While there are many risks for which regulatory capital is a vital panacea, operational risk is not among them. The proposed approach to these capital standards makes it still more clear that regulators don’t trust themselves or banks and thus deploy the only tool they seem to know – ever-higher capital – no matter the cost and, more important, the risk. In fact, the best way to address operational risk is to spend money, not put it in a capital piggybank regulators can shake to hear coins rattle when they worry even though getting the coins out in a hurry will prove devilishly difficult.
The reason why regulatory capital doesn’t do diddly for operational-risk absorption is self-evident when one understands what constitutes operational risk. It’s essentially what God does to banks (natural disasters), what people do to banks (fraud), and what banks do to themselves (fragile systems) and to others (endangering consumers or markets at ultimate legal cost).
None of these risks is meaningfully reduced with more capital and, even if it were, the way the new rules work frustrates the way it might. As our in-depth analysis of the proposed operational risk-based capital (ORBC) rules makes clear, regulators want banks to look back as long as ten years to see how many operational losses they booked, measure business volume over the past three years, ramp up these sums via mysterious “scaling factors,” and then somehow discern what operational risk will be in coming years and how much shareholder equity is essential as a buffer against it.
Even this, just-the-facts description of the proposal compared to what it seeks to address on the operational-risk front demonstrates the challenge – indeed, the absurdity – of using backward judgments of different businesses in a prior business model under varying market conditions as a guide to the future. Even if banks learned nothing by what came before and supervisors are wholly oblivious to it – possible as recent events suggest – this retrospective approach to operational-risk forecasting is flat-out nonsensical.
This is clear when one sees how this rear-view mirror not only misses looming risk, but also ensures that banks are still more unprepared for them. Many forms of operational risk (see above) are the equivalent of losing power. How much money one has stacked away to buy fresh groceries is less meaningful to risk absorption than having spent funds ahead of time for a generator that quickly flips the power back on. And, if I’ve put money away for groceries power outage after power outage, I may well have little to spend for the generator. Both are nice, but the generator is essential. Under the capital rules, banks have funds secured for operational resilience, but the time it takes to mobilize them to find a generator and what they are to eat until the power comes back on is far from clear. I can go for a few days on granola bars; the financial system is at imminent risk if key nodes are disabled for even an instant.
Further, banks are already required to have the equivalent of generators to ensure resilience – there are lots of post-9/11 and Hurricane Sandy rules that say so. One might argue that the ORBC requirements are essential suspenders atop these belts. I would suggest, however, that capital atop the robust contingent planning which supervisors can and should demand is duplicative, not additive.
Worse, it’s destructive. Capital deployed for operational risk is capital that cannot be used for financial intermediation. See fears of a U.S. hard landing now that banks are curtailing credit availability partially in preparation for these new rules to see how this works in real time.
Aren’t there other operational risks – fraud, malfeasance – that warrant prophylactic funding? Yes, but here’s where the retrospective approach to judging operational risk comes fully into its own silliness.
How does fraud in the past in a business a bank no longer offers or to customers now roundly disgraced predict future fraud exposure? Would it not instead make sense to take hard lessons learned and invest in better governance? Banks are of course sure to be exposed to new scoundrels, but wouldn’t they be better able to withstand them if they prevent fraud instead of always cleaning up the mess?
Further, natural disasters and fraud are risks long and very successfully judged by actuarial methodologies that differ in form, content, and scope from the cockamamie, retrospective view proposed for operational risk. Insurance rewards us for not smoking – it does acknowledge residual risk if one has smoked, but it not only assumes that no longer doing so means one is healthier, but also that rewarding the policyholder for positive action creates strong incentives to undertake and then continue it.
In the new rule, actuarial methodologies are ignored with no clue as to why this was done other than that Basel liked its own methodology better. The banking agencies also don’t much like insurance as a risk mitigant because they think it takes too long for insurers actually to pay valid claims. Is it really true that insurance claims-payment record is deficient? All of us know it’s a nuisance to file a property insurance claim. Is this really true for big-bank claims and, if it is, is the record so bad as to create a profound disincentive for adequate up-front insurance in favor of the self-insurance wrought by regulatory capital that comes at greater cost and may be ill-designed to judge real risk?
The same concerns are true of legal risk – that which banks did badly should not be what they continue to do badly if banks build better controls at the behest of supervisors if they won’t do so without prompting. There’s lots of insurance to legal risk, or at least there is for banks without bad records that supervisors can and should discipline with all the tools in their robust toolkit.
Recall too that banks are required to hold legal reserves once operational risk is this arena is identified. Maybe it makes sense to sock funds away for future reserves, but we don’t require this for loan losses because the regulatory-capital standards have buffers and that’s what they’re for.
Indeed, what of all the capital buffers banks must hold even without the ORBC charge? How much is too much?
Reading the proposal provides no answers to any of these questions nor any rationale for the operational-risk proposal beyond statements that operational risk touches everything a bank may do – sort of true, that regulators don’t like models – reasonable if not taken to extremes, and that Basel did it so we should do it too – a touching bit of international togetherness that makes as much sense as doing without question that which the UN, IMF, and countless other well-intentioned global groups are prone to dictate.
Bank regulators and supervisors can and should be tough – indeed they should be a good deal tougher than they have been since the 2008 crisis faded into the mist. But tough is not the same as smart.