This chapter sets out the standardised approach for calculating operational risk capital requirements.
The standardised approach methodology is based on the following components:
the Business Indicator (BI) which is a financial-statement-based proxy for operational risk;
the Business Indicator Component (BIC), which is calculated by multiplying the BI by a set of regulatory determined marginal coefficients (αi); and
the Internal Loss Multiplier (ILM), which is a scaling factor that is based on a bank’s average historical losses and the BIC.
Operational risk capital requirements (ORC) are calculated by multiplying the BIC and the ILM, as shown in the formula below. Risk-weighted assets (RWA) for operational risk are equal to 12.5 times ORC.
The BI comprises three components: the interest, leases and dividend component (ILDC); the services component (SC), and the financial component (FC).
ILDC, SC and FC are defined in the formulae below, where a bar above a term indicates that it is calculated as the average over three years: t, t-1 and t-2:1
To calculate the BIC, the BI is multiplied by the marginal coefficients (αi). The marginal coefficients increase with the size of the BI as shown in Table 1. For banks in the first bucket (ie with a BI less than or equal to €1bn) the BIC is equal to BI x 12%. The marginal increase in the BIC resulting from a one unit increase in the BI is 12% in bucket 1, 15% in bucket 2 and 18% in bucket 3.2
BI ranges and marginal coefficients |
Table 1 |
|
Bucket |
BI range (in €bn) |
BI marginal coefficients (αi) |
1 |
≤1 |
12% |
2 |
1 < BI ≤30 |
15% |
3 |
> 30 |
18% |
A bank’s internal operational risk loss experience affects the calculation of operational risk capital through the ILM. The ILM is defined as below, where the Loss Component (LC) is equal to 15 times average annual operational risk losses incurred over the previous 10 years:
The ILM is equal to one where the loss and business indicator components are equal. Where the LC is greater than the BIC, the ILM is greater than one. That is, a bank with losses that are high relative to its BIC is required to hold higher capital due to the incorporation of internal losses into the calculation methodology. Conversely, where the LC is lower than the BIC, the ILM is less than one. That is, a bank with losses that are low relative to its BIC is required to hold lower capital due to the incorporation of internal losses into the calculation methodology.
The calculation of average losses in the LC must be based on 10 years of high-quality annual loss data. The qualitative requirements for loss data collection are outlined in OPE25.14 to OPE25.34. As part of the transition to the standardised approach, banks that do not have 10 years of high-quality loss data may use a minimum of five years of data to calculate the LC.3 Banks that do not have five years of high-quality loss data must calculate the capital requirement based solely on the BIC. Supervisors may however require a bank to calculate capital requirements using fewer than five years of losses if the ILM is greater than 1 and supervisors believe the losses are representative of the bank’s operational risk exposure.
For banks in bucket 1 (ie with BI ≤ €1 billion), internal loss data does not affect the capital calculation. That is, the ILM is equal to 1, so that operational risk capital is equal to the BIC (=12% x BI). At national discretion, supervisors may allow the inclusion of internal loss data into the framework for banks in bucket 1, subject to meeting the loss data collection requirements specified in OPE25.14 to OPE25.34. In addition, at national discretion, supervisors may set the value of ILM equal to 1 for all banks in their jurisdiction. In case this discretion is exercised, banks would still be subject to the full set of disclosure requirements summarised in OPE25.35.
Banks with a BI greater than €1bn are required to use loss data as a direct input into the operational risk capital calculations. The soundness of data collection and the quality and integrity of the data are crucial to generating capital outcomes aligned with the bank’s operational loss exposure. The minimum loss data standards are outlined in OPE25.14 to OPE25.34. National supervisors should review the quality of banks’ loss data periodically.
Banks which do not meet the loss data standards are required to hold capital that is at a minimum equal to 100% of the BIC. In such cases supervisors may require the bank to apply an ILM which is greater than 1. The exclusion of internal loss data due to non-compliance with the loss data standards, and the application of any resulting multipliers, must be publicly disclosed in accordance with the Pillar 3 requirements.
The proper identification, collection and treatment of internal loss data are essential prerequisites to capital calculation under the standardised approach. The general criteria for the use of the LC are as follows.
Internally generated loss data calculations used for regulatory capital purposes must be based on a 10-year observation period. If ten years of good quality loss data are not available when the bank first moves to the standardised approach, a shorter observation period is acceptable on an exceptional basis (with a minimum observation period of five years). Note that all years of good-quality data available beyond five years must be included.
