This paper proposes an approach to evaluating the ‘quality of compliance’ of ORM systems within, and between, firms and is based on the concept of ‘maturity models’.
By Patrick Mc Connell
In June 2004, the Basel Committee released the ‘Revised Framework for the International Convergence of Capital Measurement and Capital Standards’, which contained the definitive proposals on capital charges for operational risk under Basel II (Basel 2004). Under proposals for allowing “internationally active” banks to calculate regulatory capital using their own internal models – so called AMA (Advanced Measurement Approaches) - the Basel Committee backed away from dictating explicit methodologies for calculating operational risk capital charges towards a more qualitative approach to the management of operational risk.
In their final proposals, the Basel Committee stressed the importance of ‘qualitative standards’ for banks that wish to use an AMA for management of their operational risks. However, other than urge that an operational risk management (ORM) system must be “conceptually sound and implemented with integrity”, the Basel Committee gave few clues as to what such a ‘system’ might look like. Furthermore, Basel II states that any system developed and implemented by a bank must be “credible and appropriate”, “well reasoned”, “well documented” and “transparent and accessible”. Unfortunately, phrases such as ‘credible’, ‘well reasoned’, and ‘transparent’ are subjective and are open to interpretation by banks and their regulators.
The lack of clarity in the Basel II definitions of operational risk raises some very important practical questions for banks, in particular:
* What would a ‘conceptually sound’ operational risk management system look like?
* How can regulators compare one bank’s operational risk management system with another and, by implication, how can operational risk capital charges be compared – i.e. what constitutes a regulatory level playing field?
* Internally, what criteria can a bank use to allocate economic capital across its business units to satisfy the Basel qualitative standards for being “integrated into the day-to-day risk management processes of the bank”?
These questions are far from trivial. Banks are beginning to invest considerable sums of money and effort in developing the ORM systems necessary for Basel II, and they are doing so somewhat in the dark as to what will be acceptable. The Basel Committee can also change the ground rules and have reserved the right, prior to implementation, to “review evolving industry practices, … review accumulated data, and the level of capital requirements estimated by the AMA, and may refine its proposals if appropriate” (Basel 2004). This ambiguity creates a level of uncertainty (and operational risk) that the industry should address - sooner rather than later.
As part of the on-going research called for by Basel Committee, this paper considers the important questions raised by the ambiguity in the Basel II proposals and suggests mechanisms, proven in other industries, for evaluating ORM systems both within, and between, banks. After summarising the Basel II proposals on operational risk, the paper provides an overview of the COSO framework and its “Key Principles”. The paper then describes the concept of a ‘maturity models’ before proposing the concept of an ‘operational risk management maturity model’ (ORMMM).
Finally, the paper describes how such a model could be used to measure the quality of ORM compliance across the industry.
Read the complete paper (PDF)
•Date: 20th April 2005 •Region: UK/World •Type:
Article •Topic: Operational risk
this article or make a comment - click