Banks Operational Risk Measurement in Practice

Swedish banks adaptation to the Basel II accord

Ted Lindblom* and Magnus Willesson **

Abstract
Since the implementation of Basel II in 2007, risk management in banks includes capital adequacy requirement also for operational risk. A banks exposure to risk may be evaluated based on three measurement approaches with different degree of sophistication. The aim of this paper is to evaluate Swedish banks adoption of regulatory risk measurement approaches over the first two years of Basel II. Particular interest is paid to the impact of the financial crisis and the proportion of capital held by the banks depending on how they measure exposure to operational risk as well as in relation to their exposure to credit and market risk. We find that most banks are using the default approaches provided by the regulatory body as it does not pay off to use a more sophisticated approach. The use of more advanced approaches depends primarily on the size of the bank, but also its ownership. Finally, there is strong relationship between the banks choice of operational risk approach and their regulatory approach used for measuring exposures to credit risk. (173 words)

School of Business, Economics and Law, University of Gothenburg, Box 610, 405 30 GTEBORG, Phone: +46 (0)31 786 1497 (office), Fax: +46 (0)31 786 4492, e-mail: ted.lindblom@handels.gu.se. ** (Corresponding author), School of Management and Economics, Vxj University, 351 95 VXJ, Phone: +46 (0)470-708842(office); +46 (0)733-107980 (mobile), e-mail: magnus.willesson@vxu.se.

Acknowledgements: The authors wish to thank the Swedish Financial Supervisory Authority for providing data on Swedish banks compliance with the Basel II accord, and the Jan Wallander and Tom Hedelius Foundation for financial support.

Introduction
Operational risk management in banks has been increasingly emphasized in the past decade. Big financial scandals, frauds and information technology system failures are important drivers for the greater attention both inside and outside banking institutions to their exposures to and internal handling of such risk. The exposure to different kinds of operational risk is nothing new for the individual bank, but as Moosa (2007:167) stresses; The trend towards greater dependence on technology, more intensive competition, and globalization have left the corporate world more exposed to operational risk than ever before. For a bank the occurrence of an extreme and major one-off event in its daily operations may even be more damaging than its credit losses in connection to the current collapse of the financial markets. However, the ability of the bank to properly assess and control, or hedge itself against, the negative economic consequences of such events seems to be less developed than its management of credit and market risks (Flores, Bnson-Ponte & Escobar-Rodrguez 2006; Wold 2006; Moosa 2007; Bonsn, Escobar & Flores 2008; Wahlstrm 2009). Banks assessment of risk exposures is also a concern of financial authorities. Traditionally, the focus has been on the banks balance sheet and their capability of absorbing unexpected losses due to high exposures to credit risk. The recent introduction of the Basel II accord may be regarded as a regulatory attempt to encourage improvements that sharpen the risk management in banks, but also to mitigate regulatory arbitrage (Aparicio & Keskiner 2004; Calem & LaCourLittle 2004; Lastra 2004). Under the first Basel accord all banks had to comply with a rather broad and arbitrary regulation of their credit (and later also market) risks in accordance with a one size fits all approach (Avery & Berger 1991; Jones 2000). In Basel I, no distinction was made between different banks with respect to their size and internal risk management. The main focus was on classifying assets into one of four risk categories; each one with a different capital adequacy requirement. As long as the assets belonged to the same risk category an asset of a small bank with an ordinary risk management system was given the same risk weight as an asset of a large bank that had developed and adopted a far more sophisticated approach for assessing and controlling its risk exposures. Under Basel II there is an opportunity for the latter bank to be rewarded for having greater knowledge and better internal understanding of the magnitude of its
1

