See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/32006711

The Treatment of Operational Risk under the New Basel Framework: Critical
Issues’

Article  in  Journal of Banking Regulation · August 2007

DOI: 10.1057/palgrave.jbr.2350055 · Source: OAI

CITATIONS READS
35 2,559

1 author:

Andreas Jobst
World Bank
87 PUBLICATIONS   1,457 CITATIONS   

SEE PROFILE

All content following this page was uploaded by Andreas Jobst on 31 October 2014.

The user has requested enhancement of the downloaded file.

 The Treatment of Operational Risk under the New Basel Framework –
Critical Issues

Andreas A. Jobst#

Working Paper

This Version: April 8, 2007

Forthcoming in the Journal of Banking Regulation (August, 2007).

Abstract

The move of international banking supervision away from rigid controls towards market
discipline, prudential oversight and risk-based capital guidelines has widened the scope of
regulation and has steered much attention to operational risk, which has a greater potential
to transpire in more harmful ways than many other sources of risk. This article provides a
selective discussion of critical constraints on the consistent and cohesive implementation of
the existing capital rules under the New Basel Capital Accord. We explain the working
concept of the current regulatory treatment of operational risk. In particular, we show how
the characteristics of operational risk and flexible operational risk measurement influences
the consistency of risk-sensitive capital rules. The implications of our findings offer advice
for a more effective regulatory framework.

Keywords: risk management, operational risk, risk management, financial regulation, Basel
Committee, Basel II, fat tail behavior, extreme events.

JEL Classification: G10, G21, K20.

#
International Monetary Fund (IMF), Monetary and Capital Markets Department (MCM), 700 19th Street, NW,
Washington, D.C. 20431, USA; e-mail: ajobst@imf.org. The views expressed in this article are those of the author and
should not be attributed to the International Monetary Fund, its Executive Board, or its management. They are the result
of the author’s own analyses on operational risk measurement after having completed his appointment with the Federal
Deposit Insurance Corporation (FDIC), where he participated in the Interagency Operational Risk Working Group. Any errors and
omissions are the sole responsibility of the author. The author is indebted to two anonymous reviewers as well as Rodney
Coleman and Brendon Young for their comments.

-1-

Electronic copy available at: http://ssrn.com/abstract=980750

1 INTRODUCTION
Financial globalization facilitates greater diversification of investment and asset funding across national
financial systems. While this development fosters higher systemic resilience due to more efficient financial
intermediation, enhanced allocation of risk as well as greater asset price competition, it complicates banking
regulation and risk management within banking groups. Globalization increases the potential for markets and
business cycles to become highly dependent in times of stress and makes crisis resolution more intricate while
banks are still lead-regulated at a national level. Given the perceived shortcomings of risk management
standards and the limited capacity of regulators to address these challenges within the scope of existing
regulatory provisions, the Basel Committee on Banking Supervision started deliberations in 1999 concerning
an overhaul of the old regulatory principles and supervisory regulations governing the capitalization of
internationally active banks (Basel Capital Accord). These regulatory efforts aimed at the creation of new capital
rules in response to greater systemic vulnerabilities from the increasing sophistication of financial products,
the diversity of financial institutions, and the growing interdependence of financial markets.

After protracted negotiations and strong criticism by the banking industry of a first regulatory framework
published in May 2004, the new capital guidelines for the International Convergence of Capital Measurement and
Capital Standards (New Basel Capital Accord or short “Basel II”) were eventually published in June 2006 (Basel
Committee, 2004a, 2005b and 2006b), with their implementation expected in over 100 countries by early 2007.
The new supervisory guidelines link minimum capital requirements closer to the actual riskiness of bank assets
in a bid to redress shortcomings in the old system of the overly simplistic 1988 Basel Capital Accord. In a
move away from rigid controls towards enhancing efficient capital allocation through the disciplining effect of
capital markets, improved prudential oversight, and risk-based capital requirements, the new regulations
promote greater consistency of capital adequacy requirements (especially for credit risk) and widens the scope
of prudential standards to capture new areas of risk management.

The New Basel Capital Accord underscores in particular the need to heed new threats to financial stability
from operational risk. Given the increased size and complexity of the banking industry, operational risk
amplifies system-wide risk levels and has a greater potential to transpire in more harmful ways than many
other sources of risk. Although operational risk always existed as one of the core risks in the financial industry,
markedly rising geopolitical risk, deficient corporate governance, and systemic risk from a slush of financial
derivatives have the potential to magnify adverse outcomes resulting from the organization of business
activities, inadequate or failed internal processes and information systems, misconduct by people or from
unforeseen external events. While the old capital standards for calculating bank capital were devoid of any
provisions for exposures to operational risk, the new capital rules include explicit capital charges as part of the
calculation of risk-weighted assets (RWA). Operational risk management is now a salient feature of risk
management in financial institutions.

-2-

Electronic copy available at: http://ssrn.com/abstract=980750

Much of the efforts to regulate the management of operational risk are driven by concerns about the
economic implications of pervasive credit risk transfer across financial institutions and national boundaries in
times of systemic crisis. Regulators are particularly concerned about incentives that encourage greater risk
taking in a benign economic environment but also entail more adverse consequences when stress occurs.
Cost-efficient hedging and price discovery through derivative instruments have become commonplace in
many financial systems around the world. Derivatives, however, concentrate credit risk with some investors,
who take leveraged and largely unfunded bets on high-impact, but low-frequency events associated with credit
risk sensitive assets. Conversely, risk sharing agreements cause greater moral hazard on aggregate as
individuals to become less risk averse. As long as markets remain stable and prove robust, more reliance is
placed on the resilience of the financial system while the mechanism of moral hazard intensifies potential
systemic vulnerabilities to credit risk. At the same time, the organization of such risk transfer through
derivatives involves considerable operational risk from market trading and the conduct of market participants
as regards (i) delayed documentation and confirmation of transactions in the course of the clearing process, (ii)
deficient post-default settlement protocols, (iii) risk associated with unauthorized novations of contracts in
over-the-counter (OTC) markets, (iv) potential for market disruptions from the closeout (netting) of OTC
derivatives transactions following the default of a large market participant, (v) and market risk from multiple
defaults that could overwhelm the existing settlement infrastructure. Amid unprecedented regulatory and
market structure reforms, the growing significance of hedging strategies and fee-based income from trading
activities of internationally active banks in risk transfer markets has thus elevated operational risk into the
limelight of risk management.

2 RESEARCH OBJECTIVE
In general, banking regulation aims to improve capital allocation and strategic decision-making in order reduce
bank failure and strengthen systemic stability. However, regulation of operational risk is quite distinct from
other types of banking risks, because it requires risk management techniques that deal mainly with tail events
(i.e. low probability scenarios with severe consequences) rather than central projections, which reflect aberrant
rather than normal behavior and situations. Empirical evidence suggests that contingencies from operational
risk fall broadly into two categories: high impact events at low frequency, which entail substantial losses,
among events of high frequency but low impact (i.e. modest losses). While banks should generate enough
expected revenues to support a net margin that absorbs expected loss (EL) from predictable internal operational
failures, they also need to hold sufficient capital reserves (or resort to insurance) to cover unexpected loss (UL)
from extreme, one-off operational risk events without historical precedent. Extreme operational risk losses are
exceptional. In fact, their financial implications constitute threats rather risks, which are hard to measure and
even more difficult (or impossible) to predict, because they have never occurred. These threats would be
commonly reduced to a set of well-defined risk factors, whose probability and impact specify the distribution
function of EL and UL.

-3-
Given the fat-tailed behavior of operational risk losses, the concept of capital adequacy is insufficient to guide
the allocation of economic capital with a view to curb risk exposure while allowing banks to operate
profitably. Since any extreme operational risk event has the potential to put a bank out of business, adequate
capitalization or self-insurance against the threat of bankruptcy from operational risk is likely to render
banking activity unprofitable. Thus, effective operational risk management (ORM) in this regard aims to reduce
both the incidence and the financial impact of extreme operational risk events – with an emphasis on the
former. Sensible operational risk regulation would encourage banks to not only limit the financial impact of
loss events on the quality and stability of earnings, but also identify measures that help avoid extreme
operational risk events before they can occur. But such risk management incentives that reward best practices
(rather than penalize poor outcomes) are difficult to specify due to the notoriously elusive nature of
operational risk and the absence of the general risk-return trade-off found in exposures to market and credit
risk. The current regulatory framework for operational risk under the New Basel Capital Accord is bent on a
course that clearly favors capital charges for tail risk instead of awarding capital benefits to banks that
demonstrate sound risk management procedures.

Most research on operational risk in recent past has focused either on the quality of quantitative measurement
methods of operational risk exposure (Degen et al., 2006; Makarov, 2006; Mignola and Ugoccioni, 2006 and
2005; Dutta and Perry, 2006; Nešlehová et al., 2006; Grody et al, 2005; de Fontnouvelle et al., 2004;
Alexander, 2003; Coleman and Cruz, 1999; Cruz et al., 1998) or theoretical models of economic incentives for
the management and insurance of operational risk (Leippold and Vanini, 2003, Crouhy et al., 2004; Banerjee
and Banipal, 2005). Only little attention has been devoted to the interaction effects of qualitative and
quantitative constraints on the measurement of operational risk (Currie, 2004 and 2005) and the mechanics of
consistent capital rules.

The main objective of this article is to investigate the implications of the characteristics of operational risk and
the configuration of ORM on the implementation of balanced regulatory standards supported by sound
regulatory incentives. However, the characteristics of operational risk complicate systematic and coherent risk
management. The diverse nature of risks from internal or external disruptions to business activities and the
unpredictability of their financial impact vary considerably across banks depending on the nature of banking
activities and the sophistication of internal risk measurement standards and control mechanisms. Effective
regulation of operational risk – with a focus on risk prevention rather than damage control – hinges on several
issues: (i) the judicious combination of qualitative and quantitative measures of risk estimation, (ii) the
robustness of these measures, given the rare incidence of high-impact operational risk events without
historical precedence, (iii) the cross-sectional sensitivity of regulatory capital charges to the varied nature of
operational risk, reporting standards and risk management capabilities across banks, and (iv) the capacity to
eschew inconsistent capital requirements and conflicting policy measures across countries.

-4-
The article is structured as follows. We first explain the working concept of the current regulatory treatment
of operational risk and the historical background of important elements of both advanced and standardized
approaches of operational risk estimation under the New Basel Capital Accord. We then deliver insights about
how some elements of current regulatory framework could obscure actual operational risk exposure and
create unwarranted arbitrage opportunities when capital rules fail to reign in the elusive nature of operational
risk and considerable measurement diversity. The implications of our theoretical findings offer instructive and
tractable recommendations for a more effective and circumspect regulatory framework that is better attuned
to the elusive nature of operational risk.

3 THE DEFINITION OF OPERATIONAL RISK AND THE REGULATORY TREATMENT OF

OPERATIONAL RISK

Operational risk is commonly defined as the risk of some adverse outcome resulting from acts undertaken (or
neglected) in carrying out business activities, inadequate or failed internal processes and information systems,
misconduct by people or from external events. This definition includes legal risk from the failure to comply
with laws as well as prudent ethical standards and contractual obligations, but excludes strategic and
reputational risk (Federal Reserve Bank of Chicago Risk Committee, 2005). Operational risk can be further
categorized into internal and external operational risk. Internal operational risk attributes loss exposure to the
potential for failure of people, processes and technology in the course of regular business operations, such as
breaches in internal controls and monitoring, internal and external fraud, legal claims or business disruptions
and improper business practices. These risks are more specifically defined as (i) process risk associated with
operational failures stemming from the breakdown in established processes, failure to follow processes or
inadequate process mapping within business lines, (ii) people risk from management failure, organizational
structure or other human failures, which may be exacerbated by poor training, inadequate controls, poor
staffing resources, or other factors, and (iii) system risk, which reflects the operational exposure to disruptions
and outright system failure in both internal and outsourced operations (Zamorski, 2003). External operational
risk (or external dependency risk) arises from environmental factors, such as a new competitor that changes
the business paradigm, a major political and regulatory regime change, unforeseen (natural) disasters,
terrorism, vandalism, and other such factors that are outside the control of the firm (Mark, 2002).

Regulatory efforts have contributed in large parts to the evolution of operational risk measurement as a
distinct discipline. So far, banks have identified three major methods to quantify operational risk (Basel
Committee, 2006a): (i) relating operational risk to business volume, (ii) various types of self-assessment and (iii) loss
distributions. The basic concept of the first approach to measuring operation risk assumes that the management
of operational risk is critical in business lines with high volume, high turnover (transactions per unit of time),
high degree of structural change, and/or complex support systems, for instance, trading activities, especially if
the business generates low margins, such as transaction processing (clearing and settlement) and payments-
system related activities. Hence, the mere volume of banking activities generates operational risk, whose
-5-
significance, in turn, depends on the nature of the banking activity. Typical volume indicators include fee
income or various processing activities, with gross income being the simplest measure. Alternatively, banks
might complete a qualitative self-assessment of operational risk based on a comprehensive review (policies,
procedures, controls, oversight and audit) of various types of errors in all aspects of bank processes. Finally,
several quantitative techniques to operational risk measurement have been developed primarily for the purpose
of assigning economic capital to operational risk exposures.

The development of an explicit capital charge for operational risk under the New Basel Capital Accord has
particularly sponsored the advancement of quantitative techniques of operational risk measurement. While the
old standards of the “one-size fits all” regulatory framework of the old 1988 Basel Capital Accord were devoid
of any explicit1 provisions for operational risk, the new, more risk-sensitive regulatory capital rules require
(mandatory and “opt-in”)2 banks to determine an appropriate capital charge for operational risk as part of
their RWAs to support risk-adjusted capital requirements (Pillar 1).3 This estimate of operational risk exposure
will directly affect their overall level of RBC.

The new capital rules for operational risk have been defined in the new guidelines on the International
Convergence of Capital Measurement and Capital Standards (Basel Committee, 2004a, 2005b and 2006b) based on
previous recommendations in the Working Paper on the Regulatory Treatment of Operational Risk (Basel Committee,
2001c), the Sound Practices for the Management and Supervision of Operational Risk (Basel Committee, 2001a, 2002
and 2003c) (see Box 1). Operational risk loss is measured as the financial impact associated with an
operational event that is recorded in the institution’s financial statements consistent with the Generally Accepted
Accounting Principles (GAAP). Operational risk losses should include all out-of-pocket expenses associated with
an operational event but should exclude opportunity costs, foregone revenue, or costs related to investment
programs implemented to forestall subsequent operational risk losses.

