Trojan horse rules by John Thirlwell, ORRF
Once upon a time it all seemed so reasonable. The BIS 2003 Sound practices for the management and supervision of operational risk paper was a model of excellent practical guidance. Here in the UK, the draft text of the Prudential Sourcebook , especially the section on high-level op risk systems and controls (known mysteriously as SYSC3A), was essentially guidance. It recognised that op risk was a new risk, not wholly understood, either as to its extent, or as to the essentials that would enable it to be both managed and assessed with any degree of certainty.
It is undoubtedly the softest of the risks regulators and firms have had to grapple with. And it is very different in its nature from the others. There is no inherent 'size' for the operational risk involved in any transaction. Importantly, it deals largely with those difficult things called people who, to the dismay of economists and managers, are not always rational, efficient, honest or competent. And when it is not dealing with people, it is often dealing with events outside our control, whether fire, flood and pestilence; or changes in the risk environment -- terrorism, climate change, the compensation culture; or competitors, either directly or, indirectly, through their incompetence or misbehaviour.
So, a very imprecise risk, treated in an imprecise way. That didn't impress risk purists, or even many CEOs, but it was realistic. The challenges of operational risk management reflect a need to distinguish between shades of grey, rather than rely on paradigms that might explain more scientific certainties or truths.
These philosophical musings were prompted by an announcement by the FSA that it would not apply SYSC3A to banks because of the EU's Markets in Financial Instruments Directive (MiFID) and the Capital Requirements Directive (CRD). They are both due to be implemented in 2006 and would be subject to consultation in 2005, ie, after SYSC3A, had it come into force as planned at the beginning of next year. The chilling bit is contained in a letter sent by the FSA to CEOs that states: "The MiFID requirements -- which we plan as far as possible simply to 'copy out' -- will take a different form, with harder, more rules-based systems and controls requirements."
There are two points here. The first is to ask: 'When will it ever be the right time to publish text on operational risk?' The CRD has not exactly sprung from nowhere, even if its timing may possibly have been in doubt, and in any case I'm not sure that it should significantly affect the guidance that was to be brought in in January. But more importantly, MiFID, like any directive or regulation relating to financial services will, inevitably, affect op risk. Which begs the question of whether the people who debate and negotiate these texts are aware of the needs and nuances of op risk. Or, just as importantly, whether op risk professionals (whether from industry or the regulators) were involved in looking at MiFID. I strongly suspect the answer to both questions is no.
They won't thank me for it, but just as they are involved in new product and other risk management discussions, it seems to me essential that op risk professionals are involved in these new legislative initiatives to make sure the realities of risk management are reflected in the texts that emerge, and to defend the principles of guidance wherever that is needed. If not, risk management will be at the mercy of regulators and compliance experts for whom a rules-based framework is meat and drink.
Which leads me to the second issue -- those simple words, 'copy out'. When they were first used, many months ago, it was in response to concerns that in the past the FSA had been notoriously 'super-equivalent', and the industry didn't want that to continue with Basel II or the CRD. It sounded like a happy solution. However, to misquote Virgil: "Timeo custodes dona ferentes" -- I fear regulators bearing gifts. Because to copy out a directive is to copy out a law. And laws aren't intended to be guidance, but to be rules, as is indicated by the quote from the FSA's letter. Finally, and perhaps of most concern, is the comment, also in the letter to CEOs, that the FSA believes "guidance should be used sparingly and only where it is both meaningful and clear."
It's perhaps understandable that in a world where the FSA is being dragged through the courts, whether by Legal & General or by individuals, that they would wish for certainty and have effectively said "enough's enough". Understandable, but sad.
Good regulation and supervision is about considering individual firms and considering the issues of management that they face. Responsibilities to the wider world mean much of this has to be rules-based. But op risk, that notoriously wide and amorphous mass, is about business and risk management, where as far as possible, flexibility through guidance rather than prescriptive rules must be maintained. Beware, risk managers -- the Trojan horse is at the gates. OpRisk
Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.
To access these options, along with all other subscription benefits, please contact info@risk.net or view our subscription options here: http://subscriptions.risk.net/subscribe
You are currently unable to print this content. Please contact info@risk.net to find out more.
You are currently unable to copy this content. Please contact info@risk.net to find out more.
Copyright Infopro Digital Limited. All rights reserved.
As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (point 2.4), printing is limited to a single copy.
If you would like to purchase additional rights please email info@risk.net
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (clause 2.4), an Authorised User may only make one copy of the materials for their own personal use. You must also comply with the restrictions in clause 2.5.
If you would like to purchase additional rights please email info@risk.net
More on Regulation
Critics warn against softening risk transfer rules for insurers
Proposal to cut capital for unfunded protection of loan books would create systemic risk, investors say
Barr defends easing of Basel III endgame proposal
Fed’s top regulator says he will stay and finish the package, is comfortable with capital impact
Bank of England to review UK clearing rules
Broader collateral set and greater margin transparency could be adopted from Emir 3.0, but not active accounts requirement
The wisdom of Oz? Why Australia is phasing out AT1s
Analysts think Australian banks will transition smoothly, but other countries unlikely to follow
EU trade repository matching disrupted by Emir overhaul
Some say problem affecting derivatives reporting has been resolved, but others find it persists
Barclays and HSBC opt for FRTB internal models
However, UK pair unlikely to chase approval in time for Basel III go-live in January 2026
Foreign banks want level playing field in US Basel III redraft
IHCs say capital charges for op risk and inter-affiliate trades out of line with US-based peers
CFTC’s Mersinger wants new rules for vertical silos
Republican commissioner shares Democrats’ concerns about combined FCMs and clearing houses