Wednesday, July 6, 2011

Does capital cap it all?

Does Capital, cap it all?
Basel II new Operational Risk Guidelines a threat or opportunity?
Yerram Raju and Rao N. Venuturupalle*
‘Wholesale banking in India is set for a period of sharp growth. Revenues from wholesale banking activities are likely to more than double over the next five years as infrastructure investment, expansion by Indian companies overseas, and further “Indianization” of multinational businesses, among other trends, drive new business. Foreign players and the country’s domestic banks, however, will find themselves in a tough com¬mercial environment and must overcome a range of challenges if they are to maintain, or assume, a leading position in the market. (Akash Lal and Naveen Tahilyani, McKinseys 2011) In the context of globalization and shadow banking, there is a genuine concern on the part of regulators that the operational risks would be on the rise and that they need to be provided for in the banks’ balance sheets adequately. It is this ‘adequacy’ that is likely to upset the applecart of commercial banks’ expectations, more so, when multiple channels and universal banking are embraced. The global risk scenario remains icing on the cake although between 2008 and 2011, there is considerable improvement. This article would like to deal with the emerging financial system in India in the first part and the concerns arising out of the recently put out Basel document on the Management and Supervision of Operational Risk: governance, risk management environment and the role of disclosure. Part II examines the principles and various aspects of OR management vis-à-vis the prevailing operational processes and practices in some of the major Indian banks. The paper also presents the challenges, potential costs and benefits in implementing the proposed best practices.

Part I
Indian Financial System (IFS) has its generic novelties and complexities. It embraces cooperative banks under two streams – urban and rural with a three-tier structure; commercial banks comprising of public sector banks; private sector banks (old and new generation); regional rural banks including local area banks; and foreign banks. It proved resilient under the recent global recession era thanks to the robust regulatory system that took care of capital adequacy concerns with the twin instrumentality of Statutory Liquidity Ratio and Cash Reserve Ratio among others and a low leveraging. These five streams of banking in India have wide-ranging variances in adoption of technologies – primitive in the cooperatives to the most advanced in globally placed banks like the State Bank of India, ICICI Bank and foreign banks. The most virtuous aspect of regulation has been the compliance discipline of these institutions. In line with the ongoing supervisory and multiple regulator concerns, a Financial Super Regulatory Board had been set up and the central bank was entrusted with the coordination role. The central bank started releasing the financial stability reports (FSR) at frequent intervals commencing from March 2010 to reflect the health of the Indian Financial System. The latest FSR states that the ‘Indian financial system remains stable in the face of some fragilities being observed in the global macro-financial environment. Growth is slackening in most parts of the world, even as the risks from global imbalances and sovereign debt crises in Europe continue to hover. The uncertainties in global environment with persistently high energy and commodity prices have contributed to a slight moderation in India’s growth momentum as well. The macroeconomic fundamentals for India, however, continue to stay strong, notwithstanding the prevailing inflationary pressures and concerns on fiscal fronts.’ India is among the sizzling top seven emerging market overheating index of the Economist (London – June 2011), measured in terms of six indicators - inflation, spare capacity, labour markets, excessive credit expansion, real rate of interest, and widening current account deficit. In the short-term, Fitch has lowered the growth rate at 7.7 percent (June 2011) in this background whereas Standard & Poor predicted a robust inflow of FII and FDI resources into the economy. The growth projections of Indian Banking even in the wake of overall uncertain economic growth, is intriguing.
Last two years witnessed an increasing trend of frauds, misappropriations, embezzlements, ATM robberies, technology security failures in quite a few centres in the entire banking spectrum and all of them fall under the band of Operational Risk. RBI directs Banks to report every fraud above Rs.1lakh to their Boards promptly; frauds by employees for amounts exceeding Rs.10000 to the local police; cases involving more than Rs.7.5cr to the Banking Security and Fraud Cell of the Economic Offences wing of the CBI; and cases of cheating involving Rs.1crore and above to the CBI. Latest RBI guidelines (April 29, 2011) on banks’ technology governance, information security, audit, outsourcing and cyber fraud as a possible reaction to the surfacing of operational risks in increasing measure lately, are a pointer to further investments in those areas to mitigate Operational Risk.
Even in the backdrop of rising systemic risks in the banking ecosystem in Euromarkets leaving little hope, the RBI Governor succinctly summarized the concerns of Basel III and exuded confidence that the Indian banks would be able to meet up with the capital expectations. But does capital cap it all? - Is the question.
Part II
The earliest Basel Committee publication on Operational risk was a compilation of information on management of operational risk at thirty major banks from different member-countries. We are of the opinion that awareness of operational risk as a separate risk category and processes for measurement of the same was then at a nascent stage. However, a series of high profile incidents at Barings Bank, Daiwa Bank and Allied Irish Bank (to name a few) in the late 1990s heightened the need for regulation of operational risk. In India, the State Bank of India and Punjab National Bank – both in the public sector, take such credit in the second half of the first decade of the current millennium.