Internal loss data are most relevant when clearly linked to a bank’s current business activities, technological processes and risk management procedures. Therefore, a bank must have documented procedures and processes for the identification, collection and treatment of internal loss data. Such procedures and processes must be subject to validation before the use of the loss data within the operational risk capital requirement measurement methodology, and to regular independent reviews by internal and/or external audit functions.
For risk management purposes, and to assist in supervisory validation and/or review, a supervisor may request a bank to map its historical internal loss data into the relevant Level 1 supervisory categories as defined in Table 2 and to provide this data to supervisors. The bank must document criteria for allocating losses to the specified event types.
Detailed loss event type classification |
Table 2 |
|||
Event-type category (Level 1) |
Definition |
Categories (Level 2) |
Activity examples (Level 3) |
|
Internal fraud |
Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/ discrimination events, which involves at least one internal party |
Unauthorised activity |
Transactions not reported (intentional) Transaction type unauthorised (with monetary loss) Mismarking of position (intentional) |
|
Theft and fraud |
Fraud / credit fraud / worthless deposits Theft / extortion / embezzlement / robbery Misappropriation of assets Malicious destruction of assets Forgery Check kiting Smuggling Account takeover / impersonation etc Tax non-compliance / evasion (wilful) Bribes / kickbacks Insider trading (not on firm’s account) |
|||
External fraud |
Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party |
Theft and fraud |
Theft / robbery Forgery Check kiting |
|
Systems security |
Hacking damage Theft of information (with monetary loss) |
|||
Employment practices and workplace safety |
Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity / discrimination events |
Employee relations |
Compensation, benefit, termination issues Organised labour activity |
|
Safe environment |
General liability (slip and fall etc) Employee health and safety rules events Workers compensation |
|||
Diversity and discrimination |
All discrimination types |
|||
Clients, products and business practices |
Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product. |
Suitability, disclosure and fiduciary |
Fiduciary breaches / guideline violations Suitability / disclosure issues (know-your-customer etc) Retail customer disclosure violations Breach of privacy Aggressive sales Account churning Misuse of confidential information Lender liability |
|
Improper business or market practices |
Antitrust Improper trade / market practices Market manipulation Insider trading (on firm’s account) Unlicensed activity Money laundering |
|||
Product flaws |
Product defects (unauthorised etc) Model errors |
|||
Selection, sponsorship and exposure |
Failure to investigate client per guidelines Exceeding client exposure limits |
|||
Advisory activities |
Disputes over performance of advisory activities |
|||
Damage to physical assets |
Losses arising from loss or damage to physical assets from natural disaster or other events |
Disasters and other events |
Natural disaster losses Human losses from external sources (terrorism, vandalism) |
|
Business disruption and system failures |
Losses arising from disruption of business or system failures |
Systems |
Hardware Software Telecommunications Utility outage / disruptions |
|
Execution, delivery and process management |
Losses from failed transaction processing or process management, from relations with trade counterparties and vendors |
Transaction capture, execution and maintenance |
Miscommunication Data entry, maintenance or loading error Missed deadline or responsibility Model / system misoperation Accounting error / entity attribution error Other task misperformance Delivery failure Collateral management failure Reference data maintenance |
|
Monitoring and reporting |
Failed mandatory reporting obligation Inaccurate external report (loss incurred) |
|||
Customer intake and documentation |
Client permissions / disclaimers missing Legal documents missing / incomplete |
|||
Customer / client account management |
Unapproved access given to accounts Incorrect client records (loss incurred) Negligent loss or damage of client assets |
|||
Trade counterparties |
Non-client counterparty misperformance Miscellaneous non-client counterparty disputes |
|||
Vendors and suppliers |
Outsourcing Vendor disputes |
|||
A bank's internal loss data must be comprehensive and capture all material activities and exposures from all appropriate subsystems and geographic locations. The minimum threshold for including a loss event in the data collection and calculation of average annual losses is set at €20,000. At national discretion, for the purpose of the calculation of average annual losses, supervisors may increase the threshold to €100,000 for banks in buckets 2 and 3 (ie where the BI is greater than €1 billion).
Aside from information on gross loss amounts, the bank must collect information about the reference dates of operational risk events, including the date when the event happened or first began (“date of occurrence”), where available; the date on which the bank became aware of the event (“date of discovery”); and the date (or dates) when a loss event results in a loss, reserve or provision against a loss being recognised in the bank’s profit and loss (P&L) accounts (“date of accounting”). In addition, the bank must collect information on recoveries of gross loss amounts as well as descriptive information about the drivers or causes of the loss event.4 The level of detail of any descriptive information should be commensurate with the size of the gross loss amount.