risk exposures and how its asset portfolio should be appropriately managed to avoid severe losses. The bank may seek and get the permission to use its sophisticated internal risk model(s) in order to reduce its capital adequacy requirement to a level where regulatory capital corresponds to economic capital. However, there is no guarantee that a bank with well developed principles and procedures for identifying, measuring and controlling its exposures to credit and market risks will actually have to set aside less regulatory capital than under the previous regulatory framework. The implementation of Basel II in 2007 did not only bring about more rigorous and accurate assessments of balance sheet related risks. The new regulatory framework also includes a capital adequacy requirement for operational risk. According to the regulatory statutes, a banks exposure to operational risk may be evaluated based on three measurement approaches; each with a different degree of sophistication. Two of the approaches are relying on the banks gross income as the relevant operational risk exposure indicator. These are the Basic Indicator Approach (BIA), which is the default approach, and the Standardized Approach (SA). Unlike BIA, SA takes the distribution of a banks gross income over its various business lines into consideration. This makes it slightly more sophisticated from a risk perspective, but SA is still a seemingly poor measurement approach for assessing the true operational risk taking of the bank. For this, the bank has to develop its own internal risk evaluation model in accordance with the third measurement approachthe Advanced Measurement Approach (AMA). Lindblom, Olsson & Willesson (2008) find that most banks in Sweden adopted the highly unsophisticated BIA when Basel II was implemented. No bank was using its own internal risk evaluation model for calculating the regulatory capital required to cover its exposure to operational risk. The obvious reason was that AMA was not an option offered by the regulatory body during the implementation year, but it is questionable whether too many of the banks would have chosen AMA anyhow as most of them appeared to be in a learning process. During the implementation year the number of banks adopting SA was steadily increasing from one quarter to the next. As all Swedish banks either did use BIA or SA in 2007, we cannot claim that Swedish banks were particularly sophisticated in their operational risk managementat least not what regards
2

the determination of regulatory capital needed to comply with the new Basel accord. On the other hand, representatives for the banks were generally affirmative to the inclusion of exposures to operational risk in the regulatory framework (cf. Wahlstrm 2009, who reports a similar response from respondents in his pre-study from 2004). Due to Basel II the importance of identifying and measuring operational risk exposure was being realized even in small and medium-sized banks. The new regulation stimulated them to recognize such exposures internally and to improve their current often poorly developed routines and measurement methods in the area of operational risk management.

Even if the adoption of more sophisticated regulatory risk measurement approaches is giving the banks an option to set aside less capital for covering risk exposures (Moosa 2008), this kind of incentive did not seem to matter much for Swedish banks. Just as they did hold much more capital than required by the regulation the last years under the first Basel accord (Lindblom & Olsson 2007), a majority of the banks did that also in 2007 despite the widening of the risk concept to also cover operational risk. For most banks the determination of regulatory capital was not a major concern. They had been able to generate a more than satisfactory profit for a number of years. Whether their concern about capital adequacy requirements is still a minor issue is however doubtful and remains to be examined. The financial crisis that markets worldwide have been experiencing since the early autumn of 2008 has not left the Swedish banking sector unaffected. On the contrary, three of the four dominant commercial banks in Sweden have already issued new equity in order to prepare themselves for an expected dramatic increase in credit losses2. Moreover, through the Swedish national debt office (Riksglden), the Swedish government has also established an extraordinary Bank guarantee programme in order to; facilitate borrowing by banks and mortgage institutions and reduce their borrowing costs during the prevailing global financial crisis (Riksglden 2009). With respect to the financial crisis and that cyclical factors are crucial for banks exposures to operational risk (Allen & Bali 2007), the question is not whether but how the banks are developing their measurement of regulatory capital for operational risk in times of recession. Do they continue to follow the learning trend that has been observed in previous studies? What is the relationship, in terms of degree of sophistication, between the risk measurement approaches adopted within the banks for
2

One of the banks had the issuing of new shares in December 2008, one in March 2009 and one in April 2009.

determining regulatory capital to cover credit risks, market risks and operational risks, respectively? Is the banks adoption of more sophisticated approaches to risk measurement in these areas converging or not? What role does the size and the type of bank play for a banks adoption of a certain operational risk measurement approach? The aim of this paper is to evaluate Swedish banks adoption of regulatory risk measurement approaches over the first two years of Basel II. Particular interest is paid to their measurement of operational risk exposures and their regulatory capital held to cover exposures to operational risk in relation to the capital set aside for credit and market risks.

The remaining part of the paper is divided into three sections. In the following section, we briefly describe the banking sector in Sweden and the data we will use in the analysis. Thereafter, we examine the banks choice of regulatory approach for determining the capital to be held with respect to operational, credit and market risk exposures. We then conduct a more in-depth analysis of the banks risk management strategies with the emphasis on reasons behind their choice of risk measurement approach and the impact of bank characteristics. Comparisons are made between sophistication degree and the proportion of regulatory capital required for covering exposures to operational risk and credit and market risks, respectively. In the final section, we make conclusions and discuss practical implications of our findings.

