Every once in a while, banking regulators get it right, and Bangko Sentral ng Pilipinas (BSP) has certainly done so with its Circular 900 [LINK] on operational risk.
Released back in December 2015, banks in the Philippines have been given a two-year grace period to establish a comprehensive framework for measuring and responding to operational risk. The central bank's recommendations are not only in line with Basel II but embrace and work beyond the Advanced Measurement Approaches described in the global risk mandate. Other regulators across the planet should take note here; it is refreshing to see a central bank move past the SMA distraction that has been emanating from the BCBS corner of late.
Nonetheless, the BSP have been very explicit with their requirements which fall into six key areas and we can interpret the following activities listed below ...
into six activity centres we describe here:
 Buy-in from Board of Directors and senior management.
 Design and Implement a risk management framework AND reporting system.
 Project manage the rollout of the operational risk framework across the bank.
 Consolidate and aggregate operational risk reports.
 Provide operational risk training and support to staff.
 Ensure that Compliance Functions and Internal Audit are integrated into the framework.
The "Risk Assessment Methodology Tools and Risk Reporting System" can be facilitated through eight core risk framework methods (shown in the diagram below) captured in a database system that feeds into a report after various risk factors have been modelled. These databases, models and reports will either need to be developed or acquired.
Some of the other banking regulators have found it difficult to encourage banks to create a comparative modelling and reporting approach, but the BSP have smartly separated the two requirements.
"BSFIs may deem it useful to quantify their operational risk exposures using the output of the risk assessment tools as inputs into a model", AND the BSFI will perform comparative analysis.
It will be interesting to see how Philippine operational risk departments facilitate the comparative analysis requirement and we will try to find time to write a technical blog on how to achieve that end.
What is encouraging to see is those modelling or more so the reporting recommendations are supporting traditional risk thinking around connecting risk levels to returns so that risk appetites can be appreciated. This should help risk managers elevate operational risk efforts past simple adherence to what needs to be in place by embedding risk reports down with the business and in line with other KPIs managers measure performance against.
"The results of the model can be used in an economic capital process and can be allocated to business lines to link risk and return"
Moving away from risk modelling for a moment, the Circular 900 also recommends some well thought through practice guidelines that from my experience will lead banks in the right direction. Let's take a look at one of these recommendations.
"The operational risk management framework shall form part of the BSFI enterprise-wide risk management system cover all lines of business ... including outsourced functions"
Absolutely, why have a siloed enterprise risk management function? ... Can't we push these two units together, break down the silo or perhaps as the BSP puts it: "The operational risk management framework should include an enterprise-wide definition of operational risk" and remember, you can't outsource banking processes and transfer the risk away without retaining some responsibility in what is being delivered to customers. You must retain some skin in the game as it should always be in the domain banking.
Another favourite circular recommendation of mine is this.
"Loss events linked to credit and market risk may also relate to operational risk and should be segmented in order to obtain a more comprehensive view of the BSFI's operational risk expsure"
The demarcation between operational, credit and market risk is not a futile exercise, nor is it simply a definition tagline to help risk managers comprehend the source of risks so that they can better understand what needs to be managed. The thing is, risks of an operational nature that have actualized into losses can be flagged as credit or market risk allowing staff to conceal errors and the role they have played in generating those losses. Kind of convenient isn't it!
You can imagine one of the scenarios playing out in the following manner (there are so many ways this could play out) ... "oh wow that loan was too risky after all, let's just write it down as a credit scoring problem even though the loan was originated outside credit policy, no one will be the wiser if we blame the scoring system".
This is a form of capital arbitrage when measured and provisioned against but more importantly, the disorder can result in grossly negligent outcomes as you can imagine. The circular fights back against this capital arbitrage disorder by recommending banks in the Philippines follow a strict adherence to a Risk Taxonomy that also requires managers in banks to carefully monitor operational risks that are as the central bank puts it, "linked to credit or market risk".
All good and in the coming weeks ahead we will publish more thoughts on operational risk management as we follow the tail end of the Circular 900. Causal Capital will also be running a three-day deep dive program that addresses these Circular 900 framework elements in detail and more information on this exciting event can be found here [LINK].