BIPRU 6.5 Operational risk: Advanced measurement approaches
Application
BIPRU 6.5 applies to a BIPRU firm with an AMA permission.
AMA permissions: general
The rules in GENPRU and BIPRU do not allow a firm to use the advanced measurement approach. A firm that wishes to use an advanced measurement approach, based on the firm's own operational risk measurement systems, for the calculation of its ORCR should therefore apply for AMA permission to use the advanced measurement approach as explained in BIPRU 1.3.
The FSA will not grant a firm an AMA permission to use the advanced measurement approach if the firm does not meet the standards in BIPRU 6.5.5 R.
An AMA permission will generally modify BIPRU 6.2.1 R (Calculation of ORCR) by amending, to the extent set out in the AMA permission, the calculation of the ORCR of the firm to be calculated in accordance with BIPRU 6.5.
Minimum standards
A firm must be able to satisfy the FSA that it meets:
- (1)
the general risk management standards in SYSC 4.1.1 R to SYSC 4.1.2 R and SYSC 7.1.16 R;2
- (2)
the qualitative standards set out in this section; and
- (3)
the quantitative standards set out in this section.
[Note: BCD Article 105(2) and Annex X Part 3 point 1]
Qualitative standards
- (1)
This rule sets out the qualitative standards that a firm's operational risk measurement system must meet.
- (2)
A firm's internal operational risk measurement system must be closely integrated into its day-to-day risk management processes.
- (3)
A firm must have an independent risk management function for operational risk.
- (4)
There must be regular reporting of operational risk exposures and loss experience. The firm must have procedures for taking appropriate corrective action.
- (5)
A firm's risk management system must be well documented. The firm must have a routine in place for ensuring compliance and policies for the treatment of non-compliance.
- (6)
A firm's operational risk management processes and measurement systems must be subject to regular reviews performed by internal and/or external auditors.
- (7)
A firm must ensure that in respect of its operational risk measurement system:
- (a)
its internal validation processes are operating in a satisfactory manner; and
- (b)
the data flows and processes associated with the risk measurement system are transparent and accessible.
[Note: BCD Annex X Part 3 points 2 to 7]
- (a)
For the purposes of BIPRU 6.5.6 R (2), a firm should be able to show that:
- (1)
its operational risk measurement systems and processes provide benefits to the firm and are not limited to determining regulatory capital;
- (2)
the operational risk measurement system and framework forms part of the systems and controls it has in place; and
- (3)
the operational risk measurement system and framework are capable of adapting to the changes in the business of the firm and evolving as the firm gains experience of risk management techniques.
For the purposes of BIPRU 6.5.6 R (3), a firm should be able to show that the independent risk management function is sufficiently separate from the business units of the firm to allow its professional judgement and recommendations to be effective and impartial.
For the purposes of BIPRU 6.5.6 R (4), a firm should ensure that:
- (1)
its governing body or designated committee (where one is used) possesses a general understanding of the firm's AMA; and
- (2)
its senior management possesses a good understanding of the firm's AMA and its operation.
- (1)
A firm's governing body or designated committee may choose to approve only material aspects of the firm's AMA and material changes to the firm's AMA.
- (2)
Where a firm's governing body or designated committee chooses to approve only material aspects of the firm's AMA and material changes to the firm's AMA:
- (a)
the firm's governing body or designated committee should define the firm's overall approach to the AMA and approve a policy statement defining that approach; and
- (b)
the firm should define and document the process for approval of non-material aspects of the firm's AMA.
- (a)
For the purposes of BIPRU 6.5.6 R (7), a firm should develop and adopt an internal validation methodology of its operational risk measurement system and management processes that:
- (1)
is proportionate and appropriate to the business of the firm;
- (2)
takes into account changing market and operating conditions of the firm;
- (3)
encompasses both quantitative and qualitative methods of the firm's operational risk measurement system;
- (4)
is periodically assessed by the firm;
- (5)
is subject to regular independent review to ensure effective implementation; and
- (6)
is clearly documented.1
Quantitative standards: process
- (1)
This rule sets out the quantitative standards that a firm's operational risk measurement system must meet with respect to process.