1 With regard to U.S. banking regulation, Seivold et al. (2003) argue that operational risk and other risks were implicitly
accounted for in the calibration of the minimum capital ratio thresholds for the various Prompt Corrective Action categories
defined in Subpart B of Part 325 of the Federal Deposit Insurance Corporation (FDIC) Rules and Regulations (e.g. 4%
Tier 1 capital to average adjusted balanced sheet assets for the “adequately capitalized” designation). Subpart B was
issued by the FDIC pursuant to section 38 of the Federal Deposit Insurance Act and establishes a framework for
supervisory actions for insured depository institutions that are not adequately capitalized.
2 National supervisory authorities of substantial discretion (“supervisory review”) in determining the scope of

implementation of Basel II framework. For instance, the Advanced Notice on Proposed Rulemaking (ANPR) on Risk-Based
Capital Guidelines: Internal Ratings-Based Capital Requirement (2003a) by U.S. regulators requires only large, internationally
active banking organizations with total assets of U.S.$250 million or more and total on-balance sheet foreign exposures
of U.S.$10 billion or more to adopt the Basel II guidelines on capital rules. These banks would also need to apply
advanced approaches for credit risk and operational risk (i.e. advanced internal ratings-based approach (IRB)) and advanced
measurement approaches (AMA)). Other banks may voluntarily apply those approaches (“opt-in banks”).
3 Under the Basel Capital Accord, financial institutions determine their overall level of risk-based capital (RBC) from

aggregating the amount of risk-weighted assets (RWA). Prior to its revision, RWAs were computed from pre-specified
percentage allocations for on- and off-balance sheet exposures to credit risk and some market risks only. The risk weight
refers to the amount of funds a bank must set aside to back up potential losses from credit, market and operational risks
of an exposure depending on its rating, maturity and debtor classification.

-6-
Box 1. The Evolution of the Advanced Capital Adequacy Framework for Operational Risk

The regulatory guidelines for operational risk have evolved from concerns about the soundness of traditional
operational risk management (ORM) practices in economic capital models amid greater complexity of financial
intermediation. Under the proposed revisions for the New Basel Capital Accord (“Basel II”) on the
International Convergence of Capital Measurement and Capital Standards (Basel Committee, 2004a, 2005b and 2006b),
and supplementary regulatory guidance in Sound Practices for the Management and Supervision of Operational Risk
(2001a, 2002 and 2003c) and the Working Paper on the Regulatory Treatment of Operational Risk (Basel Committee,
2001c), the Basel Committee established a regulatory capital framework (“New Advanced Capital Adequacy
Framework”) for operational risk that encourages the comprehensive identification, monitoring, measuring
and managing of operational risk to protect the banking sector from systemic failure. While the old Basel
Capital Accord did not account for operational risk, the new capital rules requires banks to estimate an explicit
capital charge for their operational risk exposure in keeping with the development of a more risk-sensitive
regulatory framework that aligns minimum capital requirements closer to the actual riskiness of bank assets.

The Basel Committee first initiated work on operational risk in September 1998 (Basel Committee, 1998) (see
Figure 1), when it published results of an informal industry survey on the operational risk exposure in various
types of banking activities. These findings contributed to the Committee’s decision to replace the 1988 Basel
Accord in its first paper on A New Capital Adequacy Framework (1999). It highlighted the growing realization of
the significance of risks other than credit and market risks (Basel Committee, 2005a), such as operational risk,
which had been at the heart of some important banking problems in the past. The Committee proposed to
develop either uniform capital charges for such other risks based on a measure of business activities (such as
revenues, costs, total assets or internal measurement systems) or differentiated charges for businesses with
high operational risk.4

In January 2001, the Basel Committee (2001d) released its first consultative document on operational risk in
its first revision of Basel Capital Accord, followed by the Working Paper on the Regulatory Treatment of Operational
Risk (2001c), which was prepared by the Risk Management Group of the Basel Committee to inform the
Committee’s dialogue with banks, regulators and interest groups on the development of a Pillar 1 capital
charge for operational risk. The Basel Committee subsequently devised first draft implementation guidelines
for Sound Practices for the Management and Supervision of Operational Risk (2001a) in view of a second period of
consultation in July 2002 (in response to extensive industry feedback it received during the second Quantitative
Impact Study (QIS-2) from May 2001 to January 2002). Theses supervisory principles established the first
regulatory framework for the evaluation of policies and practices of effective management and supervision of
operational risk, requiring banks of any size and scope to adopt clear strategies and oversight by the board of
directors and senior management, a strong operational risk and internal control culture (including clear lines of
responsibility and segregation of duties), effective internal reporting, and contingency planning. At the same
time, the Committee also acknowledged that the exact approach for ORM chosen by an individual bank
would be defined the nature and complexity of its activities.

The QIS-2 represented the second round of industry consultations on operational risk amid regulatory efforts
to re-examine the industry’s exposure to operational risk. The second tranche of QIS-2 (Operational Risk Loss
Data) focused on operational risk, in particular information concerning individual operational risk loss events,
the banks’ quarterly aggregate operational risk loss experience, and a wider range of potential exposure
indicators tied to specific BLs. Actual operational loss data from participating banks helped the Basel
Committee develop a calibration of the regulatory operational risk capital for the Basic Indicator and Standardized
Approaches (BIA and TSA)5, and hence assess with greater accuracy the overall impact of the proposed revision

4 In addition to relevant qualitative factors, such as the integrity of control processes and internal measures of operational
risk, the Committee also pointed out that particular regard would need to be paid to the capital arbitrage potential, to any
disincentives to better risk control that might thereby be created, and to the capital impact for particular types of banks.
5 The introduction of a volume-based capital charge coincided with an alternative volume based charge developed in the

EU Regulatory Capital Directive.

-7-
of the existing Basel Accord. Subsequent revisions of the guidelines on Sound Practices for the Management and
Supervision of Operational Risk in July 2002 and February 2003 (Basel Committee, 2002 and 2003c) concluded
the second consultative phase.

QIS-3 from October 2002 to May 2003 ushered in the third and final round of consultations on operational
risk. In the corresponding Technical Guidance on operation risk (“Section V. Operational Risk”) the Basel
Committee presented three methods for calculating operational risk capital charges in a continuum of
increasing sophistication and risk sensitivity (Basic Indicator Approach (BIA), (traditional) Standardized Approach
(TSA), and Advanced Measurement Approaches (AMA)) to encourage banks to move along the spectrum of
available approaches as they develop more sophisticated operational risk measurement systems and practices.
The adoption of AMA also reflected the evolving propensity of the Basel Committee to be more prepared to
accept the partial use of advanced methods6 for operational risk than they have for credit risk. The capital
rules for operational risk represent a move away from rigid controls towards risk-based capital guidelines with
broad regulatory expectations about the development of comprehensive control processes for operational
risk. Banks would now be allowed to choose a measurement approach appropriate to the nature of banking
activity as well as the organizational structure and business environment subject to supervisory review (Pillar 2 of
Basel II).

The consultative document (Third Consultative Paper or “CP 3”) in April 2003 (Basel Committee, 2003b) made
further modifications to the proposed revisions of the existing rules on global banking standards. It included –
subject to the discretion of national banking supervisors – the Alternative Standardized Approach (ASA), which
was based on a measure of lending volume rather than gross income as exposure indicator of the capital
charge for retail and commercial banking. Additionally, compliance with the roll-out provisions for
operational risk was made substantially more difficult by the enhanced qualifying criteria for the Standardized
Approach. In particular, institutions were required to have a dedicated operational risk function and to track
relevant operational risk data (including losses) by BL. Commentators asserted that the significant hardening
of the qualitative criteria might have shifted the cost benefit analysis in favor of a cruder approach and
dissuaded banks from moving to the Standardized Approach, given little difference between the Basic Indicator
and Standardized Approaches in terms of the pure regulatory capital charge generated.

The variety of approaches to operational risk capital underscored the Committee’s acknowledgement of
essential flexibility for the implementation of the proposed capital rules under the New Basel Capital Accord.
However, such flexibility required national regulators to exercise considerable judgment in the way they would
accommodate the new regulatory framework for operational risk in their local financial system. So national
discretion was limited to the extent that it did not override the fundamental precepts of capital rules for
operational risk, impinge on the consistent adoption of the new regulatory regime, or undermine the Accord’s
fundamental objective of ensuring adequate bank are capitalization.7 Nonetheless, the scope of
implementation varied significantly by country. Some national banking supervisors reserved their right of
supervisory review (Pillar 2) by selecting only a certain type of measurement approach to operational risk as they
developed draft rules and guidelines for the implementation of the revised risk-based capital standards under
the New Basel Capital Accord. For example, in the Joint Supervisory Guidance regarding the implementation of
Operational Risk Advanced Measurement Approaches for Regulatory Capital (2003), the federal banking and thrift

6 However, institutions planning to use AMA will have to capture “a significant part” of the institution’s operational risk

on implementation.
7 The concern about the delicate trade-off between flexibility and consistency across signatory countries of the New Basel

Capital Accord would also enter into an inter-sectoral debate about the management and regulation of operational risk.
In August 2003, the Joint Forum of banking, securities, and insurance supervisors of the Basel Committee issued a paper
on Operational Risk Transfer Across Financial Sectors (2003a), which compared approaches to operational risk management
and capital regulation across the three sectors in order to gain a better understanding of current industry practices. In
November 2001, a Joint Forum working group made up of supervisors from all three sectors had already produced a
report on Risk Management Practices and Regulatory Capital: Cross-Sectoral Comparison (2001b) on the same issues, drawing on
interviews with market participants, rating agencies and analysts, as well as on its own experience.

-8-
regulatory agencies8 in the U.S. set forth that AMA would be the only permitted quantification approach for
U.S.-supervised institutions to derive risk-weighted assets under the proposed revisions to the risk-based
capital standards. These provisions outlined the expectations for banking institutions that use AMA for
calculating the operational risk capital charge and later entered the Notice of Proposed Rulemaking (NPR)
regarding Risk-Based Capital Guidelines: Internal Ratings-Based Capital Requirement (2006b), which defines the
qualification requirements.9

The relevance of supervisory review for prudential oversight and the flexibility of advanced risk measurement
approaches under the New Basel Capital Accord also fueled industry concerns about consistent regulatory
governance of the cross-border implementation of AMA. In January 2004, the Basel Committee issued a
technical paper on the Home-Host Recognition of AMA Operational Risk (Basel Committee, 2004b) to address
these concerns expressed by a number of organizations in their comments on the Third Consultative Paper. The
Basel Committee proposed a “hybrid approach” about how banking organizations that calculate group-wide
AMA capital requirements might estimate operational risk capital requirements of their international
subsidiaries. Pursuant to this approach, and subject to supervisory approval, a significant internationally active
banking subsidiary of a banking organization wishing to implement AMA and able to meet the qualifying
quantitative and qualitative criteria would have to calculate its AMA-based capital requirements on a stand-
alone basis, whereas other internationally active subsidiaries that are not deemed to be significant in the
context of the overall group receive an allocated portion of the group-wide AMA capital requirement. The
stand-alone AMA capital requirements may include a well-reasoned estimate of diversification benefits of the
subsidiary’s own operations, but may not consider group-wide diversification benefits, given the Committee’s
assertion that capital can move freely within a consolidated organization. Where such subsidiaries are part of a
group that wishes to implement an AMA on a group-wide basis, significant subsidiaries were also allowed to
utilize the resources of their parent or other appropriate entities within the group to estimate their Pillar 1
capital charge operational risk.10 On February 7, 2007, the Basel Committee augmented the existing guidelines
related to the information sharing and capital allocation underpinning the home-host recognition concept.
The consultative document Principles for Home-host Supervisory Cooperation and Allocation Mechanisms in the Context of
Advanced Measurement Approaches (AMA) (Basel Committee, 2007) set forth principles that (i) establish a
regulatory framework for information sharing in the assessment and approval of AMA methodologies and
responsibilities of banks in the area of information sharing (including the factors influencing information
sharing, as well as its scope, frequency and mechanics) and (ii) promote the development and assessment of
allocation mechanisms incorporated as part of a hybrid AMA in terms of risk sensitivity, capital adequacy,
subsidiary level management support, integration into Pillar 1, stability, implementation, documentation,
internal review and validation, and supervisory assessment.

8 The Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit
Insurance Corporation (FDIC), and the Office of Thrift Supervision (OTS) issued the ANPR and the Joint Supervisory Guidance on
an interagency basis.
9 The NPR was published as the Proposed Supervisory Guidance for Internal Ratings-based Systems for Credit Risk, Advanced

Measurement Approaches for Operational Risk, and the Supervisory Review Process (Pillar 2) Related to Basel II Implementation (2007),
which stipulated that the implementation of the new regulatory regime in the U.S. would require some and permit other
qualifying banks to calculate their risk-based capital requirements using the internal ratings-based approach (IRB) for credit
risk and AMA for operational risk (together, the “advanced approaches”). The guidance provided additional details on
the advanced approaches and the supervisory review process to help banks satisfy the qualification requirements of the NPR.
The proposed AMA guidance identifies supervisory standards that banks should follow to implement and maintain an
acceptable AMA framework, while the proposed Pillar 2 guidance addresses the three fundamental objectives in the
supervisory review process: the comprehensive supervisory assessment of capital adequacy, the compliance with
regulatory capital requirements, and the implementation of an internal capital adequacy assessment process (ICAAP)
(Anonymous, 2007).
10 Pursuant to this provision, the stand-alone AMA calculation of significant subsidiaries could rely on data and

parameters calculated at the group level, provided that those variables were adjusted as necessary to be consistent with
the subsidiary’s operations.

-9-
In June 2004, the Basel Committee released the first definitive rules on the regulatory treatment of operational
risk as an integral part of risk-adjusted capital requirements under Pillar 1 of its revised framework for the
International Convergence of Capital Measurement and Capital Standards (2004a). In keeping with the Third Consultative
Paper (Basel Committee, 2003b), the Committee stressed the importance of qualitative and quantitative
standards for banks that wished to apply AMA for ORM, in particular as regards scenario analysis of internal
data, exogenous control factors for operational risk exposure and the construction of internal measurement
models to estimate unexpected operational risk losses at the 99.9th percentile.

