763. Mark Ames, Til Schuermann & Hal S. Scott, Bank Capital for Operational Risk: A Tale of Fragility and Instability, 2/2014.
Abstract: Operational risk is fundamentally different from all other risks taken on by a bank. It is embedded in every activity and product of an institution, and in contrast to the conventional financial risks (e.g. market, credit) is harder to measure and model, and not straight forwardly eliminated through simple adjustments like selling off a position. Operational risk tends to be about 9-13% of the total risk pie, though growing rapidly since the 2008-09 crisis. It tends to be more fat-tailed than other risks, and the data are poorer. As a result, models are fragile – small changes in the data have dramatic impacts on modeled output – and thus required operational risk capital is unstable. Yet the regulatory capital regime is, surprisingly, more rigidly model focused for this risk than for any other, at least in the U.S. We are especially concerned with the absence of incentives to invest in and improve business control processes through the granting of regulatory capital relief. We make four, not mutually exclusive policy suggestions. First, address model fragility through anchoring of key model parameters, yet allow each bank to scale capital to their data using robust methodologies. Second, relax the current tight linkage between statistical model output and required regulatory capital, incentivizing prudent risk management through joint use of scenarios and control factors in addition to data-based statistical models in setting regulatory capital. Third, provide allowance for real risk transfer through an insurance credit to capital, encouraging more effective risk sharing through future product innovation. Fourth, expand upon the standard taxonomy of event type and business line to include additional explanatory variables (such as product type, flags for litigated events, etc.) that would allow more effective inter-bank sharing and learning from experience. Until our understanding of operational risks increases, required regulatory capital should be based on methodologies that are simpler, more standardized, more stable and more robust.