Operational loss events related to credit risk and that are accounted for in credit RWA should not be included in the loss data set. Operational loss events that relate to credit risk but are not accounted for in credit RWA should be included in the loss data set.
Operational risk losses related to market risk are treated as operational risk for the purposes of calculating minimum regulatory capital under this framework and will therefore be subject to the standardised approach for operational risk.
Banks must have processes to independently review the comprehensiveness and accuracy of loss data.
Building an acceptable loss data set from the available internal data requires that the bank develop policies and procedures to address several features, including gross loss definition, reference date and grouped losses.
Gross loss is a loss before recoveries of any type. Net loss is defined as the loss after taking into account the impact of recoveries. The recovery is an independent occurrence, related to the original loss event, separate in time, in which funds or inflows of economic benefits are received from a third party.5
Banks must be able to identify the gross loss amounts, non-insurance recoveries, and insurance recoveries for all operational loss events. Banks should use losses net of recoveries (including insurance recoveries) in the loss dataset. However, recoveries can be used to reduce losses only after the bank receives payment. Receivables do not count as recoveries. Verification of payments received to net losses must be provided to supervisors upon request.
The following items must be included in the gross loss computation of the loss data set:
Direct charges, including impairments and settlements, to the bank's P&L accounts and write-downs due to the operational risk event;
Costs incurred as a consequence of the event including external expenses with a direct link to the operational risk event (eg legal expenses directly related to the event and fees paid to advisors, attorneys or suppliers) and costs of repair or replacement, incurred to restore the position that was prevailing before the operational risk event;
Provisions or reserves accounted for in the P&L against the potential operational loss impact;
Losses stemming from operational risk events with a definitive financial impact, which are temporarily booked in transitory and/or suspense accounts and are not yet reflected in the P&L ("pending losses").6 Material pending losses should be included in the loss data set within a time period commensurate with the size and age of the pending item; and
Negative economic impacts booked in a financial accounting period, due to operational risk events impacting the cash flows or financial statements of previous financial accounting periods ("timing losses").7 Material "timing losses" should be included in the loss data set when they are due to operational risk events that span more than one financial accounting period and give rise to legal risk.
The following items should be excluded from the gross loss computation of the loss data set:
Costs of general maintenance contracts on property, plant or equipment;
Internal or external expenditures to enhance the business after the operational risk losses: upgrades, improvements, risk assessment initiatives and enhancements; and
Insurance premiums.
Banks must use the date of accounting for building the loss data set. The bank must use a date no later than the date of accounting for including losses related to legal events in the loss data set. For legal loss events, the date of accounting is the date when a legal reserve is established for the probable estimated loss in the P&L.
Losses caused by a common operational risk event or by related operational risk events over time, but posted to the accounts over several years, should be allocated to the corresponding years of the loss database, in line with their accounting treatment.
Banking organisations may request supervisory approval to exclude certain operational loss events that are no longer relevant to the banking organisation's risk profile. The exclusion of internal loss events should be rare and supported by strong justification. In evaluating the relevance of operational loss events to the bank's risk profile, supervisors will consider whether the cause of the loss event could occur in other areas of the bank's operations. Taking settled legal exposures and divested businesses as examples, supervisors expect the organisation's analysis to demonstrate that there is no similar or residual legal exposure and that the excluded loss experience has no relevance to other continuing activities or products.
The total loss amount and number of exclusions must be disclosed in accordance with the Pillar 3 requirements with appropriate narratives, including total loss amount and number of exclusions.
A request for loss exclusions is subject to a materiality threshold to be set by the supervisor (for example, the excluded loss event should be greater than 5% of the bank’s average losses). In addition, losses can only be excluded after being included in a bank’s operational risk loss database for a minimum period (for example, three years), to be specified by the supervisor. Losses related to divested activities will not be subject to a minimum operational risk loss database retention period.
Banking organisations may request supervisory approval to exclude divested activities from the calculation of the BI. Such exclusions must be disclosed in accordance with the Pillar 3 requirements.
The scope of losses and BI items used to calculate the operational risk capital requirements must include acquired businesses and merged entities over the period prior to the acquisition/merger that is relevant to the calculation of the standardised approach (ten years for losses and three years for BI).
All banks with a BI greater than €1bn, or which use internal loss data in the calculation of operational risk capital, are required to disclose their annual loss data for each of the ten years in the ILM calculation window in accordance with the Pillar 3 requirements. This includes banks in jurisdictions that have opted to set ILM equal to one. Loss data is required to be reported net of recoveries, both before and after loss exclusions. All banks are required to disclose each of the BI sub-items for each of the three years of the BI component calculation window in accordance with the Pillar 3 requirements.