After publication of the proposed version for the New Basel Accord, national banking agencies in several
member countries, such as Germany, Japan and the U.S., decided to conduct further national impact studies
or field tests during 2004 or 2005 independent of the Basel Committee on Banking Supervision in order to
seek further industry comment, particularly as regards the competitive implications and effects on capital of
the proposed new framework. These efforts varied significantly across countries. In the U.S., the Federal
Financial Institutions Examination Council (FFIEC)11 completed QIS-4 from October 2004 to January 2005,
which also included a section on operational risk (Section XIV) in order to assess the potential impact of the
proposed regulatory regime in the International Convergence of Capital Measurement and Capital Standards (2004) and
Sound Practices for the Management and Supervision of Operational Risk (2003) on capital for U.S. banking
organizations.12 Concurrent to QIS-4, the U.S. bank and thrift regulatory agencies jointly initiated the Loss
Data Collection Exercise (LDCE)13 from June to November 2004 in a repeat of earlier surveys in 2001 and 2002
(see Tab. 2). The LDCE was conducted as a voluntary survey14 that asked respondents to provide internal
operational risk loss data used to compute capital estimates under QIS-4.15 The collection of more recent data

11 The Federal Financial Institutions Examination Council (FFIEC) was established on March 10, 1979, pursuant to title X of
the Financial Institutions Regulatory and Interest Rate Control Act of 1978 (FIRA), Public Law 95-630. The FFIEC is a
formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal
examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance
Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and
the Office of Thrift Supervision (OTS) and to make recommendations to promote uniformity in the supervision of financial
institutions.
12 For instructions on the U.S. QIS-4, please refer to http://www.ffiec.gov/qis4/qis4_instructions.pdf (FFIEC). For a

broad summary of the QIS-4 results in the U.S., see the Fourth Quantitative Impact Study 2006 published by the Federal
Reserve Board (2006). More information about similar studies in Germany and Japan can be found at
http://www.bundesbank.de/bankenaufsicht/bankenaufsicht_basel_qis4.en.php (Deutsche Bundesbank) and
http://www.fsa.go.jp/inter/bis/bj_20050419.html (Japanese FSA).
13 More information about the 2004 LDCE can be found at http://www.ffiec.gov/ldce/ (FFIEC). After conclusion of

the LDCE, U.S. bank regulators published the Results of the 2004 Loss Data Collection Exercise for Operational Risk (2005).
Some findings have also been published at www.bos.frb.org/bankinfo/conevent/oprisk2005/defontnouvelle.pdf and
www.bos.frb.org/bankinfo/qau/pd051205.pdf by the Federal Reserve Bank of Boston. See also de Fontnouvelle (2005).
14 The general objective of this voluntary survey was to examine both (i) the overall impact of the new regulatory

framework for operational risk on U.S. banking organizations, and (ii) the cross-sectional sensitivity of capital charges to
the characteristics of internal loss data and different ORM systems. The LDCE asked participating banks to provide all
internal loss data underlying their QIS-4 estimates (instead of one year’s worth of data only). A total of 23 U.S.
commercial banks participated in the LDCE, and twenty of these institutions also submitted information under QIS-4.
Banking organizations were asked to report information about the amount of individual operational losses underlying
their past QIS estimates (instead of one year’s worth of data only) as well as certain descriptive information (e.g., date,
internal business line (BL), event type (ET), and amount of any recoveries) regarding each loss that occurred on or before
June 30, 2004 or September 30, 2004.
15 The LDCE in 2004 was only undertaken by U.S. regulatory authorities, as opposed to previous supervisory requests

for internal data on operational risk-related loss events in QIS studies (2002 and 2001), which were completed by various
regulators worldwide. As opposed to prior LDCEs, the 2004 exercise did not require a standard time period for the loss
submission and a specified minimum loss threshold. Banks were also requested to define own mappings from internally-
defined BLs and ETs – as units of measure – to the categorization under the New Basel Capital Accord for reporting
purposes (instead of standardized BLs and ETs). A unit of measure represents the level at which a bank’s operational risk
quantification system generates a separate distribution of potential operational risk losses (Seivold et al., 2006). A unit of
measure could be on aggregate (i.e. enterprise-wide) or defined as either a BL, an ET category, or both. The Basel
(continued)
- 10 -
on individual losses over a larger time horizon (through September 30, 2004) was designed to probe the
completeness of internal loss data underlying the QIS-4 results on regulatory capital for operational risk. The
LDCE also allowed banking regulators examine the degree to which the QIS-4 results (and their variation
across banks) were influenced by the characteristics of internal data or exogenous factors that institutions
consider in their quantitative methods of modeling operational risk or their considerations of qualitative risk
assessments.

The Basel Committee completed its final quantitative impact study (QIS-5)16 between September 2005 and
June 2006 after several modifications to its earlier version of the New Basel Capital Accord (Basel Committee,
2004a). Also this time, operational risk exposures were examined. Banks with partial AMA estimates for
operational risk were asked to report the fraction of the AMA capital charge calculated according to the
Standardized or Basis Indicator Approaches. After having received further industry comments on the latest
round of consultations, the Basel Committee defined The Treatment of Expected Losses by Banks Using the AMA
Under the Basel II Framework (Basel Committee, 2005c), before it eventually released the implementation
drafting guidelines for Basel II: International Convergence of Capital Measurement and Capital Standards: A Revised
Framework (Basel Committee, 2005b). These guidelines were later issued again a complication of documents
that constitute the regulatory framework of the New Basel Capital Accord (Basel II: International Convergence of
Capital Measurement and Capital Standards: A Revised Framework – Comprehensive Version (Basel Committee,
2006b).17 In its latest publication on Observed Range of Practice in Key Elements of Advanced Measurement Approaches
(AMA) (Basel Committee, 2006a) the Basel Committee describes emerging industry practices in relation to
some of the key challenges banks face in their efforts to adopt AMA standards of operational risk
measurement. As opposed to the quantitative impact analysis, the report is focused on bank, and not
supervisory, practice in areas of internal governance, data and modeling based on cross-sectional evidence
from members’ supervisory work, benchmarking exercises, discussions with bank management, and other
sources.

The new capital rules stipulated by the Operational Risk Subgroup (AIGOR) of the Basel Committee Accord
Implementation Group define three different quantitative measurement approaches for operational risk (see Tab.
1) in a continuum of increasing sophistication and risk sensitivity based on eight business lines (BLs) and
seven event types (ETs) (see Tabs. 4 and 5) as units of measure (Basel Committee, 2003a). Risk estimates from
different units of measure must be added for purposes of calculating the regulatory minimum capital
requirement for operational risk. Although provisions for supervisory review (Pillar 2 of Basel II) allow signatory
countries to select approaches to operational risk that may be applied to local financial markets, such national
discretion is confined by the tenet of consistent global banking standards. The first two approaches, the Basic

Committee specifies eight BLs and seven ETs for operational risk reporting in the working paper on Sound Practices for the
Management and Supervision of Operational Risk (2003a). According to AIGOR the eight BLs are: (i) corporate finance, (ii)
trading and sales, (iii) retail banking, (iv) payment and settlement, (vi) agency services, (vi) commercial banking, (vii) asset
management, and (viii) retail brokerage. The seven ETs are: (i) internal fraud, (ii) external fraud, (iii) employment
practices and workplace safety, (iv) clients, products and business practices, (v) damage to physical assets, (vi) business
disruption and system failure, and (vii) execution, delivery and process management. This categorization was instrumental
in bringing about greater uniformity in data classification across financial institutions.
16 For more information, see http://www.bis.org/bcbs/qis/qis5instr.pdf (QIS-5 - Instructions for QIS-5 (September

2005), Section VII. Operational Risk, 34f).

17 This compilation included the International Convergence of Capital Measurement and Capital Standards (Basel Committee,

2004a), the elements of the 1988 Accord that were not revised during the Basel II process, the 1996 Amendment to the
Capital Accord to Incorporate Market Risks (Basel Committee, 2005a), and the November 2005 (Basel Committee, 2005b)
paper on Basel II: International Convergence of Capital Measurement and Capital Standards: A Revised Framework.

- 11 -
Indicator Approach (BIA) and the Standardized Approach (TSA),18 define deterministic standards of regulatory
capital by assuming a fixed percentage of gross income19 over a three-year period20 as a volume-based metric of
unexpected operational risk exposure. BIA requires banks to provision a fixed percentage (15%) of their average
gross income over the previous three years for operational risk losses, whereas TSA sets regulatory capital to
at least the three-year average of the summation of different regulatory capital charges (as a prescribed
percentages of gross income that varies by business activity) across BLs in each year.21 The New Basel Capital
Accord also enlists the disciplining effect of capital markets (“market discipline” or Pillar 3) in order to
enhance efficiency of operational risk regulation by encouraging the wider development of adequate
management and control systems. The current regulatory framework allows banks to use their own internal
risk measurement models under the standards of Advanced Measurement Approaches (AMA) as a capital measure
that is more suitable to accommodate the different risk profiles of individual banks in support of more risk-
sensitive regulatory capital requirements.22

Operational risk measurement via AMA is based on the self-assessment of the frequency and loss severity of
operational risk events and represents the most flexible regulatory approach, subject to several qualitative and
quantitative criteria and pre-specified soundness standards. While qualitative criteria of AMA purport to ensure
the integrity of a sound internal operational risk measurement system for adequate risk management and
oversight, the quantitative aspects of AMA define regulatory capital as protection against both EL and UL
from operational risk exposure at a soundness standard consistent with a statistical confidence level of 99.9%

18 At national supervisory discretion, a bank can be permitted to apply the Alternative Standardized Approach (ASA) if it
provides an improved basis for the calculation of minimum capital requirements by, for instance, avoiding double
counting of risks (Basel Committee, 2004a and 2005b). However, once approved a bank cannot revert to TSA without
supervisory permission. The Basel Committee does not envisage that large diversified banks in major markets would use
the ASA. As opposed to TSA, ASA applies a different exposure factor (total outstanding loans and advances in lieu of
gross income) for retail and commercial banking.
19 In paragraph 650 of the revised framework for banking regulation, the Basel Committee (2005b and 2004a) defines

gross income as net income plus net non-interest income. This measure should be gross of any provisions (e.g. for
unpaid interest); be gross of operating expenses, including fees paid to outsourcing service providers; exclude realized
gains and losses from the sale of securities; and exclude extraordinary or irregular items, as well as income derived from
insurance.
20 The three-year average of a fixed percentage of gross income (in the case of BIA) or the summation of prescribed

capital charges for various BLs (in the case of TSA) exclude periods in which gross income is negative from the
calculation of RWAs.
21 See also Basel Committee (2003c and 2001c).
22 The implementation of New Basel Capital Accord in the U.S. underscores the particular role of advanced approaches

for operational risk measurement as part of the new capital rules. On February 28, 2007, the federal bank and thrift
regulatory agencies published the Proposed Supervisory Guidance for Internal Ratings-based Systems for Credit Risk, Advanced
Measurement Approaches for Operational Risk, and the Supervisory Review Process (Pillar 2) Related to Basel II Implementation based on
previous advanced notices on proposed rule-making in 2003 and 2006. These supervisory implementation guidelines thus
far require some and permit other qualifying banking organizations to adopt AMA for operational risk (together, the
“advanced approaches”) as the only acceptable methods of estimating capital charges under the New Basel Capital
Accord.

- 12 -
over a one-year holding period.23 The AMA-based capital charge covers total operational risk losses unless EL
is already offset by eligible reserves under GAAP (“EL breakout” or “EL offset”), such as capital-like
substitutes, or some other conceptually sound method to control for losses that arise from normal operating
circumstances. Risk estimates under AMA can be quantified by means of loss distribution-based approaches
(LDA), which combine the joint and marginal distributions of the severity and the frequency of losses.
Although the Basel Committee does not mandate the use of a particular quantitative methodology, the
estimation of potential operational risk losses under AMA is subject to the use of (i) internal data, (ii) external
data (from “data consortia” of banks and insurance companies or from publicly reported events),24 (iii)
scenario analysis, and (iv) business environment and internal control factors (BEICFs) as quantitative elements (see Box
2).25

Box 2. An Example of the Practical Integration of AMA Soundness Standards

Amid the absence of regulatory guidance about how to incorporate and weigh each of these four required
AMA elements within the modeling framework, the following illustrative example helps conceptualize the
coherent integration of AMA soundness standards.26

Let us assume that a financial institution categorizes its global banking activities into eight BLs. In compliance
with the quantitative criteria of AMA, the risk management group decides to generate a distribution of
potential operational risk losses for each BL as a unit of measure within a one-dimensional representation of
operational risk exposure. For simplicity, we consider only retail banking as the one BL with the longest
history and the largest number of operational risk events. Although the bank has recorded more than 10,000
events over the past five years, with a few extreme losses among a many low-severity events, the collected
internal data might be insufficient to predict the full exposure to operational risk at very high confidence
levels. Risk managers would need to consider the use of external data in order to increase their sample size for
quantitative estimates of operational risk. Moreover, some internal and external risks are not necessarily
represented in the internal data. Imagine that some banks have been affected by rampant regional credit card

23 Many banks typically model economic capital at a confidence level between 99.96 and 99.98%, which implies an
expected default rate comparable to “AA”-rated credit exposures.
24 In order to address these capital requirements and ensure robust internal controls, banks require high-quality

operational loss-event information to enhance their risk modeling and predictive capabilities, banks are examining more
sophisticated approaches of loss data collection. Several private sector initiatives of banks and other financial institutions
have investigated the merits of data collection from internal and external sources (“consortium data” and external data of
publicly reported events) for a more reliable measurement of operational risk exposure in response to new regulatory
guidelines on ORM. The most prominent examples of proprietary operational risk loss event database include the Global
Operational Loss Database (GOLD) by the British Bankers’ Association (BBA), the Operational Risk Insurance Consortium (ORIC)
by the Association of British Insurers (ABI), OpBase by Aon Corporation, and the operational risk database maintained by the
Operational Riskdata eXchange Association (ORX). In several instances, financial services supervisors themselves have
facilitated greater exchange of information about the historical loss experience of banks, such as U.S. bank regulators in
their joint Loss Data Collection Exercise (LDCE) led by the Federal Reserve Bank of Boston. These pooled loss
distributions of external data are prone to cross-sectional bias unless different internal control systems and different loss
experienced from various-sized banks are taken into account (Matz, 2005).
25 U.S. federal bank regulators also specify five years of internal operational risk loss data and permit the use of external

data for the calculation of regulatory capital for operational risk in their Advanced Notice on Proposed Rulemaking (ANPR) on
Risk-Based Capital Guidelines – Implementation of the New Basel Accord (2003). In contrast, the Basel Committee (2005b and
2004a) requires only three years of data after initial adoption of AMA and then five years. Moreover, for U.S.-supervised
financial institutions, AMA is the only permitted quantification approach for operational risk according to APNR.
26 See also Seivold et al. (2006).

- 13 -
fraud, while banks with a similar specialization in retail banking (but in other areas of the country) have
incurred high legal costs after having been sued for breaches of customer information.27 The business volume
of retail banking (such as revenues, costs or total assets) might have also grown significantly over the last year
due to a rapidly expanding deposit base, new product offerings and the acquisition of several banks, which
might increase expected operational risk exposure to frequently occurring failures in back-office processing. In
this case, risk managers would augment internal data with available external data of other banks (after
adjusting for differences in business environment and internal control factors (BEICFs)) and/or use this information
to develop scenarios of future exposure to operational risk by assuming changes to the historical loss profile.
Finally, the operational risk quantification system would consolidate operational risk estimates derived from
the combination of different statistical measurement methods and qualitative self-assessment, including capital
adjustments based on diversification benefits and risk mitigation, in order to substantiate the capital charge for
operational risk exposure in compliance with existing regulatory provisions.

