Beyond the blueprint

The pace of evolution of operational risk measurement and management in the Asia-Pacific region is uneven at best. Advanced measurement approach (AMA) initiatives have stalled at many domestic banks, while international banks seem to be ramping up their implementation programmes. Moreover, both domestic and international institutions are focusing more on management of specific risks, with one regulator publishing papers on strategic and reputational risk, and others stepping up corporate governance reform.

Overall, progress around implementing the Basel II operational risk framework in the region is slow. Initially, many Asia-Pacific countries committed to implementing the operational risk advanced approaches by the global Basel II deadline of January 1, 2008, including Australia, Japan, Singapore and South Korea.

Some have met the deadline: Australia has unveiled which of its institutions' AMA frameworks have been accepted, and South Korea's top institutions have all implemented AMA models. Most other countries in the region have either delayed their Basel II implementation deadline to 2010 or beyond, or have backed off from requiring implementation of the AMA by firms planning to take the advanced credit risk approaches.

The delays stem from a variety of factors. To begin with, most local regulators are overstretched and understaffed, so they have chosen to focus their supervisory energies on implementing the advanced credit risk approaches under Basel II. The hope is that this will avoid a repeat of the Asian financial crisis that struck with such force in the late 1990s.

Domestic financial institutions are suffering from some of the same problems - it is becoming difficult to hire and retain risk management talent, in part because of the region's continuing economic boom. So they, too, are focusing budgets and energies on credit risk in the hope of avoiding another crisis.

Regulators are also asking firms to focus on market risk, as most are only taking the basic market risk approach and supervisors would like to see them undertaking the more advanced approach, again to avoid potential systemic risk.

The lack of urgency among regulators is causing concern among domestic operational risk professionals that have already gone some way towards implementing frameworks. One says: "I'm worried that if the regulators don't push, firms will take a very compliance-based approach to operational risk. We'll wind up being quasi-auditors."

Meanwile, large international financial services firms are ramping up in the region. Wealth management, private equity, structured products and other business lines continue to expand, even as the US and UK slide into recession. One wealth management executive says his bank now has more wealth management employees in Asia than in its continental European headquarters.

As a result, financial institutions are starting to transfer experienced operational risk staff into the region to implement the operational risk framework - often the AMA - developed at their headquarters. So whereas the region's operational risk community was previously dominated by domestic banks that have been bootstrapping modified AMA platforms or the standardised approach, now a growing number of experienced op risk executives are rolling out AMA programmes.

These executives face different challenges - often they are being asked to roll out something that might not fit the needs of the business lines in the Asia-Pacific region. One op risk executive working for an international bank in the region says: "We face a real challenge: rolling out an operational risk programme that is driven out of a central hub. The practitioners on the ground do not have the ability to cater to the local conditions and culture."

Even more distressingly, many of those executives say business lines in Asia have little appetite for participation in an op risk platform. Business lines in Asia, say these executives, are used to a lower level of control from their US or European bosses and like it that way. They see any attempt to impose a control framework as an unwarranted intrusion that prevents them getting the business done.

This leaves the executives in a tight spot - many are at dealers in the process of hiring hundreds or thousands of employees in the region to work in booming business lines. When the op risk executives are asked which risks they are most concerned about, a constant refrain is that front offices are growing far more quickly than their back office infrastructure can keep up with. Banks are having a difficult time finding and retaining experienced operations talent in many areas, including derivatives processing. Domestic banks that are also participating in this boom are experiencing the same problems. Many risk executives say these problems, if not addressed shortly, could have significant negative implications in the future.

Asia-Pacific growth has spurred one regulator to draft a new chapter on strategic risk management for its supervisory policy manual. The Hong Kong Monetary Authority (HKMA) has chosen a unique operational risk path in Asia: it is not allowing firms to implement the AMA, instead asking them to implement either the basic indicator or standardised approach.

Individual issues

But the regulator is also focusing on individual op risk management issues - anti-money laundering and business continuity were targets in 2007. Now, for 2008, the regulator has published the chapter on strategic risk management and plans to publish a similar chapter on reputational risk management early this year.

The supervisory policy manual chapter defines strategic risk as "the risk of current or prospective impact on an authorised institution's earnings, capital, reputation or standing arising from changes in the environment the authorised institution operates in and from adverse strategic decisions, improper implementation of decisions, or lack of responsiveness to industry, economic or technological changes". The definition goes on to say it is a function of the compatibility of the firm's strategic goals, the strategies developed to achieve those goals, the resources deployed to meet those goals, and the quality of implementation.