Data
All banks under Swedish supervision must comply with the new Basel accord.3 They are required to report their risk exposures and the regulatory capital they are holding for covering these exposures to the Swedish Financial Supervisory Authority four times a year in accordance with the document Capital Adequacy and Large Exposures4. Our analysis is based on the banks quarterly reporting of such data during 2007 and 2008. This means that we have access to capital adequacy data for eight quarters covering about one and a half years of good economic conditions (the first six quarters) and half a year of recession (the last two quarters).

3 4

Foreign banks branches are excluded. FFFS (2007:1) and FFFS (2008:13).

Table 1 provides an overview of the banking industry in Sweden, also including foreign banks subsidiaries, by the end of 2007 and 2008.

Table 1 The Swedish banking industry at the end of 2007 and 2008. Year Type of bank
Commercial banks
(of which the big four)

2007
N 28 4 27 65 2 126 99 6,083,237 Total asset (Msek) 5,182,955
(4,849,616)

2008
N 30 4 29 53 2 118 89 7,469,394 Total assets (Msek) 6,435,040
(6,077,804)

Foreign commercial banks Foreign banks' subsidiaries Independent savings banks (ISBs) Cooperative banks TOTAL Of which under Swedish supervision

* 754,033 146,249

* 878,901 155,453

* Total assets for foreign commercial banks are included in the commercial banks total assets. Sources: Svenska Bankfreningen (2008;2009) and SCB (Statistics Sweden).

As is shown in Table 1, the commercial banks stand for more than 85 per cent of the Swedish banking market in terms of asset size. Four of these banks (the big four) dominate the market with a capitalization of over 80 per cent. The market is also characterized by a relatively large number of small independent savings banks (ISBs). In both years more than every second bank under Swedish bank supervision was an ISB. The majority of these banks are traditional savings banks, but thirteen of the banks have recently converted association form into a limited company, which is fully or partly owned by a trust foundation. By definition they are now commercial banks. Six of them are partly owned by Swedbank, which is one of the big four.

In total 103 banks are included in the data set, but the number of banks varies between different quarters from 87 to 102 banks. This variation is due to market consolidation through M&As, new bank charters and the close down of old banks. The significant difference in the number of banks that reported in the fourth quarter of 2007 and the first quarter of 2008 is mainly explained by two big mergers that in total concern ten small savings banks.5 Although these mergers explain almost the entire drop in terms of number of banks in the first quarter of 2008, the two new banks
5

There were also two acquisitions of banks which reduce the number of banks by two banks in the first quarter of 2008. One new bank was also registered in the first quarter of 2008.

that these mergers gave rise to do not show up in the data until the second quarter and the fourth quarter, respectively. Hence, in reality there should be two additional observations in the first quarter of 2008 and one more in the second and third quarters of 2008, where data is not provided. This also means that the number of active banks did not change during 2008, even though the number of analyzed banks changes.

Regulatory approaches adopted by Swedish banks for measuring risk exposures

From the compliance reports it is possible to distinguish which regulatory approach each bank has chosen for measuring its exposures to credit, market and operational risks, respectively. The minimum capital required for covering these exposures as well as the capital held by the bank are also discernable. This makes it possible to compare the banks exposure to the different risks and how much capital they set aside to cover their risk exposures. Table 2 shows the banks choice of operational risk measurement approach in each quarter of 2007 and 2008. Table 2 Swedish banks adoption of operational risk measurement approaches in 2007-2008 Regulatory approach BIA SA AMA N/A Total (N) 2007 Q1
76 10 15 101

Q2
76 15 11 102

Q3
76 16 8 100

Q4
78 17 3 98

Q1
68 18 1 87

2008 Q2 Q3
69 18 1 88 69 18 1 88

Q4
69 19 1 89

Over time the banks seem to have developed their use of risk assessment methods. At the beginning of 2007 the banks did to a large extent report that they used the default approach (BIA) before SA. Quite many banks had not even adopted any measurement approach at all. At the end of the year the majority of these banks appear to have chosen to report in accordance with SA, but so did also a few banks that initially used BIA. However, the substantial drop in the use of BIA at the beginning of 2008 is primarily explained by the two major mergers of ISBs. With the exception of one bank that in the second quarter of 2008 switched from BIA directly to an internal risk measurement method in accordance with AMA, the banks appear to hold on to the
6

approach chosen. Since then all the banks have fully adapted to the Basel II regulation framework by reporting their operational risk exposure in accordance with one of the available regulatory approaches. Even if the adoption of other approaches than the default approach has doubled from 10 to 20 over the two years, it is only one bank that has yet chosen to use an internal risk model. This indicates a relatively low level of sophistication in the banks operational risk assessment and lends no further support to the interpretation of Lindblom et al (2008) that the banks are in a continuing learning process towards the use of more advanced methods in their assessment of operational risk exposures. The apparent slowdown of the learning process is unexpected with respect to the vital importance that was given the assessment of risk exposures by bank managers (cf. Wahlstrm 2009), but also with respect to the financial crisis as more sophisticated approaches are generally expected to result in a lower capital adequacy requirement.

