As clients will shortly see in an in-depth analysis, Basel has decided to launch a “fundamental review” of the capital charge imposed since 2004 for operational risk. A decade later, it says that a pillar of these costly rules is “intuitively” flawed. Funny, I remember writing that in comment letters years before Basel stuck to its now dismantled guns. How could a regulator not only do something that on first blush made so little sense and, then, stick to it for a decade over which, as again Basel itself says, the flawed methodology not only dropped capital as risk clearly rose, but also precipitated several failures? This is more than an academic question. As Basel readies the net stable funding ratio and a raft of other new rules, the global regulator should undertake its own fundamental review.

Operational risk is that which arises from events like man-made and natural disasters (9/11, Fukushima), fraud (Societe Generale, dodgy mortgage brokers), systems risk (cyber-attacks), and legal/reputation risk (where to start?). The operational risk-based capital charge (ORBC) is designed to create a buffer against all of these risks with the same capital also used to absorb credit, market, and other prudential hazards.

In the early 2000s as Basel contemplated ORBC, many commenters – or, at least one I know well – asked a basic question: does capital create a meaningful buffer against ORBC or can it in fact create perverse incentive to be more risky. Just how much capital is enough capital to ensure ongoing services in the midst of a 9.0 earthquake or to insulate a bank against cyber warfare? Severe operational risk cannot be met with capital – in fact, it’s irrelevant a lot of the time. What counts in an operational crisis isn’t capital – it’s resilience, redundancy, and readiness. All of this costs money which drains capital.

In fact, one of the most perverse provisions in Basel’s ORBC rule – not fixed in the new proposal – is that operational-risk mitigants generally count for naught. Banks thus have no regulatory incentive to build back-ups or buy insurance – indeed, they are penalized if they do.  

So, a fundamental question for operational risk-based capital is whether it is capital that regulators should demand as a guarantor of resilience. If I’m right and the more ORBC, the less resilience, the more vulnerable banks will be to the hazards that have often proved far more lethal drivers of systemic risk than the sins any evil-doing banker can wreak unto the financial system.

But, even if capital works, it still has to be based on some understanding of when operational risk rises and how much capital is then warranted as a meaningful buffer. The most jaw-dropping requirement in the Basel ORBC rule and the one it is now trying to repair is that the simplified approaches largely rely on a gross-income measure of operational risk. That is, under the current rules, the more a bank earns in certain business lines, the more its risk is deemed to grow and, thus, the higher its ORBC.

As I remember writing in what I had hoped was moving prose at the time, risk does not linearly correlate with income. In fact, it can increase far more when income drops than when income rises because 1) storms strike financial institutions regardless of how much income they have; 2) customers might not want to do business with banks that make too many mistakes; 3) reduced income drops reserves available to cover risk; and 4) management without income may well look the other way as corners are cut in hope of boosting income.

It’s nice Basel is finally getting around to this. But, the cure may be even worse than the disease. Basel is now proposing to fix its gross-income ORBC requirement with a “business-indicator.” Under this, it’s determined that certain activities based in large part on how big they are pose heightened operational risk and thus should come under higher ORBC.

I won’t trouble you with all the assumptions that go into this approach except to say that it boost the bottom-line ORBC requirement. As is increasingly the case with Basel rules, the new standards don’t trust models or, seemingly, even Basel’s own decade of thinking about operational risk. As a result, the proposal essentially mandates that, if a bank is in certain businesses, then the more of them it does, the riskier it gets. This takes the focus off income and redirect it to activity. However, this is done in so lock-step a fashion as to be largely indifferent to actual operational risk and what makes it worse and when. Apparently, as long as the final number is higher than it was before, banks are somehow safer.

Basel could just have left the flawed ORBC charge as is and hoped no one would notice. That it’s trying now to fix it is laudable even though one must still question why this is happening a decade after the flawed rule was finalized and why the “fundamental review” erects a still more convoluted capital framework atop a flawed edifice instead of tearing it down. Basel’s new mantra is simplicity, but the ORBC “simplified” approaches are anything but. Adding new costs to those sunk into this ill-designed construct will do nothing but make banking still less prepared to absorb the next bout of operational risk.