Basel ii Accord
Sections 664 to 683

2. Advanced Measurement Approaches (AMA)

(i) General standards

664. In order to qualify for use of the AMA a bank must satisfy its supervisor that, at a minimum:
• Its board of directors and senior management, as appropriate, are actively involved in the oversight of the operational risk management framework;
• It has an operational risk management system that is conceptually sound and is implemented with integrity; and
• It has sufficient resources in the use of the approach in the major business lines as well as the control and audit areas.

665. A bank’s AMA will be subject to a period of initial monitoring by its supervisor before it can be used for regulatory purposes. This period will allow the supervisor to determine whether the approach is credible and appropriate. As discussed below, a bank’s internal measurement system must reasonably estimate unexpected losses based on the combined use of internal and relevant external loss data, scenario analysis and bank-specific business environment and internal control factors. The bank’s measurement system must also be capable of supporting an allocation of economic capital for operational risk across business lines in a manner that creates incentives to improve business line operational risk management.

(ii) Qualitative standards

666. A bank must meet the following qualitative standards before it is permitted to use an AMA for operational risk capital:

(a) The bank must have an independent operational risk management function that is responsible for the design and implementation of the bank’s operational risk management framework. The operational risk management function is responsible for codifying firm-level policies and procedures concerning operational risk management and controls; for the design and implementation of the firm’s operational risk measurement methodology; for the design and implementation of a risk-reporting system for operational risk; and for developing strategies to identify, measure, monitor and control/mitigate operational risk.

(b) The bank’s internal operational risk measurement system must be closely integrated into the day-to-day risk management processes of the bank. Its output must be an integral part of the process of monitoring and controlling the bank’s operational risk profile. For instance, this information must play a prominent role in risk reporting, management reporting, internal capital allocation, and risk analysis. The bank must have techniques for allocating operational risk capital to major business lines and for creating incentives to improve the management of operational risk throughout the firm.

(c) There must be regular reporting of operational risk exposures and loss experience to business unit management, senior management, and to the board of directors. The bank must have procedures for taking appropriate action according to the information within the management reports.

(d) The bank’s operational risk management system must be well documented. The bank must have a routine in place for ensuring compliance with a documented set of internal policies, controls and procedures concerning the operational risk management system, which must include policies for the treatment of noncompliance issues.

(e) Internal and/or external auditors must perform regular reviews of the operational risk management processes and measurement systems. This review must include both the activities of the business units and of the independent operational risk management function.

(f) The validation of the operational risk measurement system by external auditors and/or supervisory authorities must include the following:
• Verifying that the internal validation processes are operating in a satisfactory manner; and
• Making sure that data flows and processes associated with the risk measurement system are transparent and accessible. In particular, it is necessary that auditors and supervisory authorities are in a position to have easy access, whenever they judge it necessary and under appropriate procedures, to the system’s specifications and parameters.

(iii) Quantitative standards

AMA soundness standard

667. Given the continuing evolution of analytical approaches for operational risk, the Committee is not specifying the approach or distributional assumptions used to generate the operational risk measure for regulatory capital purposes. However, a bank must be able to demonstrate that its approach captures potentially severe ‘tail’ loss events. Whatever approach is used, a bank must demonstrate that its operational risk measure meets a soundness standard comparable to that of the internal ratings-based approach for credit risk, (i.e. comparable to a one year holding period and a 99.9th percentile confidence interval).

668. The Committee recognises that the AMA soundness standard provides significant flexibility to banks in the development of an operational risk measurement and management system. However, in the development of these systems, banks must have and maintain rigorous procedures for operational risk model development and independent model validation. Prior to implementation, the Committee will review evolving industry practices regarding credible and consistent estimates of potential operational losses. It will also review accumulated data, and the level of capital requirements estimated by the AMA, and may refine its proposals if appropriate.

Detailed criteria

669. This section describes a series of quantitative standards that will apply to internally generated operational risk measures for purposes of calculating the regulatory minimum capital charge.