As is evident in Tables 3 and 4, the banks were not changing their choice of regulatory approaches for measuring credit and market risk exposures to any great extent either. Most banks were only using the standardized approach (SA) provided by Basel II and with a very few exceptions the regulatory approach first chosen by the bank has been kept. Rather interesting, though, the banks adoption of a regulatory approach for measuring credit and market risk exposures was even slower than their adoption of operational risk measurement approach. Quite a large share of the banks was not reporting on their credit and market risk exposures at all at the beginning of 2007. Table 3 Swedish banks adoption of credit risk measurement approaches in 2007-2008 Regulatory approach SA IRB N/A Total (N) 2007 Q1
64 10 27 101

Q2
64 11 27 102

Q3
66 11 23 100

Q4
70 11 17 98

Q1
75 11 1 87

2008 Q2 Q3
77 11 88 77 11 88

Q4
78 11 89

All the banks that did not choose a credit risk measurement approach from the beginning seem to later on have adopted the default approach, SA. The use of the more sophisticated Internal Ratings Based Approach (IRB) has been rather stable over the years. There are two variants of
7

IRB; the bank may either use the foundation approach, where the determination of regulatory capital is based on probability of default (PD) and loss given default (LGL) values given by the supervisory authority, or the advanced approach, where these values are derived within the bank itself from data collected and examined internally. Given the data we have access to it is not possible to distinguish if the sophistication level differs between the banks that are using the IRB approach. Hence, no distinction between these banks is made in Table 3. However, according to findings in previous studies (like Lindblom & Olsson 2007) only the largest banks are interested in and also capable of using their own internal risk measurement model in this context. As three banks are estimating their market risk exposure with an advanced Value at Risk (VaR) model (see Table 4), it seems reasonable to assume that these three banks are more sophisticated in their use of the IRB approach. Table 4 Swedish banks adoption of market risk measurement approaches in 2007-2008 Regulatory approach SA VaR N/A Total (N) 2007 Q1
21 3 77 101

2008 Q3
17 3 80 100

Q2
19 3 80 102

Q4
18 3 77 98

Q1
20 3 64 87

Q2
21 3 64 88

Q3
19 3 66 88

Q4
22 3 64 89

Table 4 shows that most of the banks that did report their market risk exposure to the supervisory authority were using the standardized approach (SA), i.e. the default regulatory approach. However, it is also clear that the majority of all the banks were not measuring this exposure. This is probably due to that small and medium-sized banks (like most of the ISBs) are not generally exposed to such risk. They are mainly in the retailing business. 6 As for credit risk measurement, there seems to have been only a marginal change of the banks use of measurement approach. The approach chosen by a bank at the beginning of 2007 is generally also the one used at the end of 2008.

Most of the ISBs are, for example, using Swedbank to be able to provide services to their customers that might otherwise expose them to market risks.

Our review of the Swedish banks use of regulatory approaches for measuring and reporting their exposures to operational, credit and market risks gives rise to the question why so few banks have adopted advanced internal risk assessment methods. This question is particularly relevant for the measurement of credit and market risk exposures. It is no news that it can be a real challenge for an individual bank to measure its exposure to operational risk. A most critical issue is that operational risk is largely seen as a residual risk and therefore difficult to define and identify (cf. Lindblom et al 2008). The operational risk exposures of most regulatory concern are the banks exposures to low-frequency but high-severity risk events. The main focus should therefore be on the distribution tail rather than on the distribution of the most frequent losses (Wei 2007; Moosa 2008).

Shortage of data, the context dependent nature of operational risk and the lack of a strongly risksensitive exposure indicator in risk models are aspects that affect the implementation of advanced measurement approaches (Moosa 2008). On the other hand, Neil, Hger & Andersen (2009) report a potential reduction of regulatory capital required to cover operational risk exposure by as much as 20-40 per cent when using an internal risk measurement model in accordance with AMA instead of using BIA and SA. According to our review, this is recognized only by one of the Swedish banks.