Operational risk was first recognized as sensitive to capital adequacy and given explicit treatment under Basel II Accord. Together with The Sound Practices for the Management and Supervision of Operational Risk(2003), the Accord laid down principles for effective management of operational risk, best practices for governance, identification and assessment, monitoring and reporting, control & mitigation etc. Besides these, the Accord also covered approaches for calculation of regulatory capital for operational risk. In response to these regulatory developments and prevention of operational failures, banks and supervisors have expanded their knowledge and experience in implementing ORM framework – loss data collection, modeling capital requirements, implementation of governance structure and other steps. For instance, formation of ORX (Operational Risk data eXchange), a repository of external operational risk loss events, is an initiative that would aid in exploring adequacy or weaknesses of internal controls, operational risk modeling and capital calculations etc.

Despite these developments, the fundamental reason for recent credit crisis was operational inefficiencies – lax underwriting standards, unbridled risk taking etc. – that eventually brought the interconnected world economy into a recession the likes of which was last seen only during the Great Depression.

Closer home, the systemic impact of credit crisis was much less because of timely interventions by the central bank, the RBI, by way of reining-in the economy using macro-economic variables CRR and SLR. However, this does not mean there are no operational inefficiencies in the Indian banking system. Most banks’ approach has primarily been compliance to regulation with minimal or no importance to imbibing a risk culture seeping through the entire organization. Risk evaluation is integral to everything that individuals do. Yet organizations often treat risk as an adjunct added on at the end of the process – ‘Let us do a risk assessment and see where we are.’ Such an approach is wholesomely inadequate. Instead, risk must be factored in at the beginning of an initiative and should remain a focus throughout the entire process. Given the expected growth in the Indian economy during the Twelfth Plan at an average of ten percent, and the concomitant growth in the banking industry, cultivating risk culture becomes imperative for the industry.

Based on the developments with respect to regulation and upheavals in the banking industry the world over in little over a decade, it can be concluded that the operational risk discipline is still evolving.

Collection of loss incidents data
Loss data collection (either internal or external) provides meaningful insight into effectiveness of internal controls, modeling of operational risk and capital calculations, and could provide information about previously unidentified risk exposures. For this to be effective, banks must have comprehensive documented procedures for capturing loss incidents data –
i) mapping of activities along various business lines
ii) define loss thresholds for each business line for the purpose of identifying those events that could have material impact on the bank’s balance sheet
iii) mapping loss data to appropriate business line (and sub-categories) and event types
iv) tracking of Internal loss data collection

It is generally observed that majority of the public sector banks in India have material business in around five of the eight business lines recognized by BCBS. Availability and reliability of loss event data in these business lines deserves lot of attention and much needed action, for, a branch that has not reported any loss data cannot be construed as functioning excellently. In order to improve internal data collection, clarity on collection of loss events data and their assignment to appropriate business lines is essential. Additionally, clarity on potential losses, near misses, attempted frauds, etc. where no loss has actually been incurred by the bank will go a long way in strengthening internal systems and controls. Active involvement of the Risk Management Committee of the bank could very well help in providing direction to this very important aspect of operational risk management.

OR governance and risk management function

Sound internal governance is fundamental to effective operational risk management framework that is fully integrated into the bank’s overall governance structure in risk management. The board of directors together with the senior management should lead the Governance processes to establish a strong risk culture. An industry best practice for internal governance is to have in place a 3-tiered structure:
i) business line management – responsibility of identification and management of risks inherent in a bank’s products, services and activities rests with the business units
ii) a functionally independent corporate operational risk function complementing the business line’s operational risk management activities and responsible for the design, maintenance and ongoing development of operational risk management framework within the bank.
iii) an independent unit performing review and challenging the bank’s operational risk management controls, processes and systems, typically, an audit function

A general observation in the Indian Banking industry is that the business lines and risk management departments are compartmentalized with no clear objective and direction from the senior leadership to bring these to work supportively towards a common objective of improving operational processes and shareholder value. The Risk Management department should be directly reporting to the Risk Management Committee of the Board instead of reporting to the CEO so as to ensure that revenue targets are pursued within the boundary of risk processes controls.

The role of the Board of Directors as mentioned under Principle (3) seems to be far-fetched and impractical especially in Indian Public Sector Banks. It is not possible for the non-executive directors to go into the detail required to ensure the firm is managing “operational risks associated with new strategies, products, activities, or systems, including changes in risk profiles and priorities”. This responsibility is more appropriate to senior management of the bank with the Board as an overseer.