- (2)
A firm must calculate its capital requirement as comprising both expected loss and unexpected loss, unless the firm can demonstrate that expected loss is adequately captured in its internal business practices.
- (3)
The operational risk measure of a firm must capture potentially severe tail events, achieving a soundness standard comparable to a 99.9% confidence interval over a one year period.
- (4)
The operational risk measurement system of a firm must have certain key elements to meet the soundness standard set out in (2) and (3). These elements must include the use of internal data, external data, scenario analysis and factors reflecting the business environment and internal control systems as set out in BIPRU 6.5.21 R to BIPRU 6.5.25 R.
- (5)
A firm must have a well documented approach for weighting the use of the four elements in (4) in its overall risk measurement system.
- (6)
A firm's risk measurement system must capture the major drivers of risk affecting the shape of the tail of the loss estimates.
- (7)
A firm must only recognise correlations in operational risk losses across individual operational risk estimates to the extent they are set out in its AMA permission. The firm must validate its correlation assumptions using appropriate quantitative and qualitative techniques.
- (8)
A firm's risk measurement system must be internally consistent and must avoid the multiple counting of qualitative assessments or risk mitigants recognised in other areas of the capital adequacy framework.
[Note: BCD Annex X Part 3 points 8 to 10, 11 (part) and 12]
For the purposes of BIPRU 6.5.12 R (7), the firm must be able to show that its system for measuring correlations is sound, implemented with integrity, and takes into account the uncertainty surrounding any such correlation estimates, particularly in periods of stress.
[Note: BCD Annex X Part 3 point 11 (part)]
A firm should be able to satisfy the FSA that it has considered the following with respect to its operational risk measurement systems:
- (1)
whether the choice of distributions used provides both a good fit with the data and an ability adequately to account for rare events;
- (2)
whether the estimated parameters and capital numbers used for the simulated inclusion or exclusion of unusually large losses are sufficiently robust;
- (3)
the co-dependency, or independency, of assumptions governing the relationships between risk types and between business lines;
- (4)
the number of simulations or iterations required during model execution to provide reasonably stable capital results;
- (5)
the emergence of different data types, such as the combination of internal and external loss data, based on different degrees of credibility; and
- (6)
the methodologies used for the purposes of achieving a soundness standard comparable to a 99.9% confidence interval.
For the purposes of BIPRU 6.5.12 R (2), a firm should be able to show that its operational risk measurement systems that capture expected loss are:
- (1)
clearly documented;
- (2)
sound, implemented with integrity and consistently applied, and take into account uncertainty surrounding expected loss;
- (3)
subject to regular reviews by the firm of the reasonableness of the expected loss estimates and comparisons with subsequent outcomes; and
- (4)
based on justifiable assumptions for capturing and reviewing the reasonableness of the expected loss estimates.
For the purposes of BIPRU 6.5.15 G, the firm should use the business management definition it uses for the purposes of identifying an expected loss.
Where a firm is using a combination of budgeting and pricing for the purposes of the operational risk measurement system for capturing expected loss, a firm should be able to show that:
- (1)
the process is transparent, can be repeated and provides support to the firm's management of its business;
- (2)
to a reasonable degree of certainty, budgeted resources for the relevant year cover budgeted expected losses;
- (3)
its forecasting takes into account both historic performance and drivers which may affect future trends; and
- (4)
the forecasting in (3) is monitored on a periodic basis and adjusted as appropriate.
For the purposes of BIPRU 6.5.12 R (3), a firm should be able to show that in respect of its operational risk measurement system:
For the purpose of developing and reviewing its methodology for obtaining a soundness standard comparable to a 99.9% confidence level, a firm should consider whether any of the following are appropriate:
Where a firm is using scaling for the purposes of the operational risk measurement system, it should be able to show that the methodology used is robust and based on assumptions that are meaningful and credible.
Quantitative standards: internal data
- (1)
This rule sets out the quantitative standards that a firm's operational risk measurement system must meet with respect to internal data.
- (2)
A firm's internally generated operational risk measures must be based on a minimum historical observation period of five years. When a firm first moves to the advanced measurement approach, a three year historical observation period may be used.