The quantitative criteria of AMA also offer the possibility of capital adjustment. Banks may be permitted to
recognize any diversification benefits from the correlation (or more specifically, “tail dependence”) between
extreme internal operational risk losses underlying individual risk estimates across different units of measure.
Any correlation assumptions must be derived from appropriate quantitative and qualitative techniques, which
take into account the uncertainty surrounding any such correlation estimates (particularly in periods of stress).
Banks may also attune the overall operational risk exposure to the risk mitigating impact of insurance by up to
20% under the AMA soundness standards. In addition to capital adjustment through risk mitigation and
diversification benefits, scenario analysis and BEICFs are the two other quantitative elements of AMA, which
help identify and assess the level of operational risk and the effectiveness of accompanying internal controls.
Although there is no industry consensus on BEICFs, several key approaches have emerged over the recent
past: (i) risk and control self-assessments (RCSA) for capital allocation and adjustment, (ii) key risk indicators (KRIs),
such as employee turnover or organizational restructuring, and short-term key performance indicators (KPIs)
related to the profit-loss statement.

LDA has emerged as one of the most expedient statistical methods to derive the risk-based capital charge for
operational risk in line with the four quantitative elements of AMA (with certain capital adjustments). The
historical experience of operational risk events suggests a heavy-tailed loss distribution, whose shape reflects
highly predictable, small loss events left of the mean with cumulative density of EL (see Fig. 2). As loss
severity increases, higher percentiles indicate a lower probability of extreme observations with high loss
severity, which constitute UL. While EL attracts regulatory capital, the low frequency of UL exposure requires
economic capital coverage. If we define the distribution of operational risk losses as an intensity process of time t,

the expected conditional probability EL ( T − t ) = E  P ( T ) − P ( t ) P ( T ) − P ( t ) < 0  specifies EL over time

horizon T, while the probability UL ( T − t ) = Pα ( T − t ) − EL ( T − t ) of UL captures losses larger than EL

27These external events would be classified under Level 2 of the BL mapping for retail banking as unit of measure (see
Tab. 3) under the new regulatory framework for operational risk (Basel Committee, 2005b and 2004a).

- 14 -
below a tail cut-off E  Pα ( T ) − P ( t )  , beyond which any residual or extreme loss (“tail risk”) occurs at a

probability of α or less.

This definition of UL concurs with the concept of Value-at-Risk (VaR), which estimates the maximum loss
exposure at a certain probability bound for a given aggregate loss distribution. However, the rare incidence of
severe operational risk losses does not mesh easily with the distributional assumptions of conventional VaR.
The fat-tailed behavior of operational risk defies statistical inference about loss severity as a central projection
when all data points of the empirical loss distribution are used to estimate the maximum loss for a given level
of statistical confidence. Therefore, when extreme losses are more likely than standard limit distributions
would imply, VaR is a rather ill-suited concept for risk estimation and warrants adjustments that explicitly
account for extremes at high percentiles. Extreme value theory (EVT) can redress the shortcomings of VaR in
compliance with existing regulatory capital standards of AMA without imposing additional modeling
restrictions.28 EVT is a general statistical concept that defines a limit law of the asymptotic (upper tail)
behavior of sample maxima (or minima). In the context of risk management, it specifies the limiting behavior
of extreme losses over a given time horizon. If operational risk losses are indeed extreme value, integrating
EVT into the VaR methodology as “EVT-VaR” helps improve the estimation of operational risk under AMA
in extreme quantiles (Jobst, 2007).29

4 REGULATORY INCONSISTENCIES IN STANDARDIZED AND ADVANCED MEASUREMENT

APPROACHES OF OPERATIONAL RISK UNDER THE NEW BASEL CAPITAL ACCORD

4.1 Heterogeneity of operational risk data and regulatory consistency

Although significant progress has been made in the quantification of operational risk, ongoing supervisory
review and several industry studies, such as the presentations by de Fontnouvelle (2005)30 and O’Dell (2005)
as well as the recent publication by the Basel Committee (2006a) on the Observed Range of Practice in Key Elements
of Advanced Measurement Approaches (AMA), indicate that significant challenges remain in the way conflicting

28 Within the general statistical concept of EVT (Balkema and de Haan (1974), Coles (2001), Dekkers and de Haan
(1989); Dekkers et al. (1989); Drees (1995); Falk et al. (1994); Fisher and Tippett (1928); Gnedenko (1943); Jenkinson
(1955); Kotz and Nadarajah (2000); Pickands (1981); Poon et al. (2003); Reiss and Thomas (2001 and 1997); Stephenson
(2002)), the generalized extreme value (GEV) distribution and the generalized Pareto distribution (GPD) are the most prominent
methods to assess parametric models for the statistical estimation of the limiting behavior of extreme observations
(Castillo and Hadi, 1997). While GEV identifies the possible limiting laws of the asymptotic tail behavior associated with
the order statistics of i.i.d. normalized extremes drawn from a sample of dependent random variables, GPD is an
exceedance function that measures the residual risk of a sequence of extremes beyond a predefined threshold for regions
of interest, where only a few or no observations are available. The Peak-over-Threshold (POT) method is the most popular
technique to parametrically upper tail fit based on the specification of a threshold, which determines how many
exceedances shall be permitted to enter the parametric estimation of GPD to maintain convergence of asymptotic tail
behavior (see Appendices 2 and 3).
29 This means that observed extremes decline polynomially to zero probability and not at an exponential rate like a

normal distribution would imply.

30 See also Tab. 2.

- 15 -
economic incentives and prudential standards can be reconciled to support a coherent regulatory framework,
which allows banks to use internal models to calculate capital charges. Although operational risk is
omnipresent, its probability and relative magnitude varies considerably across banks and banking activities.
Furthermore, a wide range of risk measurement methods (quantitative and qualitative) and different ORM
systems induce heterogeneous risk estimates that compromise reliable regulatory guidelines across banks.31
Methodological difficulties of cross-sectional consistency are often magnified by notorious data limitations,
which forestall risk estimates for very granular units of measure.32 Recent efforts by the biggest U.S. financial
institutions33 to seek simplified capital rules in the attempt to ward off additional restrictions on flexible self-
assessment methods34 do not only elucidate that current implementation guidelines and capital rules are still
found wanting, but also underscore the importance of consistent regulatory standards.

4.2 Advanced Measurement Approaches (AMA)

The stringent quantitative criteria of AMA appear to have been deliberately chosen by the Basel Committee to
encourage better monitoring, measuring and managing of operational risk in order to protect the banking
sector from systemic failure (Basel Committee, 2004a, 2005b and 2006b).35 Given the high percentile level at
which banks are required to estimate operational risk exposure under AMA soundness standards, data
limitations preclude the direct empirical estimation of operational risk, because meaningful results from
quantitative self-assessment require a large enough sample of observations. This situation leaves banks with
little choice but to accept significant estimation uncertainty in their efforts to approximate operational risk
exposure – unless they gather sufficient empirical loss data to manage the delicate trade-off between reliability
and accuracy of risk estimates. For exceedance function-based methods of quantitative self-assessment, such
as the Peak-over-Threshold (POT) method under EVT, this means finding enough loss data that substantiate a
threshold quantile close to the critical percentile level under regulatory standards. Since the current soundness
standards of AMA fail to acknowledge the high sensitivity of point estimates to such a threshold choice,
higher estimation risk at the required level of statistical confidence implies costs from inefficient capital

31 Under the current regulatory framework, AMA-based risk estimates would normally yield more reasonable conclusions
about operational risk exposure than standardized approaches, which include contestable assumptions about the volume-
based dependence of operational risk.
32 Although the use of external loss data in self-assessment approaches helps banks overcome the scarcity of internal loss

data, pooled loss data entail potential pitfalls from survivorship bias, the commingling of different sources of risk and
greater mean convergence of aggregate historical loss. Survivorship bias in pooled operational risk loss data arises when
failed banks drop out of the sample, projecting an average historical loss experience below the actual aggregate
operational loss exposure.
33 In August of 2006 representatives of Bank of America, J.P. Morgan Chase, Wachovia and Washington Mutual aimed to

convince the Federal Reserve Board that they should be allowed to adopt a simplified version of the New Basel Capital
Accord (Larsen and Guha, 2006), mainly because additional restrictions have raised the attendant cost of implementing
more sophisticated risk measurement systems for such advanced models to a point where potential regulatory capital
savings are virtually offset.
34 Under the proposed new capital rules for operational risk banks can reduce regulatory capital for unexpected

operational risk if they have advanced risk management systems in place.

- 16 -
allocation. The difference between point estimates at the 99.9th percentile and the closest in-sample point
estimate indicates the amount of additional capital subject to less reliable out-of-sample estimation when actual
data availability confines loss thresholds to lower quantiles beyond which any observation is deemed extreme.

AMA provides incentives for banks to overhaul their risk management capabilities to minimize estimation risk
from low loss threshold due to insufficient loss data. However, the cost of improved data collection and more
sophisticated ORM would need to be offset by capital savings vis-à-vis explicit volume-based measures of
operational risk under standardized approaches in order to at least maintain indifference between different
regulatory approaches.36 Evidence from a cursory examination of balance sheet data of U.S. commercial banks
suggests a significant reduction of economic capital from AMA-based self-assessment of operational risk. The
standardized measure of 15% of gross income under BIA and TSA of the New Basel Capital Accord would
result in a capital charge that grossly overstates the economic impact of even the most extreme operational
risk events in the past, such as the physical damage to assets suffered by the Bank of New York in the wake of
the 9/11 terrorist attacks (see Tab. 3). The Top 15 U.S. banks would have lost not even 5% of gross income
on average had they experienced an operational risk event of similar severity in 2004.

4.3 Capital adjustment of operational risk estimates under AMA

The current quantitative criteria of the AMA soundness standards (Basel Committee, 2004a, 2005b and
2006b) allow banks to adjust the regulatory capital charge for UL by up to 20% of their operational risk
exposure (“capital adjustment”) on the grounds of structural dependencies of operational risk events and the
quality of different methods of ORM (see Fig. 2). The Basel Committee specifies two main causes of lower
actual operational risk exposure: (i) diversification benefits from internally determined loss correlations37 between
individual operational risk estimates (“units of measure”) and (ii) the risk mitigating impact of operational risk
insurance.38

The recognition of diversification benefits presumes that all banks have sufficient loss data for the reliable estimation
of consistent (pairwise) correlation of operational risk exposure between different units of measure (see section 3)
defined by either BLs, ETs or both. The correlation of joint extreme outcomes defines any benefit from
diversification that can be reasonably applied to capital requirements for unexpected operational risk losses.

35 I thank Rodney Coleman (Imperial College, London) for this point.

36 Within the leading banks, economic capital would generally be set in excess of the level forced on them by regulators.
Therefore, especially larger banks would be inclined to apply internal risk measurement models due to higher cost savings
vis-à-vis standardized approaches (TSA and ASA).
37 In general, risk measures for different operational risk estimates (by BL and/or ET) must be added for purposes of

calculating the regulatory minimum capital requirement. However, banks may be permitted to use internally determined
correlations in operational risk losses across individual operational risk estimates, provided it can demonstrate to the
satisfaction of the national supervisor that its systems for determining correlations are sound, implemented with integrity,
and take into account the uncertainty surrounding any such correlation estimates (particularly in periods of stress). The
bank must validate its correlation assumptions using appropriate quantitative and qualitative techniques.

- 17 -
However, several factors may induce cross-sectional variation of the incidence and magnitude of extreme
operational risk losses of the same BL or ET of different banks or across different BLs or ETs within the
same bank. The combination of different exposures associated with different sources of operational risk, the
diversity of banks, which differ in size and sophistication of their activities (“exogenous variation”), and
dissimilar policies and procedures to identify, process and monitor operational risk events as part of the ORM
process39 (“endogenous variation”) conspire to defy both a consistent measure of correlation at high
percentiles and an equitable collection of sufficient loss data40 for each unit of measure (see Tabs. 4 and 5).41
O’Dell (2005) reports that operational risk estimates submitted by U.S. banks as part of the LDCE in 2004
showed little convergence to common units of measure and requirements on the data collection due to
different granularity of risk quantification.42 Hence, limited data availability, insufficient homogeneity of loss
reporting, and different configurations of units of measure compromise the efficacy of correlation as a
consistent and tractable measure of diversification benefits – especially for a fair comparative assessment of
adequate capital adjustment.

From a fundamental perspective, diversification benefits also negate the additive nature of operational risk and
challenge the long-standing assumption of independent extreme losses. Unlike credit or market risk, banks
cannot trade off higher operational risk against the benefit of greater returns or mitigate extreme losses by
diversifying business activities across areas that have historically exhibited distinct patterns of loss frequency.
If the independence condition is relaxed, diversification benefits from correlation would imply joint
asymptotic tail behavior of operational risk losses at percentiles far removed from central projections.
However, the estimation of structural dependence of two or more marginal extreme value distributions is not
a straightforward exercise and involves a considerable degree of uncertainty. Capital adjustment due to
diversification effects is meaningful only if dependencies are measured consistently and reliably at the required
level of statistical confidence and can be assessed without idiosyncratic bias caused the availability and
reporting of extreme operational risk loss data.43 Some methods (Stephenson, 2002; Poon et al., 2003) have
been proposed to estimate the joint asymptotic tail behavior of marginal extreme value distributions based on
multivariate limiting distributions of normalized extremes. However, the implications of these models have
not been sufficiently tested with regard to their impact on quantitative assumptions and regulatory incentives

38 The recognition of such capital adjustment is limited to 20% of the total operational risk capital charge (see Tab. 5).
39 Banks have developed quite different methods for determining operational risk capital with varied emphasis given to
the categorization of BLs and ETs as defined by the Basel Committee.
40 Data issues result from many banks collecting historical operational risk losses exceeding a specified threshold only.
41 Measuring operational risk relative to an exposure factor, e.g. gross income, does little to mitigate these implications

from cross-sectional variation.

42 AIGOR also found that the measurement of operational risk is limited by the quality of internal loss data, which tends

to be based on short-term periods and includes very few, if any, high severity losses (which can dominate the bank’s
historical loss experience) (Basel Committee, 2003c).
43 BL-specific risk ownership or some other form of ORM might temper loss sharing across different areas of banking

activity with less than perfectly correlated loss experience in response to a particular operational risk event.

- 18 -
of the proposed capital rules for operational risk. For instance, the correlation of extremes might be sensitive
to the level of statistical confidence associated with the estimation of operational risk as well as different loss
profiles, loss severity and modeling techniques. The wide dispersion of the magnitude of capital adjustment of
U.S. commercial banks in a recent survey (O’Dell, 2005) testifies to the significance of these considerations
for adequate regulatory standards. The current regulatory provisions for capital adjustment are silent on all
these constraints on the consistent measurement of diversification benefits.

AMA soundness standards also fail to specify the limitations of the risk mitigating impact of insurance on the
associated degree of appropriate capital adjustment of operational risk exposure. In the current form, banks
can reduce their capital charge for operational risk exposure in the form of a general insurance offset
independent of the applied methodology for the estimation of operational risk measures under AMA.
However, proper risk mitigation from insurance would need to be embedded within the AMA estimation
model at the event level in order to account for (i) the probability of coverage, (ii) the probability of timely
payout, (iii) insurance deductibles, (iv) insurer default (counterparty risk), and (v) policy limits for certain types
of events (Inanoglu, 2006).

Overall, the implementation of capital adjustment is weakly defined in the current regulatory guidelines, which
offer appreciable gains from regulatory arbitrage if banks optimize the structural dependencies of extremes
conditional on different loss profiles by type of operational risk, the definition of units of measure and the
manner in which operational risk events and their economic impact are reported and assessed.

4.4 Home-host recognition under AMA

The concept of home-host recognition of operational risk estimates (Basel Committee, 2007 and 2004b) stipulates
how banking organizations that calculate group-wide capital requirements under AMA for consolidated
banking activities could determine the individual regulatory capital charge for international subsidiaries. An
initial version was adopted in 2003 in response to concerns expressed by banks in their comments on the
Third Consultative Paper (Basel Committee, 2003b) about practical impediments to the cross-border
implementation of AMA for operational risk estimates of consolidated banking activities and the associated
allocation of regulatory capital within a banking group. In February 2007, the Basel Committee augmented the
existing guidelines related to the implementation of home-host recognition in matters of supervisory
cooperation and allocation mechanisms in order to alleviate some of these concerns (Basel Committee, 2007).

Under the working principle of home-host recognition, a banking group is permitted – subject to supervisory
approval – to use a combination of stand-alone AMA calculations for significant internationally active banking
subsidiaries that meet the qualifying criteria and soundness standards, whereas other internationally active
banking subsidiaries are assigned a relative share of the group-wide AMA capital requirement. In calculating

- 19 -
stand-alone AMA capital requirements, subsidiaries may incorporate a well-reasoned estimate of
diversification benefits of their own operations, but may not consider group-wide diversification benefits.44

But the flexibility of this “hybrid approach” for banking groups that wish to implement AMA on a group-
wide basis cuts both ways. The calculation of AMA capital requirements on a stand-alone basis is sensible only
if significant internationally active subsidiaries are specialized in certain banking activities45 or are subject to
additional regulatory measures imposed by national banking supervisors of the host nation. Whenever both
the banking group and the foreign subsidiary engage in very similar banking activities, and the subsidiary’s
operations could be considered a subset of the parent’s general scope of business, the exercise of calculating
AMA on a stand-alone basis seems pointless. In this case, significant subsidiaries would remove own
operational risk events from the group-wide sample of internal loss data, thereby reducing the reliability of
operational risk estimates of the banking group without an offsetting benefit for the subsidiary. Operational
risk estimates from a stand-alone approach would amount to re-scaled group-wide estimates on average, even
though estimated UL might diverge, given that extreme operational risk events are largely independent of
business volume. Although the Basel Committee permits these subsidiaries to utilize the resources of their
parent (or other appropriate entities within the group) and rely on data and parameters46 calculated at the
group level, these provisions imply that subsidiaries share the group-wide operational risk exposure – a
premise that reverses the economic logic of the stand-alone approach. The separate estimation of operational
risk at the subsidiary level only makes sense if internal loss data reflected a distinct historical loss experience
and/or quantitative and qualitative criteria specific to the relevant subsidiary, such host country regulations
that warrant a different treatment of operational risk. 47

The current configuration of the home-host recognition of AMA extends the opportunity of regulatory
arbitrage to significant internationally active subsidiaries that perform banking activities similar to the banking
group but exhibit a more favorable historical loss experience and/or a more flexible definition of units of
measure than the banking group. Banking groups would adopt the hybrid calculation of AMA if their stand-
alone AMA operational risk estimate below an allocated portion of the group-wide capital charge. Such capital
savings are judicious only if lower operational risk exposure and genuine operational risk diversification offset

44 The restricted application of diversification benefits reflects different types of operational risk exposures across a
banking group and doubts about the free flow of funds on a group-wide level in the event of an operational risk event.
45 In many instances, the type of banking activity determines scope of operational risk, e.g. investment banks are more

likely to suffer losses from operational risk events caused by acts inconsistent with legal agreements or business
disruptions, whereas retail banks are more exposed to external fraud or liability issues and small claims from failed
transaction processing or relations with trade counterparties and vendors.
46 Theses variables are adjusted as necessary to be consistent with the subsidiary’s operations.
47 The stand-alone AMA approach for significant internationally active subsidiaries seems to imply only marginal

economic benefits, given that parameter estimates on a group-wide level are likely to be more reliable. Unless subsidiaries
identify capital savings from a stand-alone approach due to diversification benefits, they would prefer to be allocated
their Pillar 1 charge for operational risk from the group-wide AMA calculation (like other internationally active
subsidiaries that are not determined to be significant in the context of the overall group).

- 20 -
greater estimation uncertainty from a smaller sample size of internal loss data recorded by a subsidiary.48
Therefore, a consistent use of the stand-alone AMA approach under home-host recognition would benefit
from restricting the use of stand-alone AMA to cases where banking groups and their significant subsidiaries
pursue largely different banking activities, combined with a “regulatory backstop” to possible sample bias in
the form a minimum pro-rated capital charge for operational risk from the group-wide AMA calculation.

4.5 Volume-based measures of operational risk in standardized approaches (BIA, TSA and ASA)

If banks lack the necessary risk management tools or historical information for quantitative self-assessment
under AMA, the New Basel Capital Accord stipulates standardized measurement approaches of operational
risk (BIA, TSA and ASA), which the assume volume-based dependence of operational risk (see Tab. 1). The
proposed regulatory regime under these approaches requires the use of fixed capital multipliers on annual
gross income as explicit measures of how much capital banks need to set aside to cover operational risk
exposure. However, relating operational risk exposure to business volume amounts to an incomplete
regulatory measure that engenders misleading conclusions about operational risk exposure and associated
capital charges.

The proposed standardized approaches to operational risk measurement also fail to discriminate against banks
when they should and treat banks the same when they should not. Banks might specialize in a wide-ranging
set of banking activities with a diverse nature of operational risk exposure and maintain very different
measurement methods, risk-control procedures, and corporate governance standards in their ORM, which
affect both the incidence and the level of operational risk exposure. The distinction of different types of
banking activity notwithstanding, normative volume-based measures under the proposed regulatory regime
disregard how these factors impinge on measures of vulnerability to operational risk. For instance, banks that
engage in business activities with the same operational risk exposure but a different quality of internal controls
could experience vastly different loss profiles.

Moreover, the current definition of standardized measures (BIA, TSA and ASA) with constant capital charge
multipliers on gross income misrepresent the impact of operational risk exposure on the profitability of
banking activity and attribute higher risk exposure to banks with higher gross income. The implicit risk-return
trade-off of volume dependence challenges empirical evidence of operational risk exposure. In the worst case
of a business volume-based measure, a highly profitable bank with ORM practices that are sound but not
sophisticated enough to meet AMA soundness standards, would need to satisfy higher fixed capital charges
than a less profitable peer bank with weaker controls. The association of operational exposure with business

48The parametric approximation of unexpected operational risk losses tends to generate robust mean point estimates at
the critical percentile level of 99.9% under AMA for a reasonably large number of observations, whereas the volatility of
the parameter estimate varies greatly by sample size.

- 21 -
volume also limits the scope of operational risk exposure to operational risk events that can be quantified.
Exogenous shocks would not be captured by this approach.

Even if increasing banking activity might spawn higher operational risk exposure if growth occurs from a low
base,49 more income does not per se entail higher operational risk (Matz, 2005). The fair use of a quantitative
metric based on business volume acknowledges that operational risk is not subject to the conventional risk-
return trade-off associated with other sources of risk. While market and credit risk tend to increase (decrease)
with higher (lower) returns on investment and lending for the same risk-adjusted returns under capital market
efficiency, operational risk does not. Especially extreme operational risk events, such as natural disasters or
similar external events that cause physical damage or system failure, are not a function of business volume.
They tend to follow a random process independent of business activity or the scale of operations – even if
they might exhibit joint asymptotic tail dependence at the margin. A volume-based measure builds adequate
capital coverage only for those banking activities whose risk exposure can be quantified. Standardized
measures are confined to particular ETs in certain BLs, which occur with sufficient regularity and can be
predicted with reasonable certainty, such as credit card fraud in retail banking or settlement errors in
execution, delivery and process management (see Tabs. 4 and 5).

The current method of standardized operational risk measurement in the New Basel Capital Accord seems
incoherent and lacks both discriminatory power and sufficient specificity to adequately define operational risk
exposure. A meaningful and sensible standardized measure indicates the impact of operational risk on the
quality and stability of earnings from various business activities rather than the effect of income generation on
the scale of operational risk. Irrespective of the specification of standardized approaches for the regulatory
treatment of operational risk, the use of gross income as a volume-based metric for operational risk exposure
seems inherently flawed – gross income is not a good indicator of either the scope of banking activities or
expected loss impact of operational risk.

A fixed capital charge should not be defined as a function of income but as a measure of the debilitating effect
of operational risk on the ability of banks to generate income, which serves as scaling factor for loss severity.50
Higher business volume implies a lower impact of extreme operational risk events. Thus, an adequate volume-
based measure would need to be constructed in a way that supports an inverse relation between gross income
and the capital charge for operational risk and upholds a lower marginal rate of increase of operational risk
exposure as banks generate more income. If this relation is linear, the approximation of operational risk

49 Once banking activities have reached a critical mass, changes in business volume do not entail a proportional change in
operational risk exposure.
50 This view coincides with the rating agencies’ view of income generation rather than capital as key determinant of credit

ratings.

- 22 -
exposure through constant capital charge multipliers is reasonable. Nonetheless, volume-based measures
remain largely confined to quantifiable types of operational risk.

Whenever banking supervision fails to capture the actual mechanics underpinning risk-taking incentives, we
tend to observe regulatory arbitrage. Standardized approaches to operational risk are likely to be no exception.
Some volume-based approaches (TSA and ASA) feature different capital charge multipliers for various BLs.
Different capital charge multipliers should reflect the different impact of operational risk losses on the income
generation from a certain types of banking activity. BLs with the historically lowest margins should be assigned
the highest capital charge multipliers. Empirical evidence suggests that operational risk losses seem to have a
high impact in transaction processing (clearing and settlement) as well as payments-system and trading related
activities. Hence, the existing differentiation of TSA and ASA implies a general sensitivity of income generation
from different banking activities to operational risk by assuming low (high) margins (and attendant high (low)
impact of losses) in BLs with high (low) multipliers. However, the premise of a consistent volume-based
metric disqualifies the uniform cross-sectional distinction of operational risk exposure, since some banking
activities are not inherently more prone to operational risk than others. Volume-based measurement methods
that allow no or little discriminatory treatment of the historical loss experience ignore the considerable
variation of loss severity within and across banks. Although TSA and ASA recognize the stratification of
operational risk by BL (as opposed to BIA), they fail to consider cases when banks incur small (large)
operational risk losses in BLs where an aggregate volume-based measure would indicate high (low) operational
risk exposure.51

Since capital savings are greater the smaller the multiplier on gross income, banks would rationally prefer to
report lower (higher) gross income in BLs with higher (lower) capital charge multipliers. If operational risk
losses could be re-allocated independent of their classifications by BL, the standardized measure of a volume-
based capital charge encourages banks to consolidate losses in BLs with higher capital charge multipliers in
order to maximize (minimize) gross income in BLs with lower (higher) capital charge multipliers (see Tab. 1).
Interestingly, this arbitrage incentive would defeat the purpose of discriminating volume-based measures that
impose higher fixed capital charges on BLs with historically low margins. Since capital charge multipliers are
higher the greater the likely impact of unexpected operational risk losses on gross income, banks magnify
operational risk exposure if they accumulate losses in BLs with high capital charge multipliers. The most
efficient arbitrage strategy to allocate operational risk losses would satisfy the following marginal rate of

(
substitution (MRS), MRS K{TSA , ASA} = GI BL1 × β BL 2 ) (GI BL 2 )
× β BL1 , of a selected pair of BLs (BL1 and BL2)

with capital charge multipliers β BL1 ≠ β BL 2 and gross income GI BL1 , GI BL 2 > 0 in order to keep the capital

51Moreover, they also define the severity of operational risk losses without consideration of bank-specific risk
management systems and the presence of risk mitigating circumstances.

- 23 -
charge K under TSA or ASA constant. In this example, the increase of gross income from GI BL1 to GI BL 2

should be offset by the decline of the capital charge multiplier from β BL 2 to β BL1 in line with the assumption

that operational risk does not change with business volume. Since the capital charge multiplier follows a quasi-
step function across various BLs, there is no comprehensive MRS for optimal loss allocation. This arbitrage
strategy would be feasible until a point where the amount of transferred losses from either one or more BLs
with multipliers below the average of 15% (i.e. retail banking, asset management, retail brokerage) wash out
the complete gross income of one or more absorbing BLs with multipliers of more than 15% (i.e. corporate
finance, trading and sales, payment and settlement) to ensure a positive capital charge for each BL (see Tab.
1). BLs with the smallest multipliers offer the largest marginal capital savings and, thus, would receive the
highest possible allocation of the aggregate amount of transferable losses.

In the same vain, the choice of gross income as exposure factor in standardized approaches has also
important economic implications. Under current rules, any change in income generation is subject to a flat
reserve requirement on what is generally consider a type of risk exposure that does not vary with bank
profitability. If unexpected operational risk exposure is indeed independent of business volume, profit-
maximizing banks will hardly be indifferent to a proportional capital charge (in addition to the constant
provisioning for expected operational risk losses), which differs across BLs. If BLs are viewed in isolation, an
uniform measure à la TSA (or ASA) stifles bank activities in BLs with higher capital charge multipliers unless
marginal risk-adjusted returns increase gross income by an amount that offsets the marginal opportunity cost
of bank activities in BLs with a lower operational risk capital charge. At the same time, banks might in fact be
prepared to engage in riskier investing or lending to make up the “flat tax” imposed by an income-based
operational risk capital charge. Conversely, banks would be prepared to divest in BLs if operational risk
charges reduce marginal risk-adjusted returns below the economic cost of capital or if shifting activities in
areas of lower capital charge multipliers reduces risk-adjusted returns by no more than the capital savings.