Reporting and monitoring of operational loss data

Operational data – both qualitative and quantitative – could provide valuable insights into effectiveness of ORM framework, weaknesses in policies and procedures and measures needed to plug these, risk profiles, deviations from risk appetite, capital requirements and lot other information. Given the breadth and complexity of data, business intelligence tools can be used to present this data in the form of reports and pictorial dashboards to provide meaningful information to senior management and board.
For the Indian banks, there are a number of reasons that clearly justify the need to adopt business intelligence and data analytics tools:-
a) The 8.0% plus economic growth observed in the past decade and projected in the future
b) The recent economic crisis has shown that markets the world over are interconnected.
c) RBI’s mandate for an inclusive growth
d) Huge customer base in India
These tools will certainly help in proactive risk management and timely availability of reports to the senior management and the board.
Importance of audits
One of the sound industry practices for operational risk governance is setup of an independent audit unit that reviews and challenges the bank’s controls, processes and systems. The internal audit should not only be testing compliance to approved policies and procedures but should also be evaluating whether the ORM Framework meets organizational needs and supervisory expectations.
In general, the Indian banks have an audit department but lack importance and management oversight. These departments mostly perform transactional audits but gaps in underlying processes are never identified. Moreover, closure of audit findings continues to happen mechanically and there is no trail of audit compliance. Consequently, such a practice exposes the bank to loss of revenue, customer confidence and reputation.
Risk education, training and staff with required skills
An ORM framework is effective only when all departments implementing and evaluating the framework are staffed with required training and skills along with a continuous focus on education in risk. To this end, the board of directors and senior management must provide the required support and oversight.
There is a general feeling both among the regulators and the individual banks that the professional directors like the Chartered Accountants would take care of the risk management oversight better than the rest. Yes; only to a degree. Several Chartered Accountants also require intense knowledge and skills in the discipline of risk management. The ICAI has to put in place such arrangement, if necessary, by coordinating with knowledge providers of global repute like the Professional Risk Managers’ International Association (PRMIA) or GARP. When APRM, PRM, and FRM get premium attention in the placements and promotions to staff to handle the risk management function, there would be scope for professional directors to perform the risk management function more skillfully.

The budgets for risk training and education were inadequate. All employees in general and audit department, in particular, must be appropriately staffed with required training and skills along with a continuous focus on education in risk. To this end, the board of directors and senior management must provide the required support and oversight.
Implementation of proposed framework – costs and capital considerations
i) Operational risk cannot be treated as residual risk after accounting for credit and market risk. A leading public sector bank, capital at a maximum of 5 percent of the total risk weight assets is set aside for operational risk. This is certainly short of required adequacy for a bank of its size. Appropriate OR processes must be in place to enable calculation of required OR capital.

ii) The cost of implementation of the OR framework – particularly in regard to data collection and data analytics – is considered onerous and such costs cannot be passed on to the customers as is done in the areas of credit risk and market risk. The Central Bank could consider treating such costs differently and provide enough cushions for competitiveness. The Central Banks should incentivize banks which adopt data collection and data analytics tools for mitigating operational risks or capturing near misses by way of tax benefits or other subventions.

Timelines for implementation of AMA approach

Banks in India would be requiring time until 31st March 2014 to be in preparedness for adopting the AMA when alone it would be possible to secure high integrity data for the past 20 quarters under all data requirements. A step in the right direction is the formation of CORDEX (Compilation of Operational Risk Loss Data Exchange) initiated by Indian Banks’ Association. Such industry level data could very well be used for scenario and stress testing. However, this is in its formative stages and the Central Bank may itself take two years to validate the system.

Operational risk management is receiving immense importance and focus from all stakeholders – regulators, senior management & board and investors. Whereas credit and market risk management have matured considerably in the last couple of decades, operational risk management is still an evolving discipline.

Many banks world over have made considerable progress with respect to implementing an ORM Framework. Indian banks, however, have made some progress but this has been seen more as mandate for compliance than as a need for driving a risk management culture throughout the organization that will eventually reduce operational losses and improve shareholder value. In this respect, board and senior management oversight is the need of the hour.

Also, the ORM Framework must be periodically reviewed to ensure controls in response to material & non-material losses are implemented. Investments have to be made in training and education, and data analytics and business intelligence solutions as these will help in spreading a risk culture of highest quality throughout the bank and enable proactive risk management. Banks also have to make considerable investments for collection of loss data and for putting in place policies, procedures and controls before they can adopt AMA approach for calculation of operational risk capital.

The foregoing analysis clearly reveals that mere provisioning of capital of a high order does not insulate the banks from all the risks and the 2007 recession has proved beyond doubt that neither the size of the bank nor the size of the provisioning has insulated the bank from the catastrophic downfall. Robust processes are more important than mere provisioning of capital to take care of the commonly arising risks. These apart, the ORM is yet to capture the reputation risk as its measurability has some issues to debate. In essence, all the eleven principles highlighted in the Basel II document of December 2010 provide an opportunity to sprucing up the banks’ risk management platforms marginalizing the threat to adequacies of capital provisioning.


1. ‘Sound Practices for the Management and Supervision of Operational Risk’, Basel Committee on Banking Supervision, December 2010.
2. ‘Round Table on Sound Practices for Management and Supervision of Operational Risk’, PRMIA Hyderabad Chapter, January, 2011.

* Dr B. Yerram Raju is an economist and Regional Director, PRMIA, Hyderabad Chapter and Mr Rao N. Venuturupalle is Dy. Regional Director, PRMIA, Hyderabad Chapter and Lead Consultant, HSBC, Hyderabad. The views expressed are personal.