- (3)
A firm must be able to map its historical internal loss data into the business lines defined in BIPRU 6.4.15 R and into the event type categories defined in BIPRU 6.5.25 R, and must be able to provide this data to the FSA3 upon request. Loss events which affect the entire firm may be allocated to an additional business line 'corporate items' due to exceptional circumstances.3 The firm must have documented, objective criteria for allocating losses to the specified business lines and event types. A firm's operational risk losses that are related to credit risk and have historically been included in the internal credit risk databases must be recorded in the operational risk databases and be separately identified. Such losses will not be subject to the ORCR, as long as they continue to be treated as credit risk for the purposes of calculating the capital resources requirement. Operational risk losses that are related to market risks must be included in the scope of the capital requirement for operational risk.
- (4)
A firm's internal loss data must be comprehensive in that it captures all material activities and exposures from all appropriate sub-systems and geographic locations. A firm must be able to demonstrate that any excluded activities or exposures, both individually and in combination, would not have a material impact on the overall risk estimates. A firm must define appropriate minimum loss thresholds for internal loss data collection.
- (5)
Aside from information on gross loss amounts, a firm must collect information about the date of the event, any recoveries of gross loss amounts, as well as some descriptive information about the drivers or causes of the loss event.
- (6)
A firm must have specific criteria for assigning loss data arising from an event in a centralised function or an activity that spans more than one business line, as well as from related events over time.
- (7)
A firm must have documented procedures for assessing the ongoing relevance of historical loss data, including those situations in which judgement overrides, scaling or other adjustments may be used, to what extent they may be used and who is authorised to make such decisions.
[Note: BCD Annex X Part 3 points 13 to 18]
Quantitative standards: external data
- (1)
This rule sets out the quantitative standards that a firm's operational risk measurement system must meet with respect to external data.
- (2)
A firm's operational risk measurement system must use relevant external data, especially when there is reason to believe that the firm is exposed to infrequent, yet potentially severe, losses. A firm must have a systematic process for determining the situations for which external data should be used and the methodologies used to incorporate the data in its measurement system. The conditions and practices for external data use should be regularly reviewed, documented and subject to periodic independent review.
[Note: BCD Annex X Part 3 point 19]
Quantitative standards: scenario analysis
- (1)
This rule sets out the quantitative standards that a firm's operational risk measurement system must meet with respect to scenario analysis.
- (2)
A firm must use scenario analysis of expert opinion in conjunction with external data to evaluate its exposure to high severity events. Over time, such assessments must be validated and re-assessed through comparison to actual loss experience to ensure their reasonableness.
[Note: BCD Annex X Part 3 point 20]
Quantitative standards: business environment and internal control factors
- (1)
This rule sets out the quantitative standards that a firm's operational risk measurement system must meet with respect to business environment and internal control factors.
- (2)
A firm's firm-wide risk assessment methodology must capture key business environment and internal control factors that can change its operational risk profile.
- (3)
A firm must be able to justify the choice of each factor as a meaningful driver of risk, based on experience and involving the expert judgment of the affected business areas.
- (4)
The sensitivity of risk estimates to changes in the factors and the relative weighting of the various factors must be well reasoned. In addition to capturing changes in risk due to improvements in risk controls, the framework must also capture potential increases in risk due to greater complexity of activities or increased business volume.
- (5)
A firm must document this framework and make it subject to independent review within the firm and make it available for review by supervisors.
- (6)
Over time, a firm must validate and re-assess the process and the outcomes through comparison to actual internal loss experience and relevant external data.
[Note: BCD Annex X Part 3 points 21 to 24]
Loss event type classification
Table: Loss event type classification
This table belongs to BIPRU 6.5.21 R (3).
Event-Type Category |
Definition |
Internal fraud |
Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/ discrimination events, which involves at least one internal party |
External fraud |
Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party |
Employee Practices and Workplace Safety |
Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity/discrimination events |
Clients, Products & Business Practices |
Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product |
Damage to Physical Assets |
Losses arising from loss or damage to physical assets from natural disaster or other events |
Business disruption and system failures |
Losses arising from disruption of business or system failures |
Execution, Delivery & Process Management |
Losses from failed transaction processing or process management, from relations with trade counterparties and vendors |
[Note: BCD Annex X Part 5 Table 3]
Impact of insurance and risk transfer mechanisms
- (1)
A firm may recognise the impact of insurance for the purposes of its operational risk measurement system subject to the conditions set out in this rule and BIPRU 6.5.27 R.