Despite plausible reservations as regards volume-based measures, fundamental adjustments are imperative to
an unbiased metric of heterogeneous operational risk exposure for comparative purposes. Especially banking
supervisors greatly benefit from the ability to assess the variation of operational risk exposure across different
banks (and possibly within an entire banking system). For instance, Shih et al. (2000) scale actual losses L by a
multiplier defined by the ratio of generated revenue R of two banks with different loss experience,
n
L ′ = L × ( R Bank1 R Bank 2 ) , where n is the scaling co-efficient determined by OLS regression analysis. For
standardized approaches, total outstanding loans and advances in ASA might serve as useful alternatives to
gross income as exposure factors subject to the above constraints of specificity and discriminatory power. For
the measurement of operational risk under AMA, the argument of fundamental adjustment seems to negate
the tenet of individual self-assessment at first glance. However, the potential of cross-sectional survivorship
bias from pooled loss data puts a premium on the consistent data collection and the comparability of
- 24 -
operational risk losses across banks in order to substantiate viable risk measures.52 Since national banking
supervisors have substantial discretion as regards the adoption of some capital rules for operational risk,
controlling for cross-sectional differences through fundamental adjustment is not only in the best interest of
AMA banks but also encourages greater regulatory convergence in the spirit of the New Basel Capital Accord.

4.6 Structural vs. regulatory approaches to operational risk

Both standardized and advanced measurement approaches combine qualitative and quantitative analysis in
order to assess – within a historical frame of reference – the financial impact of both quantifiable types of
operational risk (with available loss data), whose high loss frequency caters to volume- or loss distribution-
based measures (Basel Committee, 2005c), and non-quantifiable operational risk events (mostly without
historical precedent), for which there is and never can be data to support anything but an exercise of
subjective judgment and estimation. While the former type of exposure follows from very predictable
operational risk events, the latter defines aberrant events whose stochastic patterns defy historical forecasting.
This disqualifies existing regulatory approaches, which ascertain the impact of operational risk events on
banking activity based on historical reference rather than causality and the sensitivity of operational risk across
banks and over time. Structural approaches appear to be most suitable to In predictive factor models,
macroeconomic variables can help estimate different kinds of operational risk, such as internal and external
fraud, which might be more likely at times of high unemployment or organizational restructuring.
Nonetheless, exogenous shocks to banking activity, such as natural disasters, continue to elude quantification
and might be best addressed by on-going monitoring of threats and qualitative assessments of the scale and
scope of extreme scenarios associated with high-impact operational risk events.

5 CONCLUSION

In this article, we provided important insights about several constraints on standardized and advanced
measurement approaches of operational risk estimation under existing regulatory standards. Our findings
reveal that effective banking supervision hinges on how the characteristics of operational risk and the
sensitivity of quantitative measurement methods affect the consistent application of capital rules under
different standards of regulatory assessment. Additionally, the severe economic implications of extreme
operational risk events should subordinate quantitative methods to qualitative measures of anticipatory risk
control. However, the current focus of the New Basel Capital Accord on the design of flexible capital rules
that accommodate diverse risk measurement standards distracts from the fact that capital benefits rewarding

52 The Basel Committee and national banking supervisors accept the use of external data, given the apparent data
limitations of operational risk losses and the need to employ a large enough sample to obtain meaningful results if the
loss distribution approach under AMA is applied to BLs where little or no data is available.

- 25 -
good risk management practice are superior to capital charges for tail risk incentive as incentives to marshal
the regulatory treatment of operational risk.

Advanced risk measurement approaches allow banks to tailor internal models of operational risk to their
unique organizational structure and culture. Current provisions for supervisory review (Pillar 2 of Basel II)
permit national supervisory authorities to select operational risk measurement approaches that are appropriate
to their local financial market. However, national discretion in the implementation of risk-sensitive capital rules
might debilitate an equitable and cohesive regulatory treatment of operational risk exposure and dissuade an
essential degree of conformity.53 At the same time, measures that encourage banks with different mandates to
adhere to common soundness standards would condition the flexibility from risk-sensitive capital rules on the
principle of consistent management and supervision of operational risk. Standardized approaches rule out
problems associated with the inconsistent implementation or ambiguous interpretation of capital rules and
regulatory forbearance, but they could create disincentives to enhanced risk control and system-wide bank
capitalization for operational risk exposure. Especially the current practice of uniform capital charges based on
gross income as exposure factor simplifies the causality of some sources of operational risk, mainly because it
implies a positive relation between loss severity and income generation and ignores the endogenous and
exogenous variation of bank activities.

Although quantitative measurement approaches have evolved into a distinct discipline that appeals to the
usage of economic capital as determinant of risk-based regulatory standards for sound banking practices, the
elusive nature of operational risk events defies purely quantitative approaches and necessitates a qualitative
overlay in instances of extreme events, whose implications might be hard to predict and impossible, or at best,
difficult to measure because they have never occurred. Given significant data limitations, stringent regulatory
standards amplify considerable model risk of quantitative approaches as risk estimates at high percentile levels
require a large enough sample of operational risk events. However, the combination of quantitative and
qualitative approaches warrants profound knowledge of critical limitations and analytical scope of different
measurements methods in order to assess mutually offsetting shortcomings and complementary capabilities.
While qualitative self-assessments are prone to bias and rely on broad assumptions in support of general yet
unconditional estimates, quantitative models predict future losses conditional on the historical loss experience
and often fail to account for the dynamic process of extreme outcomes. Clearly structural models based on
macroeconomic factors and key risk indicators (KRIs), augmented by risk and control self-assessments (RCSA) would
help inform better forecasts of future losses from operational risk and foster a more accurate allocation of
regulatory capital.

53Note that implicit capital redundancies between standardized and flexible approaches ultimately depends on the overall
soundness of the banking system and the opportunity cost of capital savings associated with flexible approaches.

- 26 -
The general purpose of safeguarding banking system stability is not to encumber the activities of an individual
organization and make it risk averse but to allow it to operate within boundaries of common regulatory
standards that mutualize risk and limit externalities from bank failures. Therefore, effective regulation and
prudential banking supervision could be compared to motor racing. Risk-sensitive regulation establishes that
banks allocate economic capital to support highest possible profitability whilst remaining safe. In the spirit of
our metaphor, the generation of sufficient and stable income corresponds to the car’s speed and the driver’s
skill to negotiate dangerous turns, while capital adequacy reflects the essential quality of the protective safety
system and the dexterity of the servicing crew to avert excessive harm amid the cut-throat competition of
professional racing. However, driving skills and velocity tend to be more critical determinants of race
performance than technical support and safety systems, both of which providing little more than just marginal
competitive advantage. Even with a superior safety system, a race car driver will never be among the top
finishers and eventually drop out of the competition unless his superior talent and training allow high engine
power and aerodynamic design to sustain a winning speed. That said, inadvertent driving errors, technical
sabotage or sheer recklessness could result in severe high-speed crashes, causing irreparable damage or even
potentially fatal outcomes despite existing safety precautions and proper technical equipment. For banks, this
would mean that while the ability to generate sufficient income serves as prime indicator of future financial
health and reigns supreme as the overriding business objective, extreme (operational) risk events might create
situations with little prospect of business recovery – even if capital levels appear adequate by historical
standards of the most severe losses. The role of capital in the context of income generation and disastrous
events can be appreciated from the consideration of gambler’s ruin. Too little capital puts a bank at risk, while
too much capital will result in the bank not achieving the required rate of return on capital. An increase of
capital will not necessarily improve the soundness of banks, whose survival is ultimately determined by the
most profitable execution of business activities subject to ex ante risk control and disaster backup that prevent
the occurrence of operational risk events whose loss severity could cease banking activities altogether
(Diebold and Herring, 2002). Thus, the concept of capital adequacy appears incidental to the importance of
corporate governance, which qualifies income generation as a gauge of banking soundness within an effective
regulatory framework for operational risk.

Although a vast majority of banks worldwide will continue to operate under the old Basel Capital Accord,
which does not have an explicit operational risk capital charge, the risk management principles under the new
regulations can be used, to some degree, by any institution in order to raise awareness for operational risk and
minimize its impact on banking performance. Also rating agencies uphold more rigorous risk management
practices in line with the regulatory regime of ORM under the New Basel Capital Accord in their external
assessment of credit quality of banks, and, thus, motivate indirect regulatory compliance via the economic
incentive of lower capital costs. It is incumbent on regulators to institute effective supervisory vigilance and
inculcate a strong sense of perpetual improvement of effective ORM in addition to quantitative elements of

- 27 -
operational risk regulation. The intricate causality of operational risk will continue to require intensive
collaboration between supervisors and banks as regards the implementation of “structural” regulatory
guidelines that better reflect the incidence and impact of operational risk events. Regulation is only effective if
it strives to maintain a close identity of view and purpose in a bid to guide economic capital allocation.

6 REFERENCES
Alexander, C. (ed.) (2003). Operational Risk: Regulation, Analysis and Management. Financial Times - Prentice Hall

Anonymous (2007), “Capital Standards: Proposed Interagency Supervisory Guidance for Banks That Would
Operate Under Proposed New Basel II Framework,” US Fed News (28 February).

Balkema, A. and L. de Haan (1974), “Residual Life Time at Great Age,” Annals of Probability, Vol. 2, 792-804.

Banerjee, S. and K. Banipal (2005), “Managing Operational Risk: Framework for Financial Institutions,”
Working paper, A.B Freeman School of Business, Tulane University (November).

Basel Committee on Banking Supervision (2007). Principles for Home-host Supervisory Cooperation and Allocation
Mechanisms in the Context of Advanced Measurement Approaches (AMA) – Consultative Document. Bank for
International Settlements (February).

Basel Committee on Banking Supervision (2006a). Observed Range of Practice in Key Elements of Advanced
Measurement Approaches (AMA). BCBS Publications No. 131, Bank for International Settlements
(October) (http://www.bis.org/publ/bcbs131.htm)

Basel Committee on Banking Supervision (2006b). Basel II: International Convergence of Capital Measurement and
Capital Standards: A Revised Framework - Comprehensive Version. BCBS Publications No. 128, Bank for
International Settlements (June) (http://www.bis.org/publ/bcbs128.htm).

Basel Committee on Banking Supervision (2005a). Amendment to the Capital Accord to Incorporate Market Risks.
BCBS Publications No. 119, Bank for International Settlements (November)
(http://www.bis.org/publ/bcbs119.htm) [earlier versions were published in January 1996 and
September 1997].

Basel Committee on Banking Supervision (2005b). Basel II: International Convergence of Capital Measurement and
Capital Standards: A Revised Framework. BCBS Publications No. 118, Bank for International Settlements
(November) (http://www.bis.org/publ/bcbs118.htm).

Basel Committee on Banking Supervision (2005c). The Treatment of Expected Losses by Banks Using the AMA
Under the Basel II Framework. Basel Committee Newsletter No. 7, Bank for International Settlements
(November).

Basel Committee on Banking Supervision (2004a). International Convergence of Capital Measurement and Capital
Standards: A Revised Framework. BCBS Publications No. 107, Bank for International Settlements (June)
(http://www.bis.org/publ/bcbs107.htm).

Basel Committee on Banking Supervision (2004b). Principles for the Home-Host Recognition of AMA Operational
Risk Capital. BCBS Publications No. 106, Bank for International Settlements (January)
(http://www.bis.org/publ/bcbs106.htm).

Basel Committee on Banking Supervision (2003a). Operational Risk Transfer Across Financial Sectors. Joint Forum
Paper, Bank for International Settlements (August) (http://www.bis.org/publ/joint06.htm).

- 28 -
Basel Committee on Banking Supervision (2003b). The New Basel Accord, Consultative Document (“Third
Consultative Paper (CP3)”). Bank for International Settlements (April)
(http://www.bis.org/bcbs/bcbscp3.htm).

Basel Committee on Banking Supervision (2003c). Sound Practices for the Management and Supervision of Operational
Risk. BCBS Publications No. 96, Bank for International Settlements (February)
(http://www.bis.org/publ/bcbs96.htm).

Basel Committee on Banking Supervision (2002). Sound Practices for the Management and Supervision of Operational
Risk. BCBS Publications No. 91, Bank for International Settlements (July)
(http://www.bis.org/publ/bcbs91.htm).

Basel Committee on Banking Supervision (2001a). Sound Practices for the Management and Supervision of Operational
Risk. BCBS Publications No. 86, Bank for International Settlements (December)
(http://www.bis.org/publ/bcbs86.htm).

Basel Committee on Banking Supervision (2001b). Risk Management Practices and Regulatory Capital: Cross-Sectoral
Comparison. Joint Forum Paper, Bank for International Settlements (November)
(http://www.bis.org/publ/joint04.pdf).

Basel Committee on Banking Supervision (2001c). Working Paper on the Regulatory Treatment of Operational Risk.
BCBS Publications (Working Paper) No. 8, Bank for International Settlements (September)
(http://www.bis.org/publ/bcbs_wp8.pdf).

Basel Committee on Banking Supervision (2001d). Consultative Document - Operational Risk (Supporting Document
to the New Basel Capital Accord). BCBS Publications (Consultative Document) No. 7, Bank for
International Settlements (January) (http://www.bis.org/publ/bcbsca07.pdf).

Basel Committee on Banking Supervision (1999). A New Capital Adequacy Framework. BCBS Publications No.
50, Bank for International Settlements (June) (http://www.bis.org/publ/bcbs50.htm).

Basel Committee on Banking Supervision (1998). Operational Risk Management. BCBS Publications No. 42,
Bank for International Settlements (September) (http://www.bis.org/publ/bcbs42.htm).

Castillo, E. and S. A. Hadi (1997), “Fitting the Generalized Pareto Distribution to Data,” Journal of the American
Statistical Association, Vol. 92(440), 1609-20.

Coleman, R. and M. Cruz (1999), “Operational Risk Measurement and Pricing ,” Derivatives Week, Vol. 8, No.
30 (July 26), 5-6.

Coles, S. G. (2001). An Introduction to Statistical Modeling in Extreme Values. Springer Verlag, London.

Crouhy, M., Galai, D. and M. Robert (2004), “Insuring versus Self-insuring Operational Risk: Viewpoints of
Depositors and Shareholders,” Journal of Derivatives (Winter), 51-55.

Cruz, M., Coleman, R. and G. Salkin (1998), “Modeling and Measuring Operational Risk,” Journal of Risk, Vol.
1, No. 1, 63-72.

Currie, C. V. (2005), “A Test of the Strategic Effect of Basel II Operational Risk Requirements on Banks,”
School of Finance and Economics Working Paper No. 143 (September), University of Technology,
Sydney.

Currie, C. V. (2004), “Basel II and Operational Risk - Overview of Key Concerns,” School of Finance and
Economics Working Paper No. 134 (March), University of Technology, Sydney.

- 29 -
Degen, M., Embrechts, P. and D. D. Lambrigger (2006), “The Quantitative Modeling of Operational Risk:
Between g-and-h and EVT,” Working paper, ETH Preprint, Zurich (19 December).

Dekkers, A. L. M. and L. de Haan (1989), “On the Estimation of Extreme-Value Index and Large Quantile
Estimation,” Annals of Statistics, Vol. 17, 1795-1832.

Dekkers, A. L. M., Einmahl, J. H. J. and L. de Haan (1989), “A Moment Estimator for the Index of an
Extreme-Value Distribution,” Annals of Statistics, Vol. 17, 1833-55.

