In halcyon days gone by, we expressed a lot of doubt about a Basel II capital charge for “operational risk.” Arguing that it couldn’t be quantified by any model known to man and that Basel had better things to do, we suggested that ops-risk be addressed through improved supervision. But, Basel II blundered on and imposed an operational-risk capital charge. We revisit this now because ops-risk has reared its way-ugly head in the foreclosuregate imbroglio. This is a costly reminder of how misplaced capital rules can be and, we think, an important lesson to keep in mind as Basel III heads for the rulebook.
What’s operational risk? One could say it’s the catch-all for anything regulators can’t pigeon hole as credit-, market-, interest-rate, or reputational risk. It’s the unpleasantness that results when computers go awry, traders press the wrong button, swindlers get hold of the signing pen, or someone sues a bank for a whole lot of money. It’s incontrovertible that these risks cost money just like other risks. The problem is that the costs are even harder to quantify. Thus, when capital for ops-risk is premised on models or other assumptions, it’s prone to even more errors than when best guesses are elsewhere deployed.
Case in point, albeit a grim one: 9/11. That was operational risk in its most cataclysmic form, as the global financial system teetered in large part due to the damage done to vital settlement-and-clearing systems. We now know about continuous-operations risk all too well, but how to model it? Insurers can’t – that’s why it’s catastrophic risk – but banks are still obliged to do so under these capital rules. Recent history is replete with lots of other, fortunately less tragic, cases of operational risk: Bernie Madoff’s peccadilloes, the SocGen trader’s downward spiral, and so forth. Modelling works reasonably well when it comes to the average amount of fraud that will run through a credit-card book or likely outages on a computer system, but it’s still a long way off from any reliable quantitative measure of the type of operational risk that really counts when it comes to safety and soundness, let alone systemic risk.
Further complicating this capital charge, ops-risk can’t be hedged like credit and similar risks. Rating agencies don’t judge operational risk and rate it in ways regulators can compare and contrast – perhaps a singular blessing, albeit one that makes it hard objectively to reward banks that do a better job of operational risk management than sloppy ones. The only mitigant grudgingly accepted in the rules is insurance, but the final standards give only limited credit for getting insurance coverage. As a result, banks are basically held up for a capital charge that gives them little incentive to do much but pay up.
Now, on to the most recent case of operational risk: foreclosuregate. Could the capital charge do diddly to prevent it? In a word, no.
What model could have foretold that third-party agents like law firms were—allegedly, we hasten to add—missing a few beats here and there in the foreclosure-filing process? How to count the cost of robosigners? Build this in advance after someone tells the risk managers and capital counters about it? Of course not, since no one would ever tell risk management anything about the type of practices that have gotten mortgage servicers into such a pickle. Was senior management wise? We very much doubt it, so all the “controls” supposedly imposed on the top brass and boards of directors are to naught.
Could a gross-income type of ops-risk charge have buttressed banks better than the models-driven capital charge? This remains the Basel II “standardized” ops-risk requirement, one that will carry on under Basel III. Here, it might not matter how much anyone knew or who was at fault because a cookie jar of ops-risk dedicated capital might be at hand. However, all this does is worsen the blunt-force impact of operational-risk capital – everyone pays up no matter how well or badly they manage this risk without whatever modest benefit comes under the “advanced measurement approach.” Under the cookie jar, ops-risk remediation efforts – always complex and never cheap – might be entirely foregone. At the least, supervisors must play non-stop catch-up.
So, what to do? Many aspects of Basel II that require a rewrite have been neglected as Basel III rushes to up the ante in the wake of the global crisis. As we’ve said before, this will lead to a pile-up of capital and liquidity charges with scant consideration of the correlation impact of all the requirements and their total cost. This is especially problematic in the U.S., where the Dodd-Frank Act builds in still more requirements atop those to come in Basel III. It might seem revisionist or even radical, but it’s time to take capital requirements that haven’t worked and show little promise ever of doing so out of the capital equation. Let capital count for what it can and supervisors do what they must – the two aren’t the same and trying to make them so means that capital is over-burdensome and supervision over-lax, all at the same time.