(a) Any internal operational risk measurement system must be consistent with the scope of operational risk defined by the Committee in paragraph 644 and the loss event types defined in Annex 9.

(b) Supervisors will require the bank to calculate its regulatory capital requirement as the sum of expected loss (EL) and unexpected loss (UL), unless the bank can demonstrate that it is adequately capturing EL in its internal business practices. That is, to base the minimum regulatory capital requirement on UL alone, the bank must be able to demonstrate to the satisfaction of its national supervisor that it has measured and accounted for its EL exposure.

(c) A bank’s risk measurement system must be sufficiently ‘granular’ to capture the major drivers of operational risk affecting the shape of the tail of the loss estimates.

(d) Risk measures for different operational risk estimates must be added for purposes of calculating the regulatory minimum capital requirement. However, the bank may be permitted to use internally determined correlations in operational risk losses across individual operational risk estimates, provided it can demonstrate to the satisfaction of the national supervisor that its systems for determining correlations are sound, implemented with integrity, and take into account the uncertainty surrounding any such correlation estimates (particularly in periods of stress). The bank must validate its correlation assumptions using appropriate quantitative and qualitative techniques.

(e) Any operational risk measurement system must have certain key features to meet the supervisory soundness standard set out in this section. These elements must include the use of internal data, relevant external data, scenario analysis and factors reflecting the business environment and internal control systems.

(f) A bank needs to have a credible, transparent, well-documented and verifiable approach for weighting these fundamental elements in its overall operational risk measurement system. For example, there may be cases where estimates of the 99.9th percentile confidence interval based primarily on internal and external loss event data would be unreliable for business lines with a heavy-tailed loss distribution and a small number of observed losses. In such cases, scenario analysis, and business environment and control factors, may play a more dominant role in the risk measurement system. Conversely, operational loss event data may play a more dominant role in the risk measurement system for business lines where estimates of the 99.9th percentile confidence interval based primarily on such data are deemed reliable. In all cases, the bank’s approach for weighting the four fundamental elements should be internally consistent and avoid the double counting of qualitative assessments or risk mitigants already recognised in other elements of the framework.

Internal data

670. Banks must track internal loss data according to the criteria set out in this section. The tracking of internal loss event data is an essential prerequisite to the development and functioning of a credible operational risk measurement system. Internal loss data is crucial for tying a bank’s risk estimates to its actual loss experience. This can be achieved in a number of ways, including using internal loss data as the foundation of empirical risk estimates, as a means of validating the inputs and outputs of the bank’s risk measurement system, or as the link between loss experience and risk management and control decisions.

671. Internal loss data is most relevant when it is clearly linked to a bank’s current business activities, technological processes and risk management procedures. Therefore, a bank must have documented procedures for assessing the on-going relevance of historical loss data, including those situations in which judgement overrides, scaling, or other adjustments may be used, to what extent they may be used and who is authorised to make such decisions.

672. Internally generated operational risk measures used for regulatory capital purposes must be based on a minimum five-year observation period of internal loss data, whether the internal loss data is used directly to build the loss measure or to validate it. When the bank first moves to the AMA, a three-year historical data window is acceptable (this includes the parallel calculations in paragraph 46).

673. To qualify for regulatory capital purposes, a bank’s internal loss collection processes must meet the following standards:
• To assist in supervisory validation, a bank must be able to map its historical internal loss data into the relevant level 1 supervisory categories defined in Annexes 8 and 9 and to provide these data to supervisors upon request. It must have documented, objective criteria for allocating losses to the specified business lines and event types. However, it is left to the bank to decide the extent to which it applies these categorisations in its internal operational risk measurement system.
• A bank’s internal loss data must be comprehensive in that it captures all material activities and exposures from all appropriate sub-systems and geographic locations. A bank must be able to justify that any excluded activities or exposures, both individually and in combination, would not have a material impact on the overall risk estimates. A bank must have an appropriate de minimis gross loss threshold for internal loss data collection, for example €10,000. The appropriate threshold may vary somewhat between banks, and within a bank across business lines and/or event types. However, particular thresholds should be broadly consistent with those used by peer banks.
• Aside from information on gross loss amounts, a bank should collect information about the date of the event, any recoveries of gross loss amounts, as well as some descriptive information about the drivers or causes of the loss event. The level of detail of any descriptive information should be commensurate with the size of the gross loss amount.
• A bank must develop specific criteria for assigning loss data arising from an event in a centralised function (e.g. an information technology department) or an activity that spans more than one business line, as well as from related events over time.
• Operational risk losses that are related to credit risk and have historically been included in banks’ credit risk databases (e.g. collateral management failures) will continue to be treated as credit risk for the purposes of calculating minimum regulatory capital under this Framework. Therefore, such losses will not be subject to the operational risk capital charge. (109) Nevertheless, for the purposes of internal operational risk management, banks must identify all material operational risk losses consistent with the scope of the definition of operational risk (as set out in paragraph 644 and the loss event types outlined in Annex 9), including those related to credit risk. Such material operational risk-related credit risk losses should be flagged separately within a bank’s internal operational risk database. The materiality of these losses may vary between banks, and within a bank across business lines and/or event types. Materiality thresholds should be broadly consistent with those used by peer banks.
• Operational risk losses that are related to market risk are treated as operational risk for the purposes of calculating minimum regulatory capital under this Framework and will therefore be subject to the operational risk capital charge.

(109) This applies to all banks, including those that may only now be designing their credit risk and operational risk databases.

External data

674. A bank’s operational risk measurement system must use relevant external data (either public data and/or pooled industry data), especially when there is reason to believe that the bank is exposed to infrequent, yet potentially severe, losses. These external data should include data on actual loss amounts, information on the scale of business operations where the event occurred, information on the causes and circumstances of the loss events, or other information that would help in assessing the relevance of the loss event for other banks. A bank must have a systematic process for determining the situations for which external data must be used and the methodologies used to incorporate the data (e.g. scaling, qualitative adjustments, or informing the development of improved scenario analysis). The conditions and practices for external data use must be regularly reviewed, documented, and subject to periodic independent review.

Scenario analysis

675. A bank must use scenario analysis of expert opinion in conjunction with external data to evaluate its exposure to high-severity events. This approach draws on the knowledge of experienced business managers and risk management experts to derive reasoned assessments of plausible severe losses. For instance, these expert assessments could be expressed as parameters of an assumed statistical loss distribution. In addition, scenario analysis should be used to assess the impact of deviations from the correlation assumptions embedded in the bank’s operational risk measurement framework, in particular, to evaluate potential losses arising from multiple simultaneous operational risk loss events. Over time, such assessments need to be validated and re-assessed through comparison to actual loss experience to ensure their reasonableness.

Business environment and internal control factors

676. In addition to using loss data, whether actual or scenario-based, a bank’s firm-wide risk assessment methodology must capture key business environment and internal control factors that can change its operational risk profile. These factors will make a bank’s risk assessments more forward-looking, more directly reflect the quality of the bank’s control and operating environments, help align capital assessments with risk management objectives, and recognise both improvements and deterioration in operational risk profiles in a more immediate fashion. To qualify for regulatory capital purposes, the use of these factors in a bank’s risk measurement framework must meet the following standards:
• The choice of each factor needs to be justified as a meaningful driver of risk, based on experience and involving the expert judgment of the affected business areas. Whenever possible, the factors should be translatable into quantitative measures that lend themselves to verification.
• The sensitivity of a bank’s risk estimates to changes in the factors and the relative weighting of the various factors need to be well reasoned. In addition to capturing changes in risk due to improvements in risk controls, the framework must also capture potential increases in risk due to greater complexity of activities or increased business volume.
• The framework and each instance of its application, including the supporting rationale for any adjustments to empirical estimates, must be documented and subject to independent review within the bank and by supervisors.
• Over time, the process and the outcomes need to be validated through comparison to actual internal loss experience, relevant external data, and appropriate adjustments made.

(iv) Risk mitigation (110)

(110) The Committee intends to continue an ongoing dialogue with the industry on the use of risk mitigants for operational risk and, in due course, may consider revising the criteria for and limits on the recognition of operational risk mitigants on the basis of growing experience.

677. Under the AMA, a bank will be allowed to recognise the risk mitigating impact of insurance in the measures of operational risk used for regulatory minimum capital requirements. The recognition of insurance mitigation will be limited to 20% of the total operational risk capital charge calculated under the AMA.

678. A bank’s ability to take advantage of such risk mitigation will depend on compliance with the following criteria:
• The insurance provider has a minimum claims paying ability rating of A (or equivalent).
• The insurance policy must have an initial term of no less than one year. For policies with a residual term of less than one year, the bank must make appropriate haircuts reflecting the declining residual term of the policy, up to a full 100% haircut for policies with a residual term of 90 days or less.
• The insurance policy has a minimum notice period for cancellation of 90 days.
• The insurance policy has no exclusions or limitations triggered by supervisory actions or, in the case of a failed bank, that preclude the bank, receiver or liquidator from recovering for damages suffered or expenses incurred by the bank, except in respect of events occurring after the initiation of receivership or liquidation proceedings in respect of the bank, provided that the insurance policy may exclude any fine, penalty, or punitive damages resulting from supervisory actions.
• The risk mitigation calculations must reflect the bank’s insurance coverage in a manner that is transparent in its relationship to, and consistent with, the actual likelihood and impact of loss used in the bank’s overall determination of its operational risk capital.
• The insurance is provided by a third-party entity. In the case of insurance through captives and affiliates, the exposure has to be laid off to an independent third-party entity, for example through re-insurance, that meets the eligibility criteria.
• The framework for recognising insurance is well reasoned and documented.
• The bank discloses a description of its use of insurance for the purpose of mitigating operational risk.

679. A bank’s methodology for recognising insurance under the AMA also needs to capture the following elements through appropriate discounts or haircuts in the amount of insurance recognition:
• The residual term of a policy, where less than one year, as noted above;
• A policy’s cancellation terms, where less than one year; and
• The uncertainty of payment as well as mismatches in coverage of insurance policies.

D. Partial use

680. A bank will be permitted to use an AMA for some parts of its operations and the Basic Indicator Approach or Standardised Approach for the balance (partial use), provided that the following conditions are met:
• All operational risks of the bank’s global, consolidated operations are captured;
• All of the bank’s operations that are covered by the AMA meet the qualitative criteria for using an AMA, while those parts of its operations that are using one of the simpler approaches meet the qualifying criteria for that approach;
• On the date of implementation of an AMA, a significant part of the bank’s operational risks are captured by the AMA; and
• The bank provides its supervisor with a plan specifying the timetable to which it intends to roll out the AMA across all but an immaterial part of its operations. The plan should be driven by the practicality and feasibility of moving to the AMA over time, and not for other reasons.

681. Subject to the approval of its supervisor, a bank opting for partial use may determine which parts of its operations will use an AMA on the basis of business line, legal structure, geography, or other internally determined basis.

682. Subject to the approval of its supervisor, where a bank intends to implement an approach other than the AMA on a global, consolidated basis and it does not meet the third and/or fourth conditions in paragraph 680, the bank may, in limited circumstances:
• Implement an AMA on a permanent partial basis; and
• Include in its global, consolidated operational risk capital requirements the results of an AMA calculation at a subsidiary where the AMA has been approved by the relevant host supervisor and is acceptable to the bank’s home supervisor.

683. Approvals of the nature described in paragraph 682 should be granted only on an exceptional basis. Such exceptional approvals should generally be limited to circumstances where a bank is prevented from meeting these conditions due to implementation decisions of supervisors of the bank’s subsidiary operations in foreign jurisdictions.