Diebold, F. and R. J. Herring (2002), “Assessing and Managing Operational Risk,” 5th Annual Risk
Roundtable, Wharton Financial Institutions Center, University of Pennsylvania (18-19 April).

Drees, H. (1995), “Refined Pickands Estimators of the Extreme Value Index,” Annals of Statistics, Vol. 23,
2059-80.

Dutta, A. and J. Perry (2006), “A Tale of Tails: An Empirical Analysis of Loss Distribution Models for
Estimating Operational Risk Capital,” Working paper No. 06-13, Federal Reserve Bank of Boston
(July).

Embrechts, P., Hoenig, A. and A. Juri (2001a), “Using Copulae to Bound the Value-at-Risk for Functions of
Dependent Risk,” Preprint, ETH Zurich.

Embrechts, P., Lindskog, F. and A. McNeil (2001b), “Modelling Dependence with Copulas and Applications
to Risk Management,” Preprint, ETH Zurich.

Falk, M., Hüsler, J. and R.-D. Reiss (1994). Laws of Small Numbers: Extremes and Rare Events. DMV-Seminar,
Birkhäuser, Basel.

Federal Reserve Bank of Chicago Risk Committee (2005). Legal/Reputational Risk - Banking Information. Federal
Reserve Bank of Chicago
(http://www.chicagofed.org/banking_information/legal_reputational_risk.cfm).

Fisher, R. A. and L. H. C. Tippett (1928), “Limiting Forms of the Frequency Distribution of the Largest or
Smallest Member of a Sample,” Proceedings of the Cambridge Philosophical Society, Vol. 24, 180-90.

de Fontnouvelle, P. (2005), “The 2004 Loss Data Collection Exercise,” presentation at the Implementing an
AMA for Operational Risk conference of the Federal Reserve Bank of Boston (May 19)
(http://www.bos.frb.org/bankinfo/conevent/oprisk2005/defontnouvelle.pdf).

de Fontnouvelle, P., Rosengren, E. S. and J. S. Jordan (2004), “Implications of Alternative Operational Risk
Modeling Techniques,” SSRN Working Paper (June)
(http://www.algorithmics.com/solutions/opvantage/docs/OpRiskModelingTechniques.pdf).

Gnedenko, B.V. (1943), “Sur la Distribution Limite du Terme Maximum d’une Serie Aleatoire,” Annals of
Mathematics, Vol. 44, 423-53.

Grody, A. D., Harmantzis, F. C. and G. J. Kaple (2005), “Operational Risk and Reference Data: Exploring
Costs, Capital Requirements and Risk Mitigation, “ Working paper (November), Stevens Institute of
Technology, Hoboken, NJ.

Inanoglu, H. (2006), “Practical Implementation of Op Risk: Quantitative Issues,” Seminar presentation at the
International Monetary Fund (IMF), Monetary and Capital Markets Department (MCM) (September
5).

Jenkinson, A. F. (1955), “The Frequency Distribution of the Annual Maximum (or Minimum) Values of
Meteorological Elements,” Quarterly Journal of the Royal Meteorology Society, No. 87, 145-58.

- 30 -
Jobst, A. (2007), “Operational Risk – The Sting is Still in the Tail But the Poison Depends on the Dose,”
Journal of Operational Risk, Vol. 2, No. 2 (forthcoming).

Kotz, S. and S. Nadarajah (2000). Extreme Value Distributions. Imperial College Press, London.

Larsen, P. T. and K. Guha (2006), “US Banks Seek Looser Basel II Rules,” The Financial Times (3 August).

Leippold, M. and P. Vanini (2003), “The Quantification of Operational Risk,” SSRN Working paper
(November).

Makarov, M. (2006), “Extreme Value Theory and High Quantile Convergence,” Journal of Operational Risk, Vol.
1, No. 2.

Mark, R. M. (2002), “Operational and Infrastructure Risk,” Presentation at a symposium in preparation for the
conference “The Information Technology Revolution - Implications for Financial Services and Public
Policy” (March 6-8), Black Diamond Risk Enterprises, Toronto.

Matz, L. (2005), “Measuring Operational Risk: Are We Taxiing Down the Wrong Runways ?” Bank Accounting
and Finance, Vol. 18, No. 2, 3-6 and 47.

Mignola, G. and R. Ugoccioni (2006), “Sources of Uncertainty in Modeling Operational Risk Losses,” Journal
of Operational Risk, Vol. 1, No. 2 (Summer).

Mignola, G. and R. Ugoccioni (2005), “Tests of Extreme Value Theory,” Operational Risk, Vol. 6, No. 10
(October).

Nešlehová, J., Embrechts, P. and V. Chavez-Demoulin (2006), “Infinite Mean Models and the LDA for
Operational Risk,” Journal of Operational Risk, Vol. 1, No. 1, 3-25.

O’Dell, M. (2005), “Quantitative Impact Study 4: Preliminary Results – AMA Framework,” presentation at the
Implementing an AMA for Operational Risk conference of the Federal Reserve Bank of Boston (May
19) (http://www.bos.frb.org/bankinfo/conevent/oprisk2005/odell.pdf).

The Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve
System (FRB), the Federal Deposit Insurance Corporation (FDIC), and the Office of Thrift
Supervision (OTS) (2006b). Risk-Based Capital Guidelines: Internal Ratings-Based Capital Requirement.
Notice of Proposed Rulemaking (25 September)

The Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve
System (FRB), the Federal Deposit Insurance Corporation (FDIC), and the Office of Thrift
Supervision (OTS) (2006a). Risk-Based Capital Guidelines: Internal Ratings-Based Capital Requirement.
Advanced Notice of Proposed Rulemaking (4 August)
(http://www.federalreserve.gov/BoardDocs/Press/bcreg/2006/20060206/attachment.pdf and
http://www.fdic.gov/regulations/laws/publiccomments/basel/anprriskbasedcap.pdf).

The Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve
System (FRB), the Federal Deposit Insurance Corporation (FDIC), and the Office of Thrift
Supervision (OTS) (2005). Results of the 2004 Loss Data Collection Exercise for Operational Risk (May).

The Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve
System (FRB), the Federal Deposit Insurance Corporation (FDIC), and the Office of Thrift
Supervision (OTS) (2003). Operational Risk Advanced Measurement Approaches for Regulatory Capital. Joint
Supervisory Guidance (2 July).

Pickands, J. (1981). Multivariate Extreme Value Distributions. Imperial College Press, London.

- 31 -
Poon, S.-H., Rockinger, M. and J. Tawn (2003), “Extreme Value Dependence in Financial Markets:
Diagnostics, Models, and Financial Implications,” The Review of Financial Studies, Vol. 17, No. 2, 581-
610.

Reiss, R.-D. and M. Thomas (2001). Statistical Analysis of Extreme Values, from Insurance, Finance, Hydrology and
Other Fields. Birkhauser, New York

Reiss, R.-D. and M. Thomas (1997). Statistical Analysis of Extreme Values. Birkhäuser, Basel.

Rootzén H. and N. Tajvidi (1997), “Extreme Value Statistics and Wind Storm Losses: A Case Study,”
Scandinavian Actuarial Journal, Vol. 1, 70-94.

Seivold, A., Leifer, S. and S. Ulman (2006), “Operational Risk Management: An Evolving Discipline,”
Supervisory Insights, Federal Deposit Insurance Corporation (FDIC)
(http://www.fdic.gov/regulations/examinations/supervisory/insights/sisum06/article01_risk.html).

Shih, J., Samad-Khan, A. and P. Medapa (2000), “Is the Size of Operational Loss Related to Firm Size?”
Operational Risk Magazine (January).

Smith, R. L. (1990), “Extreme Value Analysis of Environmental Time Series; An Example Based on Ozone
Data (with Discussion),” Statistical Science, Vol. 4, 367-93.

Stephenson, A. G. (2002), “EVD: Extreme Value Distributions,” R News 2(2), 31-32.

Zamorski, M. J. (2003), “Joint Supervisory Guidance on Operational Risk Advanced Measurement

Approaches for Regulatory Capital – Board Memorandum,” FDIC, Division of Supervision and
Consumer Protection (July)
(http://www.fdic.gov/regulations/laws/publiccomments/basel/boardmem-oprisk.pdf).

- 32 -
7 APPENDIX

Risk Management Group of the Basel Committee

Operational Risk Subgroup (AIGOR) of the Basel Committee Accord Implementation Group
1st Consultative Phase 2nd Consultative Phase 3rd Consultative Phase

Operational
Operational The
TheInternational
International The
TheInternational
International
BIS Publications

Risk
Risk Consultative
Consultative Working
Working The
TheNew
New Convergence
Convergenceof of Convergence
Convergenceof of
Manage- Document Sound
SoundPractices
Practicesfor
forthe
the
Manage- Document-- Paper
Paperonon Basel
Basel Capital
Capital Capital
Capital
ment
ment Operational
Operational the
the Management
Managementand and Accord
Accord–– Measurement and
Measurement and Measurement
Measurement andand
(09/1998)
(09/1998) Risk
Risk Regulatory
Regulatory Supervision
Supervisionofof Operational
Operational Consultative
Consultative Capital
CapitalStandards:
Standards: Capital
Capital
and
and (Supporting
(Supporting Treatment
Treatment Risk Document
Document AARevised
Revised Standards:
Standards:AA
Risk
AANew
New Document
Documentto to of
of (Third
(Third Framework
Framework Revised
Revised
Capital
Capital the
theNew
New Operational
Operational Consultative
Consultative Framework
Framework––
(three
(threeversions
versionson
on
Adequacy
Adequacy Basel Capital
Basel Capital Risk
Risk Paper
Paper(CP3))
(CP3)) (two
(twoversions
versionson
on AAComprehensive
Comprehensive
12/2001,
12/2001,07/2002,
07/2002,and
and02/2003)
02/2003)
Framework
Framework Accord)
Accord) (09/2001)
(09/2001) (02/2003)
(02/2003) 06/2004
06/2004and
and Version
Version
(06/1999)
(06/1999) (01/2001)
(01/2001) 11/2005)
11/2005) (06/2006)
(06/2006)

Principles
Principlesfor
Impact Studies

QIS for
QIS2:
2: Risk
Risk QIS
QIS3:
3: The
The
& Guidelines

Principles
Principles QIS
QIS4: 4: QIS
QIS5:
5: Observed
Observed Home-Host
Home-Host
Operational
Operational Management
Management Operational
Operational Operational
Operational Treatment
Treatment
for
forthe
the National
National Operational
Operational Range
Rangeofof Supervisory
Supervisory
Risk
RiskLoss
Loss Practices
Practicesandand Risk
RiskLoss
Loss Risk
Risk ofof
Home-Host
Home-Host impact
impact Risk
RiskLoss
Loss Practice
Practiceinin Cooperation
Cooperation
Data/
Data/ Regulatory
Regulatory Data
Data Transfer
Transfer Expected
Expected
Recognition
Recognition studies
studies Data
Data Key
KeyElements
Elements and
andAllocation
Allocation
“Tranche
“Tranche22forfor Capital:
Capital: [Section
[SectionV,V, Across
Across Losses
Lossesby by
ofofAMA
AMA and
andfield
field [Section
[SectionVII,
VII, ofofAdvanced
Advanced Mechanisms
Mechanismsinin
Operational
Operational Cross-
Cross- Technical
Technical Financial
Financial Banks
Banks
Operational
Operational tests
tests Instructions]
Instructions] Measurement
Measurement Context
ContextofofAdv.
Adv.
Risk”
Risk” sectional
sectional Guidance]
Guidance] Sectors
Sectors Using
Usingthethe
Risk
RiskCapital
Capital (2004-
(2004- (09/2005-
(09/2005- Approaches
Approaches Measurement
Measurement
(05/2001-
(05/2001- Comparison
Comparison (10/2002-
(10/2002- (08/2003)
(08/2003) AMA
AMA
(01/2004)
(01/2004) 2005)
2005) 06/2006)
06/2006) (10/2006)
(10/2006) Approaches
Approaches
01/2002)
01/2002) (11/2001)
(11/2001) 05/2003)
05/2003) (11/2005)
(11/2005) (02/2007)
(02/2007)

Joint
JointSupervisory
Supervisory Federal
FederalFinancial
FinancialInstitutions
Institutions NPR
NPRonon Proposed
ProposedSupervisory
Regulatory

Guidance Supervisory
Guidanceon Examination
ExaminationCouncil Risk-Based
Guidance

on Council Risk-Based Guidance

Operational Guidancefor
forAdvanced
Advanced
OperationalRisk
Risk (FFIEC)
(FFIEC) Capital
Capital Measurement
U.S.

Advanced LDCE Guidelines: Measurement

Advanced LDCE Guidelines: Approaches
Measurement (06-11/2004 ApproachesRelated
Relatedto
to
Measurement (06-11/2004)) Internal
InternalRatings-
Ratings- Basel
Approaches BaselIIII
Approachesfor for and
and Based
BasedCapital
Capital Implementation
Regulatory Implementation
RegulatoryCapital
Capital QIS
QIS4,4,Section
SectionXIV
XIV Requirement
Requirement (02/2007)
(07/2003) (10/2004-01/2005) (09/2006) (02/2007)
(07/2003) (10/2004-01/2005) (09/2006)

Figure 1. The evolution of the regulatory treatment of operational risk.

Probability density function

Probability

Capital
Deduction Risk Capital for Operational Risk Exposure
(up to 20%)

VaRα=0.01%
at 99.9% quantile
(probability bound)
Mean of
distribution

Expected Loss (EL) Unexpected Loss (UL) Extreme

Loss
Aggregate Losses (Loss Severity)

Figure 2. Loss Distribution Approach (LDA) for AMA of operational risk under the New Basel
Capital Accord.