The bank that is using AMA is one of the big four banks. A tentative conclusion drawn by Lindblom et al (2008) is that the choice of regulatory approach is size dependent. This is further manifested by Bonsn et al (2008). They link the choice of regulatory approach to the banks information system and find that more than half of the 54 listed banks included in the Dow Jones Eurostoxx index were considering the adoption of an internal risk measurement model in accordance with AMA. This leads to the conclusion that size is an important factor for this decision. Larger banks are likely to invest more heavily in information technology and information systems. Also Wei (2007) recognizes the size effect, but he finds methodological issues in the statistics as even more decisive for the choice of regulatory approach. Moosa (2008) goes a step further when he argues that there is not necessarily a relationship between the size of a bank and improvements of risk management systems. This does not mean that size does not matter. All the other three big Swedish banks were using SA and not BIA. Moreover, managers
9

within two of these banks acknowledge that their bank has either the capability or the ambition to change to AMA later on (Jarl & Wigren 2009). However, the size of the bank does not seem to be the only explanation for why a certain approach is used. It does, for example, not give an answer to why a number of small banks have also adopted SA.

Reasons behind the choice of regulatory approach for measuring operational risk
In their study Bonsn et al (2008) did also test the impact of country origin and balance sheet intangibles. These factors were expected to be positively correlated with a banks need of having an advanced information system, but the authors failed to find any significant effect for either factor. Another explanatory factor is emphasized in Table 5. It displays the relationship between the banks choice of regulatory approach for measuring exposures to credit risk and their adoption of operational risk measurement approach. Credit risk exposure is by far the most common risk exposure in banking and the regulatory capital set aside to cover this exposure is many times larger than the capital held for any other risk exposure (see Table 8). This ought to make the choice of regulatory approach vital for the bank and gives it incentives to invest in improvements of the information system. Hence, it seems reasonable to control for if this spills over on their measurement of operational risks.

Table 5 The relationship between the choice of regulatory approach for measuring credit risk and operational risk Regulatory approach Credit risk Operational risk Q1
1 1 1 4 4 4 60 1 15 10 101

2007 Q2
2 1 8 5 59

2008 Q4
2 1 8 5 65 2 12 3 98

Q3
2 1 8 6 60

Q1
2 1 8 8 67

Q2
1 2

Q3
1 2

Q4
1 2

AMA SA IRB (advanced) BIA N/A SA IRB N/A SA SA BIA N/A SA N/A BIA N/A

8 8 69

8 8 69

8 9 69

TOTAL (N)

16 11 102

15 8 100 10

86

88

88

89

In Table 5 it is assumed that those three banks that have adopted VaR for measuring market risk exposure are more sophisticated than other banks in their use of the internal ratings based approach when determining the regulatory capital required for covering their credit risk exposure. These banks are classified as IRB (advanced) users. The table strongly indicates that the banks credit measurement approach has an impact on their adoption of regulatory approach for measuring their exposures to operational risk. All banks that are using IRB, regardless of whether they are using VaR for measuring market risk exposure, had at least adopted SA by the end of 2008. It should be noted that the bank that initially used BIA, was planning to use its own internal risk model for measuring operational risk exposure as soon as it was sanctioned by the supervisory authority. The bank did report in accordance to AMA at the second quarter of 2008 and thereafter. The two other banks that we have assumed are using being advanced IRB users, almost immediately adopted SA for measuring operational risk exposure and according to their representatives (Jarl & Wigren 2009) both banks may very well change to AMA rather soon. A majority of the banks that were using the default approach (SA) for measuring credit risk exposure, stick to the default approach (BIA) also for assessing operational risk exposure.

The apparent relationship between the choice of credit risk and operational risk measurement approach does not imply that the size of the bank does not matter for the choice of regulatory approach. Considering that also ISBs are using the IRB foundation approach (Lindblom & Olsson 2007), it just indicates that also other factors might matter. A clear indication of the importance of size is given by the fact that almost 80 per cent (51 banks) of those 64 banks displayed in Table 4 that did not report on their market risk exposure the fourth quarter of 2008, were using the default approach both for measuring their exposures to credit risk and operational risk.

With reference to the principal agency theory, we check whether ownership structure has an impact on the banks adoption of regulatory risk measurement approaches. As most of the banks are ISBs with no owners and we have access to the owner concentration of only a few commercial banks, we have chosen to categorize the banks with respect to their association form. In Table 6, the banks are therefore divided into commercial banks, ISBs and cooperative banks.

