Let’s start with a hypothesis: if we become more operationally resilient, we could reduce the Operational Risk capital we hold against our risks, freeing up funds to invest in growth initiatives.
To test this, we need to understand the regulatory position. The PRA’s Operational Resilience policy (SS1/21) does not have an associated capital requirement. As such, it does not affect the PRA’s approach to operational risk capital policy or add additional considerations for firms when they make capital calculations [3]. That said, we have found that many organisations are still asking about the relationship between Operational Resilience and Pillar 2A, so we explore the rationale and modelling in a bit more detail below.
What do we need to know and understand?
Under SS31/15 [4], firms are required to hold capital to act as a buffer in the event of loss. Pillar 2A requires banks to hold extra prudential capital over and above the Pillar 1 amounts held for credit, market and operational risk, for instance against concentration risk, counterparty risk and interest rate risk in the banking book. The PRA undertakes an overall assessment of a firm’s operational risk informed by, amongst other factors, historical losses, a firm’s Internal Capital Adequacy Assessment Process (ICAAP) and conduct and non-conduct loss estimates. From that overall assessment, supervisory judgement is used to determine a firm-specific operational risk capital requirement. Thus, the overall capital holding assessment includes the PRA buffer (Pillar 2B) and the firm’s Internal Capital Guidance (ICG) (Pillar 2A). Pillar 2A is our target scope since this is risk-sensitive and based on an assessment of a firm’s own risk-weighted assets plus fixed add-ons.
So, we have a target scope: what’s the relationship with resilience?
Operational Resilience (SS1/21) is a regulatory framework designed to minimise operational losses and other impacts such as harm, market stability and the firm’s own safety and soundness through the use of preventative and responsive techniques that enable firms to anticipate, withstand and more quickly recover from planned and unexpected shocks. Over time, we should see that Operational Resilience is reducing the residual risk in our operational environment and reducing the impact of incidents through the delivery of services that are less likely to experience prolonged or severe disruption. Done well, net operational losses should be smaller because liability, staff, relocation, compliance, customer redress, communications and advisory costs should all be lower than had we not introduced resilience measures in the first place. With this in mind, would it be possible to make a case for reducing the capital amount held for operational losses under Pillar 2A, if it could be proven that resilience controls are reducing our risks?
We’d need to model it. Can we do that?
Theoretically, yes, and our teams have developed models that could do exactly this as part of our Operational Risk Capital engine, Capital Clarity [5]. However, we would need to accept a large number of assumptions and limitations. For example:
1. The ability to prove that the OR capital we hold does indeed correlate to the same risks that OpRes controls are designed to address;
2. The ability to reverse engineer Important Business Services (IBS) into our historical data to understand what our operational losses looked like in the past and whether these are greater or less than future loss events;
3. Related to (2), good quality data relating to the performance of our IBS over a prolonged period of time;
4. The ability to accurately model external costs of operational loss including inflationary influences on customer redress, staff, communication and advisory costs specifically as these relate to the portion of recovery activity that involves an IBS. This is a common problem for Operational Risk and so not insurmountable but an additional limitation to consider;
5. Confidence in the level and quality of mapping undertaken such that assets that have not been on the critical path of an IBS present no risk to operational loss.
Given that, for the most part, much of this IBS data is only now becoming available, we don’t believe that many firms would be in a position to make the case for reducing their OR capital holding by citing improved operational resilience, even if the regulators factored this into the holding.
So, what can we say?
What we can say with a greater degree of confidence is that quantification of operational loss following major incidents is an increasing trend. We have seen that under DORA, the EU ESAs are now encouraging firms (though this is not binding) to estimate the aggregated annual costs and losses caused by major ICT-related incidents [6]. We think that this is a prudent step to follow for all incidents (not just ICT) and can help resilience professionals to quantify their funding requests and remediation spend. We can also say that firms that do not do Operational Resilience, or that do not do it well, can expect to see greater net operational losses and may even see the OR capital allocation increased. For this reason, Operational Resilience teams must be involved in a firm’s ICAAP scenario planning and testing activities to help build a comprehensive picture of risk exposure and to explore and validate contingencies.