Simon Topping - at the time of writing an HKMA executive director in Hong Kong, but who has now left the regulator - says the HKMA wants to see that banks have a planning process in place, with short-, medium- and long-term goals. The regulator expects firms to have the tools in place to create and execute a strategic plan. The paper on strategic risk management - 43 pages, including annexes - goes into substantial detail, covering the responsibilities of the board and of senior management, as well as the role of functional departments and risk management in implementing the strategic framework.

The reputational risk paper, meanwhile, will explore how financial institutions can reduce the number of events that affect their reputation, and how well they mitigate events that do occur, says Topping. "This is all about increasing governance in Asia," he adds.

Topping is not alone in his focus on corporate governance. Japan has introduced J-Sox, its own version of the US' Sarbanes-Oxley (Sox) legislation. And other jurisdictions, including China, are ramping up their corporate governance efforts (see Asia Risk, November 2007, page 36). Japan's deadline is April, and other countries have various deadlines scattered over the next 18 months in their own jurisdictions for similar initiatives.

Consultants say they are keen to help financial services organisations avoid some of the mistakes their US counterparts have made, by helping them combine risk and control self-assessments for Sox-style initiatives with those for risk management. Convergence is a theme already in full flow in the US and is expected to have growing prominence in 2008 in Asia.

China is also focusing on corporate governance and on implementing Basel II. The country has an ambitious regulatory agenda for the next few years and is insisting that its major banks implement Basel II's less sophisticated approaches by 2010 and the advanced approaches by 2013, says JR Reagan, global risk and compliance leader at management and technology consulting company BearingPoint in McLean, Virginia.

The China Banking Regulatory Commission published a flurry of regulatory documents in 2007 on Basel II and corporate governance, and more guidance is expected in 2008. As part of this push, state-owned banks must submit a report about their enterprise-wide risk management framework to regulators before the end of this year.

Hong Kong, Japan, Singapore and Taiwan form the second tier of countries in terms of the sophistication of their approach to operational risk, after the top tier of South Korea and Australia, with their AMA-approved banks.

BearingPoint's Reagan is optimistic about the outlook for operational risk in Asia, as a result of the growth of the financial services industry in the area. He says banks and regulators have recognised that they "can't afford to let Asian firms operate with a rudimentary operational risk framework any longer". Over the longer term, there might be more co-operation among the region's regulators regarding operational risk issues, adds Reagan.

Asean plans external loss database

After getting off to something of a slow start, Asia's external loss database consortium (LDC) industry is gathering momentum.

The Asean Banking Council - comprising banking association executives from the 10 Asean nations - agreed in November to establish an external loss database for member countries. This comes after the group did an extensive survey of member associations and banks to establish the appetite for this project during the first half of 2007.

Previous failures

Some member countries - most notably Singapore - have tried in the past to establish loss databases of their own, but to no avail. The number of domestic banks in any one country is too small to ensure anonymity of the data, and many of the international banks in those markets had other arrangements for their external loss data. Most of those international banks belong to the international loss database ORX, which had considered launching a 'stepping stone' database product to bring Asian countries into the fold. This plan didn't come off, apparently because of the amount Asian member banks would have had to pay.

Other factors have been an issue as well. "The slower introduction of specific regulation such as Basel II in the region, coupled with a lower level of interbank communication and co-operation" have delayed the creation of databases, says Mike Finlay, managing director of op risk consulting firm RiskBusiness in London. "Individual country cultures are also an issue, particularly the further east you go, where outward impression is a critical factor."

Patricia Jalleh, head of operational risk at United Overseas Bank in Singapore and head of the op risk subcommittee of the Association of Banks in Singapore, as well as head of the Asean database task force, is embarking on a roadshow among the Asean countries in January to explain how the database would work and drum up membership. Once they have a list of committed banks, the group will put out a request for proposal (RFP).

Jalleh says many banks in the Asia-Pacific region have shied away from the more advanced operational risk approaches because they lack data. She says she hopes the database will enable banks to begin to work on either the standardised or advanced measurement approaches.

The Indian Banking Association (IBA) is also moving to put a loss consortium database in place for its banks. The group issued a request for an expression of interest in mid-2007 to 16 companies, including ORX and RiskBusiness, the only two non-Indian firms.

The IBA then held an initial meeting with each company that responded and had planned to ask the shortlisted three to respond to a formal RFP. But the IBA has yet to issue its RFP, so plans to go live in early 2008 are likely to be subject to delay until the third quarter.

Specific to the region

"The nature of banking is different and specific to the region, which is also mainly dominated by large numbers of regional players, most of whom have no sizeable representation in the Americas or western Europe," says RiskBusiness' Finlay. "As a result, existing LDCs (loss database consortiums) do not provide much benefit to them, while a local or regional consortium will provide much more relevant data.

"Reporting-loss-value thresholds can also be lower and represent more typical loss amounts," adds Finlay. "The individual LDC can also adopt and use the language of their participants, rather than confining themselves to English."