11

Table 6 Operational risk measurement with respect to association form in 2008 Association form
Commercial banks ISBs Cooperative banks

Regulatory approach
AMA SA BIA SA BIA BIA

2008 Q1
12 20 6 46 2

Q2
1 13 19 5 48 2

Q3
1 13 19 5 48 2

Q4
1 13 20 6 47 2

Table 6 shows that the default approach for measuring operational risk exposure (BIA) is used by the majority of the banks in each association form category. It is used by both the cooperative banks and by almost 90 per cent of the ISBs. Even though 35-40 per cent of the commercial banks are using the somewhat more sophisticated SA or the internal based AMA, it is unlikely that this is due to the association form. It rather seems to be a size effect. On average commercial banks are significantly larger than the ISBs and the two cooperative banks.

The statement that the association form is not likely to be of importance for which regulatory approach a bank chooses becomes even clearer when considering the banks choice of approach more in depth. For this purpose the commercial banks are divided into the following subcategories; i) the big four, ii) former savings banks (which are ISBs that have converted their association form to a commercial bank) and, iii) other. Then banks in the two first categories stand out as being more sophisticated. These banks are the big four and six former savings banks that recently converted into a commercial bank with Swedbank (one of the big four) as one of their owners. All of these banks are either using SA or AMA. This implies that ownership matters. This becomes even more evident when considering that six of the other seven former savings banks (not partly owned by Swedbank) are still using the default approach.

A table without the big four and the commercial banks that are partly owned by Swedbank would show that all but four of the remaining commercial banks were using the default approach. This is similar to the ISBs and strongly suggests that the association form has only minor, if any, impact on a banks choice of regulatory operational risk measurement approach.

12

The effect of the approaches adopted on the banks capital adequacy requirements
As is shown in Table 7, the Swedish banks were generally well capitalized in both 2007 and 2008. This was even the case during the third and fourth quarters of 2008 when the banks were part of the international banking crisis and economic recession. The lowest average value of the banks own funds ratio in any quarter was 2.17, which is still more than twice as high as required (see the third quarter of 2008)7. The own funds ratio is defined as the banks total own funds for capital adequacy purposes8 divided by the total capital adequacy requirement for covering the banks aggregated exposure to risk. This means that the banks own funds ratio should be at least equal to or higher than one.

Table 7 The Own Funds Ratio of Swedish banks in 2007 and 2008 N Q1 Q2 Q3 Q4
101 102 100 98

2007 Mean
2.35 2.43 2.42 2.33

Std dev.
0.91 1.73 1.75 0.77

N
87 88 88 89

2008 Mean
2.26 2.21 2.17 2.24

Std dev.
0.80 0.79 0.78 0.98

The total capital adequacy requirement is mainly based on the banks aggregated exposure to credit, market and operational risk. During the implementation year of the new regulatory framework there were some transition rules, making the total exposure to these three types of risk significantly less than 100 per cent (93-98%). Under 2008 they sum up to 99-99.5 per cent. The capital adequacy requirement for exposures to credit risk is on average over 85 per cent, whereas it is only about one per cent for market risk exposure and less than 15 per cent for operational risk exposure.9 In combination with the high capitalization of the banks in general (also during the financial crisis), the relatively low share of regulatory capital for covering operational risk exposure may of course be a plausible explanation for the widespread use of the default approach. It does not pay off to use a more advanced approach.
7

When looking at the outliers for identifying possible problem banks; the lowest value for a single bank was an own funds ratio of 1.10. The fifth lowest percentile was 1.27 in the fourth quarter of 2008 and it has decreased from 1.50 as the highest estimate in the second quarter of 2007. 8 The total own funds for capital adequacy purposes is derived from equity capital, subordinated debt and other near capital funds defined in Tier I and Tier II (and in some cases Tier III) in the Basel accord. 9 The low market risk on average is due to the fact that few banks seem to be exposed to market risks. The average of these banks was still only 3.6% in the fourth quarter of 2008. The average of the big four was just 5.4 %.

13

In Table 8 the total capital adequacy requirements for commercial banks, ISBs and cooperative banks, respectively, are shown in relative terms for the three main types of risk exposures. Besides that the exposure to market risk is more or less non-existent in ISBs and the two cooperative banks, it is obvious that commercial banks are also more exposed to operational risks in relative terms.

Table 8 Average capital adequacy requirement with respect to risk type at the end of 2008 Bank category ISBs Cooperative
90.4% 9.5% 0.1% 89.5% 10.5% 0%

Type of risk exposure Credit risk exposure Operational risk exposure Market risk exposure Number of banks

Commercial
79.6% 17,9% 2.5%

All banks
86.3% 12.7% 1.0%

n=34

N=53

n=2

n=89

When the commercial banks are divided into the three subgroups, we can observe that the big four as well as the former savings banks that are now partly owned by Swedbank display similar exposure to operational risk as banks in general. The remaining commercial banks are on average much more exposed to operational risk with respect to the capital adequacy requirement, but a closer look tells us that this additional exposure is referable to eight of the banks only. As the remaining commercial banks do not differ from the average bank, these eight banks are studied more in detail. Each bank has adopted the default approaches for determining the regulatory capital to be held for their exposures to operational risk and credit risk, respectively. However, the use of BIA can hardly be the only or even the main reason for their significantly higher regulatory capital requirement for operational risk exposures in relative terms. After all they are using SA for credit risk exposures. A more plausible reason lies in the fact that seven of the banks are investment banks. Generally, these banks do not have large credit portfolios and do therefore not expose themselves to high credit risks. This makes their operational risk exposure more pronounced. At the end of 2008, as much as 42.2 per cent of their total capital adequacy requirement was held for covering unexpected losses from operational risk exposures.

The apparently high preference for using the default approach for operational risk measurement implies that the economic incentive for adopting a more advanced approach is not high enough.
14

This motivates an analysis of how the capital adequacy requirement changes when a bank changes to a more sophisticated approach. During the first two years of the new regulation, only seven banks have changed to another regulatory approach. One bank changed from BIA to AMA, whereas the other six changed from BIA to SA. Three of these six banks reported the same amount of regulatory capital as before, whereas two of them actually reported a slightly higher amount. Thus, only one of the banks that switched to SA did gain in terms of a significantly lower capital adequacy requirement. (The bank that started to use its own internal measurement method did of course also manage to decrease its regulatory capital requirement substantially.)

The relatively few upgrades of the regulatory approach and their seemingly meagre outcome, together with the high use of the default approach, lend support to the conclusion that capital adequacy requirement for operational risk exposures is of minor importance for the banks. This conclusion is further strengthened when analysing the compliance reports of the banks more in detail. As is displayed in Table 9, the compliance reports are often identical from one quarter to another. Only a small fraction of the banks changes the amount of regulatory capital over time. Most changes or updates are made at the fourth quarter of the year, but to some extent also at the first quarter. Table 9 Frequency of changes of regulatory capital for operational risk exposure, 2007 and 2008 Number of banks with .. unchanged capital base increasing capital base decreasing capital base Total (N) 2007 Q2 Q3
79 2 4 88 2 1

Q4
20 70 0

Q1
55 20 8

2008 Q2 Q3
82 1 3 84 3 1

Q4
16 60 12

85

91

90

83

86

88

88

A more detailed analysis reveals that a majority of the banks update their reports of operational risk exposure once a year. As many as 49 banks updated their figures at the fourth quarter of both the years, whereas eight banks made an update at the first quarter of 2008. This implies that there is a very strong link to the accounting of these banks and that they do not follow up gross income on a quarterly basis. Instead the reporting is based on historical data on an annual basis. A few of the bigger banks were updating their figures more frequently, but no bank did so every quarter. However, four banks made changes twice a year and two banks did actually update their figures
15

every quarter of 2008. It is still evident that the reports are primarily made in order to comply with the regulatory framework rather than providing valuable information to the business units of the banks.

Conclusions
The new Basel accord forces the banks to develop and design internal risk information models and systems. This seems to have a major impact on the risk management of banks in general and on their assessment of operational risk exposures in particular. This paper generates additional empirical findings on the actual adaptation of Swedish banks to the new regulations, especially by evaluating how operational risk measurement is related to the measurement of other types of risk exposures. Our analysis leads to the following conclusions:

- The economic incentives to adopt more advanced operational risk approaches is generally minor to the banks. We identify relatively high own funds ratios but we cannot link the variations to the sophistication of risk management approaches used. We cannot either find that the banks that have changed their regulatory approach necessarily show lower capital requirements for operational risk exposures. The financial crisis does not seem to have had any significant impact on these conclusions.