- (2)
The provider must be authorised to provide insurance or re-insurance.
- (3)
The provider must have a minimum claims paying ability rating by an eligible ECAI associated with credit quality step 3 or above under the rules for the risk weighting of exposures to firms under the standardised approach to credit risk .
[Note: BCD Annex X Part 3 points 25 to 26]
- (1)
A firm must ensure that its insurance and its insurance framework meet the conditions in this rule.
- (2)
The insurance policy must have an1 initial term of no less than one year. For policies with a residual term of less than one year the firm must make appropriate haircuts to reflect the declining residual term of the policy, up to a full 100% haircut for policies with a residual term of 90 days or less.
- (3)
The insurance policy must have a minimum notice period for cancellation of the contract of 90 days.
- (4)
The insurance policy must contain no exclusions or limitations based upon supervisory actions or, in the case of a failed firm, that preclude the firm, its receiver or liquidator from recovering for damages suffered or expenses incurred by the firm, except in respect of events occurring after the initiation of receivership or liquidation proceedings in respect of the firm. The insurance policy may exclude coverage for any fine, penalty or punitive damages resulting from actions by a competent authority or third country competent authority.
- (5)
The risk mitigation calculations must reflect the insurance coverage in a manner that is transparent in its relationship to, and consistent with, the actual likelihood and impact of loss used in the overall determination of the ORCR.
- (6)
The insurance must be provided by a third party entity. In the case of insurance through captives and affiliates, the exposure must be laid off to an independent third party entity, for example through reinsurance that meets the eligibility criteria.
- (7)
The framework for recognising insurance must be well reasoned and documented.
- (8)
The methodology for recognising insurance must capture the following elements through discounts or haircuts in the amount of insurance recognition:
- (9)
The capital alleviation arising from the recognition of insurances and other risk transfer mechanisms3 must not exceed 20% of the capital requirement before the recognition of risk mitigation techniques.
[Note: BCD Annex X Part 3 points 27 to 29]
For the purposes of BIPRU 6.5.27 R (7), a firm should be able to demonstrate that the mitigating effect of the insurance is appropriate and relevant to the firm's business.
For the purposes of BIPRU 6.5.27 R (9), a firm should be able to set out clearly how it made its assessment of the appropriate level of capital alleviation, including any assumptions made by the firm and how the insurances and other risk transfer mechanisms have 3been factored into the firm's risk measurement system.
A firm may recognise a risk transfer mechanism other than insurance to the extent that a noticeable risk mitigating effect is achieved and the risk transfer mechanism is included in the firm's AMA permission.
4A firm that recognises the impact of insurance and operational risk mitigation techniques for the purposes of its operational risk measurement system should be able to show that it has considered the Commission of European Banking Supervisors' guidelines on operational risk mitigation techniques published in December 2009. This can be found at http://www.c-ebs.org/documents/Publications/Standards---Guidelines/2009/Operational-risk-mitigation-techniques/Guidelines.aspx.
Use of an advanced measurement approach on a groupwide basis
Where an EEA parent institution and its subsidiary undertakings or an EEA parent financial holding company and its subsidiary undertakings use an advanced measurement approach on a unified basis for the parent undertaking and its subsidiary undertakings, the qualifying criteria set out in BIPRU 6.5 may be met by the parent undertaking and its subsidiary undertakings considered together where permitted by the AMA permission.
[Note: BCD Article 105(4)]
Where the AMA is used on a unified basis for the parent undertaking and its subsidiary undertakings, and approval and reporting of the AMA are carried out at the group level, the qualifying criteria in BIPRU 6.5 may be met if:
- (1)
the subsidiary undertakings have delegated to the governing body or designated committee of the EEA parent institution or EEA parent financial holding company responsibility for approval of the AMA;
- (2)
the governing body or designated committee of the EEA parent institution or EEA parent financial holding company approves either: