking the bank’s main headquarters at a time when no back-up systems or premises are available.

“We believe in a qualitative approach because you can’t take a meaningful, proactive quantitative approach to operational risk,” says Theodore. Hence, Moody’s takes a similar approach to S&P. “You need direct dialogue with the key players – not just the operational risk manager, but the board, top management, business line departmental heads, and so on.”

Theodore also notes the distinction between the degree of operational risk faced in fully commoditised activities such as retail banking, and the more complex ones such as investment banking: “There is also a big difference between core businesses and new businesses. An investment bank buying a retail bank, for example, will face some new operational risks.”

This is also true of a bank purchasing another institution that is active in a distant market the acquiring bank doesn’t fully understand. “Say a western European bank buys a bank in eastern Europe,” says Theodore. “Does it fully understand what the operational risks are? A Spanish bank buying a bank in Latin America primarily looks at credit and market risk, and may decide to establish fresh limits for how much local lending its new subsidiary can do, for example. But how often do they look as closely at the operational risks involved? On the other hand, it would be an even bigger mistake to just transfer your op risk procedures at, say, a UK bank to a bank in eastern Europe.”

This is the type of issue the agencies believe cannot be subjected to anything even resembling quantitative analysis. Andrews of Fitch Ratings echoes this view. “We don’t take a quantitative approach, simply because we have no idea of how to make a quantitative assessment of operational risk at banks,” he says. “Instead, we take a qualitative view, looking at the results of a standard set of questions on operational risk.” He says Fitch is especially interested in operational risk at institutions such as private banks and asset management firms, as this is the main risk that they face.

Reputational risk – an area specifically excluded from the Basle Committee’s definition of operational risk – is one that the agencies watch closely. “The capital markets can be very unforgiving, and putting your franchise at risk can result in a loss of confidence even from retail customers,” says S&P’s Pompliano. “It’s very hard to quantify, but it’s important because it can lead to an institution getting taken over or failing.”

Moody’s Theodore predicts that, as issues of brand and franchise become increasingly important, reputational risk will take on a more central role: “We discuss the market franchise of a bank, and the impact on its reputation and brand of the various decisions a bank takes. For example, what will the impact be of closing branches and laying off people, or of getting involved in subprime lending in the same country or state where they have a big retail presence?”

Andrews says Fitch looks closely at the kind of precautions banks have taken to cover their reputational risk, although he concedes that this approach can raise the issue of moral hazard: “We would ask whether they have blanket bond guarantees to cover employee fraud or incompetence in transactions. If they have this kind of cover, it might help to mitigate the reputational outcome, although it would not eliminate it. It can’t stop these things from happening, however, and you could even argue that having this kind of cover can actually create moral hazard.” But Fitch’s view is generally that having this kind of cover shows management is taking reputational issues seriously.

The agencies are uniformly sceptical about the quantitative approach to operational risk some banks are taking – and in their concerns about the way the Basle II proposals approach op risk. But they also know that if or when the proposals are finally adopted, they are likely to lead to the banking industry adopting a more quantitative approach to op risk, and it’s a move the agencies must take into account.

“The fact that operational risk will impact on capital once Basle II comes into effect has led many institutions to reassess how they control it in cross-group functions. How they manage that change is a big issue right now, and we try to gain an impression of how they handle this issue,” says S&P’s Pompliano.

The agencies all have their own view of the Basle proposals (for industry feedback on Basle II, and other coverage of the proposals, see ERisk’s Basle II Resource Center), but Pompliano says S&P agrees with the building block, or business line, approach to operational risk, which is the basis of its existing approach to op risk. The agency also has concerns about the lack of hard data on which to base a more sophisticated, qualitative approach to op risk, and is cautious about the use of sophisticated models that attempt, for example, to put a value-at-risk number against op risk or that are over-dependent on historical loss data. And it’s worried about the capital incentives for banks to transfer to untested sophisticated modelling.

S&P is also concerned about what it calls the “circular” nature of the operational risk charge proposed by the Basle Committee. “They seem to have taken the view that there is a certain amount of capital that has to be allocated, and that setting the operational risk charge is a question of deciding how much of that overall figure to allocate to that type of risk. We think there is a great deal of variation from institution to institution, and during various periods in the life of an institution. For example, during a period of downsizing, or conversely of acquisition and integration, operational risk is likely to be much higher, with a consequent need for a higher level of capital,” says Pompliano.

Given these fairly extensive misgivings, it seems fairly clear that S&P is likely to stick with its ‘common sense’ approach to op risk – and the other agencies give a similar message. But is this approach working? One, admittedly very crude, measure might be to ask whether rating agencies are actually downgrading banks based on concerns about operational risk, and whether this is happening before major op risk disasters take place, or afterwards.

Moody’s Theodore says the agency has certainly downgraded institutions on the basis of operational risk – and sometimes on the basis of reputational risk – in the past. Fitch’s Andrews concedes it has rarely, if ever, been the sole reason for a credit downgrade by the agency, although it has shown its concerns about operational risk at certain institutions. S&P’s Pompliano, meanwhile, says his agency currently has AIB on Credit Watch with negative implications, “as we are concerned about the outcome of the internal investigation on the reported currency trading fraud. An apparent breakdown of internal controls is something we would always be worried about from an operational risk point of view”.

This might suggest that the rating agencies tend to be reactive rather than proactive when it comes to op risk, but Pompliano says there have been other instances where S&P has indicated its concerns in advance. “We have looked at two institutions planning a merger or acquisition, and signalled our concerns about integration risk. That’s a fairly common occurrence, especially with the amount of consolidation going on at the moment. We’ve had our suspicions that controls were not what they should be at some merging institutions, and that has pushed ratings down.”

©2010 Sungard. All rights reserved. Legal Information

Home | About Ambit ERisk | Solutions | Collateral | Contact Us | Search
Risk Reports Case Studies RMA Ambit ERisk Whitepaper Economic Capital Training And Workshop Events	About Ambit ERisk Solutions Collateral