- 33 -
 Operational
Cost-Benefit Computation Regulatory capital charge Remarks/Requirements
Risk Measure1
Basic Indicator A fixed percentage of Capital charge (KBIA)= [Σ years(1-n) Σ(GI1,…,n*α)]/N, Figures for any year, in which annual
Approach (BIA) average annual gross where gross income is negative or zero
income over the previous GI = annual (positive) gross income2 over the previous three should be excluded from both the
Bank-wide measure three years. years (“exposure factor”), numerator and denominator. No
n = number of the previous three years (N) for which gross specific criteria for use of BIA are set
Supervisor-specific parameters. income is positive, and by the Basel Committee (2005b and
α = 15%, which is set by the Basel Committee, relating the 2006b), but banks are encouraged to
industry wide level of required capital to the industry wide comply with the Committee’s guidance
level of the indicator (“multiplier”). on Sound Practices for the Management and
Supervision of Operational Risk (2003c).
(Traditional) The three-year average of Capital charge (KTSA)={Σyears(1-3)*max[Σ(GI1-8*β1-8),0]}/3, β equals 18% for the BLs corporate
Standardized the summation of the where finance (β1), trading & sales (β2),

risk sensitivity
Approach (TSA) regulatory capital charges GI1-8 = GI for each of the eight BLs (“exposure factor”), payment & settlement (β5); 15% for
across each of the BLs in β1-8 = fixed percentage relating the level of required capital to commercial banking (β4) and agency

No or little flexibility,
but ease of use and low
Business line (BL) each year. the level of the gross income for each of eight BLs defined by services (β6); and 12% for retail
measure the Basel Committee. banking (β3), asset management (β7),
Supervisor-specific parameters. and retail brokerage (β8).
Alternative Same as TSA, but applies Capital charge (KASAK)={Σyears(1-3)*max[Σ(GI1-2,5-8*β1-2,5-8),0]}/3 Same as TSA, but banks may aggregate
Standardized different exposure factor +{Σyears1-3*max[Σ(LA3-4*m*β3-4),0]}/3, retail and commercial banking using
Approach (ASA) to retail banking and where β3-4 values of 15%. Similarly, those
commercial banking. GI1-2,5-8 = GI for each of the eight six BLs other than banks that are unable to disaggregate
Business line (BL) retail/commercial banking (“exposure factor”), their gross income into the other six
measure Supervisor-specific parameters. β1-2,5-8 = fixed percentage relating the level of required capital BLs can aggregate the total gross
to the level of the gross income for each of six BLs other than income for these six BLs using β1-2,5-8
retail/commercial banking defined by the Basel Committee, values of 18%.
LA3-4 = total outstanding loans and advances3 (non-risk
weighted and gross of provisions) for each retail banking and Use of ASA falls within the discretion
commercial banking (“exposure factor”), of the national supervisor. Once a
β3-4 = fixed percentage relating the level of required capital to bank has been allowed to use ASA, it
the level of the gross income for retail banking and cannot revert to TSA without
commercial banking, and supervisory permission.
m = 0.035 as fixed factor that replaces GI as exposure
indicator.

- 34 -
 Advanced Generated by the bank’s AMA includes quantitative and qualitative criteria for the self- Quantitative and qualitative criteria
Measurement internal operational risk assessment of operational risk, which must be satisfied to regarding adequate risk management
Approaches measurement system. ensure adequate risk management and oversight. The and oversight must be satisfied. Under
(AMA) qualitative criteria4 center on the administration and regular the AMA soundness standard, a bank
Bank-defined parameters. review of a sound internal operational risk measurement must be able to demonstrate that its
BL and ET-specific system. The quantitative aspects5 of AMA include the use of operational risk measure is comparable
measure with internal data, (ii) external data, (iii) scenario analysis, and (iv) to that of the internal ratings-based
qualitative and business environment and internal control factors subject to approach for credit risk, i.e. a one-year
quantitative data the AMA soundness standard and requirements for risk mitigation holding period and a 99.9th percentile
standards defined by and capital adjustment. confidence interval).
national supervisor Banks are also allowed to adjust their
capital charge for operational risk
exposure under AMA by (i) the
amount of expected losses (ELs) (“EL
breakout”), (ii) diversification benefits
from loss correlation between

management

High flexibility,
operational loss ETs both across and
within BLs, (iii) and the risk mitigating

and sophisticated risk

impact of insurance on measures of

but potential risk sensitivity

operational risk used for regulatory
minimum capital requirements. Capital
adjustment is limited to 20% of the
total operational risk capital charge
calculated under AMA.

Table 1. Overview of operational risk measures according to the Basel Committee on Banking Supervision (2003a, 2004a, and 2005b and 2006b). 1/ The three main approaches to operational risk
measurement, the Basic Indicator Approach (BIA), the Standardized Approach (TSA) and the Advanced Measurement Approaches (AMA) are defined in Basel Committee (2005b), 140-152
(Section V – Operational Risk). 2/ Gross income (GI) is defined as net interest income plus net non-interest income. This measure should: (i) be gross of any provisions (e.g. for unpaid
interest), (ii) be gross of operating expenses, including fees paid to outsourcing service providers, (iii) exclude realized profits/losses from the sale of securities in the banking book, and
(iv) exclude extraordinary or irregular items as well as income derived from insurance. 3/ For ASA, total loans and advances in retail banking consist of the total drawn amounts in the
following credit portfolios: retail, SMEs treated as retail, and purchased retail receivables. For commercial banking, total loans and advances consists of the drawn amounts in the
following credit portfolios: corporate, sovereign, bank, specialized lending, SMEs treated as corporate and purchased corporate receivables. The book value of securities held in the
banking book should also be included. 4/ The qualitative criteria include (i) an independent operational risk management (ORM) function, (ii) a well-documented and well-integrated, internal
operational risk measurement system, (iii) regular reporting of operational risk exposures and loss experience to business unit management, senior management, and to the board of
directors, as well as (iv) regular reviews and validation of the ORM processes and measurement systems by external auditors. 5/ Besides the soundness standard and risk mitigation (see
above), the quantitative criteria include (i) internal data requirements (i.e. internal loss data must be clearly linked to a bank’s current business activities, technological processes and risk
management procedures and must cover a minimum five-year observation period (though a three-year historical data window is acceptable when AMA is applied for the first time)), (ii)
the use of external data (on actual loss amounts, information on the scale of business operations where the event occurred, information on the causes and circumstances of the loss
events or other information) when there is reason to believe that the bank is exposed to infrequent, yet potentially severe, losses, (iii) scenario analysis, as well as (iv) business
environment and internal control factors.

- 35 -
 Aggregate Operational Risk Loss Statistics of LDCE (2004)
Loss Frequency Loss Severity
no. of no. of
Frequency no. of no. of loss Total loss per Avg. loss (EL)
banks with loss Total loss
intervals participating events per bank per bank
com- events of (in U.S.$bn.)
(no. of losses > banks bank (in U.S.$bn.) (in U.S.$'000)
prehensive all banks (3)
U.S.$10,000) (1) (2)/(1) (3)/(1) (3)/(2)
data (2)

0-250 6 2 640 107 0.21 0.04 331

251-1,000 5 2 2,253 451 0.28 0.06 126
1,001-2,500 8 5 13,404 1,676 8.15 1.02 608
2,501+ 4 1 39,469 9,867 17.28 4.32 438
Total 23 10 55,766 2,425 25.92 1.13 465

Table 2. Aggregate operational risk losses (cross-sectional) of U.S. commercial banks according to the 2004 LDCE (de
Fontnouvelle, 2005). Stratification of loss severity and loss frequency.

Major Operational Loss Event

(U.S.$140 million, Bank of New York, Sept. 11, 2001)
(In percent of)
Non-
Total Interest Interest Gross Tier 1
Insured U.S.-Chartered Commercial Banks1 assets3 income Income Income Capital
(ranked by consolidated assets, as of Dec. 31, 2001)
Bank of America NA (Bank of America Corp.)2 0.02 1.91 3.86 1.28 0.31
JP Morgan Chase Bank (JP Morgan Chase & Co.) 0.02 3.07 4.21 1.77 0.39
Citibank NA (Citigroup) 0.02 1.51 3.06 1.01 0.32
Wachovia Bank NA (Wachovia Corp.) 0.04 3.45 9.87 2.56 0.65
First Union Bank4 0.06 1.86 2.05 0.98 0.78
US Bank NA 0.08 5.63 12.60 3.89 10.92
Bank One NA (Bank One Corp.) 0.05 1.60 1.94 0.88 0.64
Wells Fargo Bank NA (Wells Fargo & Co.) 0.04 3.38 6.28 2.20 0.66
Suntrust Bank 0.13 4.30 6.49 2.59 1.75
HSBC Bank USA (HSBC NA) 0.17 13.67 55.66 10.97 3.12
Bank of New York (Bank of New York Corp.) 0.18 18.87 18.60 9.37 2.58
Key Bank NA (Key Corp.) 0.18 11.79 38.67 9.04 2.42
State Street B&TC (State Street Corp.) 0.21 25.51 21.04 11.53 3.93
PNC Bank NA (PNC Financial Services Group) 0.20 6.15 5.51 2.90 3.04
LaSalle Bank NA (ABN Amro NA HC) 0.13 12.05 33.32 8.85 1.75

mean 0.10 7.65 14.88 4.65 2.22

median 0.08 4.30 6.49 2.59 1.75
std. dev. 0.07 7.24 16.01 4.01 2.68

Table 3. Hypothetical loss exposure of the largest U.S. commercial banks on September 11, 2001. 1/excluded is Fleet
NA Bank (Fleetboston Financial Group), which merged with Bank of America NA in 2003. 2/“regulatory top holder” listed
in parentheses. 3/Total assets, gross income and Tier 1 capital represent the sum of assets, gross income and core
capital of individual banking institutions under each top holder, ignoring adjustments in consolidation at holding
company level. 4/After the merger with Wachovia, First Union did not publish financial accounts for end-2001.
Fundamental information is taken from the 2000 Financial Statement. Source: Federal Reserve Board (2002), Federal
Reserve Statistical Release - Large Commercial Banks (http://www.federalreserve.gov/releases/lbr/).

- 36 -
 Level 1 Level 2 Activity Groups
Corporate finance Corporate finance Mergers and acquisitions, underwriting,
Municipal/government finance privatization, securitization, research, debt
Advisory services (government, high yield), equity, syndication,
IPOs, secondary private placements

Trading and sales Sales Fixed income, equity, foreign exchange,

Market making commodities, credit funding, own position
Proprietary positions securities, lending and repos, brokerage, debt,
Treasury prime brokerage

Retail banking Retail banking Retail lending and deposits, banking services, trust
and estates

Private banking Private lending and deposits, banking services,

trust and estates, investment advice

Card services Merchant/commercial/corporate cards, private

labels and retail

Commercial banking Commercial banking Project finance, real estate, export finance, trade
finance, factoring, leasing, lending, guarantees, bills
of exchange

Payment and settlement External clients Payments and collections, funds transfer, clearing
and settlement

Agency services Custody Escrow, depository receipts, securities lending

(customers), corporate actions

Corporate agency Issuer and paying agents

Corporate trust
Asset management Discretionary fund management Pooled, segregated, retail, institutional, open,
private equity

Non-discretionary fund management Pooled, segregated, retail, institutional, open

Retail brokerage Retail brokerage Execution and full service

Table 4. Mapping of business lines (BLs).

- 37 -
 Event-type
Category Definition
(Level 1)1
Losses due to acts of a type
intended to defraud,
misappropriate property or
circumvent regulations, the law
Internal Fraud
or company policy, excluding
diversity/discrimination events,
which involves at least one
internal party.
Losses due to acts of a type
intended to defraud,
External Fraud misappropriate property or
circumvent regulations the law
by a third party.
Losses arising from acts
inconsistent with employment,
Employment
health or safety laws or
Practices and
agreements, from payment of
Workplace Safety
personal injury claims, or from
diversity/discrimination events.
Losses arising from an
unintentional or negligent failure
to meet a professional obligation
Clients, Products &
to specific clients (including
Business Practices
fiduciary and suitability
requirements), or from the
nature or design of a product.
Losses arising from loss or
Damage to Physical
damage to physical assets from
Assets
natural disaster or other events.
Categories Official Activity Examples
Other Examples2
(Level 2)1 (Level 3)
(i) transactions not reported (intentional), (ii) transaction type
Unauthorized activity unauthorized (with monetary loss), (iii) mismarking of
Employee theft of assets
positions (intentional).
or information,
(i) fraud, credit fraud, worthless deposits; (ii) theft, extortion,
intentional misreporting
embezzlement, robbery; (iii) misappropriation of assets; (iv)
of positions, and insider
malicious destruction of assets; (v) forgery, check kiting; (vi)
Theft and fraud trading on an employee’s
smuggling; (vii) account take-over, impersonation; (viii) tax
own account.
non-compliance, evasion (willful); (ix) bribes, kickbacks; (x)
insider trading.
Theft and fraud (i) theft, robbery; (ii) forgery; (iii) check kiting.
Theft of assets or
(i) hacking damage; (ii) theft of information (with monetary information, robbery,
System security
loss). forgery, and check kiting.
(i) compensation, benefit, termination issues; (ii) organized Employee compensation
Employee relations
labor activity. and discrimination
(i) general liability; (ii) employee health and safety rules events; claims, violation of
Safe environment
(iii) workers’ compensation. employee health and
Diversity and safety rules, and general
All discrimination types.
discrimination liability.
(i) fiduciary breaches, guideline violations; (ii) suitability,
Suitability, disclosure disclosure issues; (iii) retail customer disclosure violations;
and fiduciary breach of privacy; (iv) aggressive sales; (v) account churning;
Fiduciary breaches,
(vi) misuse of confidential information; (vii) lender liability.
misuse of confidential
(i) antitrust; (ii) improper trade and market practices, market
Improper business and customer information,
manipulation, insider trading (on firm’s account); (iii)
market practices money laundering, and
unlicensed activity; (iv) money laundering.
sale of unauthorized
Product flaws (i) product defects, (ii) model errors.
products.
Selection, sponsorship (i) failure to investigate client per guidelines; (ii) exceeding
and exposure client exposure limits.
Advisory activities Disputes over performance of advisory services.
Financial loss from
natural disasters
Disasters and other (i) natural disaster losses; (ii) human losses from external (earthquakes, fires,
events sources (terrorism, vandalism, etc.). floods) and man-made
damage to physical assets
(terrorism, vandalism).
- 39 -

Business
Losses arising from disruption of
Disruption and
business or system failures.
System Failures
Losses from failed transaction
Execution, Delivery processing or process
& Process management, from relations with
Management trade counterparties and
vendors.
Table 5. Detailed event type (ET) classification. 1/The Level 1 and Level 2 categorization of ETs conforms to the specification of ETs in the guidelines on
Sound Practices for the Management of Operational Risk (2003a) issued by the Basel Committee. 2/See also Seivold et al. (2006).
Hardware and software
failures,
Hardware, software, telecommunications, utility
Systems telecommunication
outage/disruptions.
problems, and utility
outages.
(i) miscommunication; (ii) data entry, maintenance or loading
Transaction capture, error; (iii) missed deadline or responsibility; (iv) model/system
execution and misoperation, (v) accounting error/entity attribution error; (vi)
maintenance other task misperformance; (viii) delivery failure; (ix) collateral
management failure; (x) reference date maintenance.
Monitoring and (i) failed mandatory reporting obligation; (ii) inaccurate Data entry errors,
reporting external report (loss incurred). collateral management
Customer intake and (i) client permissions/disclaimers missing; (ii) legal documents failures, incomplete legal
documentation missing or incomplete. documentation, and
(i) unapproved access given to accounts; (ii) incorrect client vendor disputes.
Customer/client
records (loss incurred); (iii) negligent loss or damage of client
account management
assets.
(i) non-client counterparty misperformance; (ii) miscellaneous
Trade counterparties
non-client counterparty disputes.
Vendors and suppliers (i) outsourcing; (ii) vendor disputes.
- 40 -
View publication stats