- There is a strong relationship between size and choice of regulatory approach for measuring operational risk. However, this effect mainly concerns the largest and smallest banks. The big four are more sophisticated than other banks and the smallest banks are generally using the default approach. The middle size banks do not show any relationship between size and the approach adopted, but we can identify that the banks that are partly owned by Swedbank are more sophisticated than the other banks. This implies that the ownership is important for the choice of regulatory approach, although the banks association form does not impact. - There is a strong relationship between the banks use of more sophisticated approaches for different kinds of risk. However, only operational risk develops to be more sophisticated during the first two years of Basel II. The Swedish banks do not follow the trend towards more
16

sophisticated methods for measuring operational risk, during the second year of Basel II implementation, as was predicted by Lindblom et al 2008 after the first years analysis. - The banks compliance reports to the Swedish financial supervisory authority, is accounting based and primarily made in order to meet regulatory demands rather than the information needs of the business units of the banks. These findings show that the there is a discrepancy between the regulators intention towards risk management and banks risk management in practice. It is evident that the reporting to the regulator primarily is made in order to comply with the regulatory framework rather than providing valuable information to the business units of the banks. We can assume that either the banks are not interested in the modelling of operational risk due to the difficulties of modelling these risks formally (in other words, the benefit does not exceed the costs of adopting a more advanced regulatory approach) or that the approaches provided do not capture the actual risk exposures of the banks. The latter does not exclude the possibility that the banks are using more advanced internal models a side from the capital adequacy requirements. If this is true the implementation of the new Basel accord has succeeded in fulfilling the objective of sharpening the operational risk measurement in the banks, but it has failed to accomplish the important objective of making the real risk exposures of banks more transparent.

17

References

Allen L., Bali T. G., (2007), Cyclicality in catastrophic and operational risk measurements, Journal of Banking and Finance, 31(4): 1191-1235 Aparicio, J. and E. Keskiner (2004). A Review of Operational Risk Quantitative Methodologies Within the BASEL-II Framework, Accenture Technology Labs, Sophia Antipolis, France. Avery R.B. and A. Berger (1991). Risk-based capital and deposit insurance reform, Journal of Banking and Finance, 15(4/5), pp. 847-874. Bonsn, T., T. Escobar and F. Flores (2008). Operational Risk Measurement in Banking Institutions and Investment Firms: New European Evidences, Financial Markets, Institutions & Instruments, Vol. 17, No. 4, pp. 287-307. Calem, P.S. and M. Lacour-Little (2004). Risk-based Capital Requirements for mortgage loans, Journal of Banking and Finance, 28(3), pp. 647-672. FFFS (2007:1). Blankett Kapitaltckning och stora exponeringar, Bilaga 2 in Freskrifter och allmnna rd om kapitaltckning och stora exponeringar, Finansinspektionen, Stockholm. FFFS (2008:13). Blankett Kapitaltckning och stora exponeringar, Bilaga 2 in Freskrifter om ndring i Finansinspektionens freskrifter och allmnna rd (FFFS 2007:1) om kapitaltckning och stora exponeringar, Finansinspektionen, Stockholm. Flores, F., E. Bnson-Ponte and T. Escobar-Rodrguez (2006). Operational risk information system: a challenge for the banking sector, Journal of Financial Regulation and Compliance, 14(4), pp. 383-401. Jarl, H. and S. Wigren (2009). Operativa risker: Handelsbanken, Nordea, SEB och Swedbank, University of Gothenburg (Bachelor thesis). Jones, D. (2000). Emerging problems with the Basel Capital Accord: Regulatory capital arbitrage and related issues, Journal of Banking and Finance, 24(1/1), pp. 35-38. Lastra, R.M. (2004). Risk-based capital requirements and their impact upon the banking industry: Basel II and CAD III, Journal of Financial Regulation and Compliance, 12(3), pp. 225239. Lindblom, T. and M. Olsson (2007). Bank Capital and Loan Pricing - Implications of Basle II, in Frontiers of Banks in a Global World, (Eds) Molyneux, P. & E.Vallelado, Palgrave MacMillan, Hampshire, pp. 78-102. Lindblom, T., M. Olsson and M. Willesson (2008). Operational Risk under the Basel II Capital Adequacy Framework, Moosa, A, (2008). A Critique of the advance measurement approach to regulatory capital against operational risk, Journal of Banking Regulation, 9(3): 151-164 Moosa, I.A. (2007). Operational Risk: A Survey, Financial Markets, Institutions & Instruments, Vol. 16, No. 4, pp. 167-200.
18

Neil M., Hger D., Andersen L. G. (2009), Modeling operational risk in financial institutions using hybrid dynamic bayesian networks, The Journal of Operational Risk, 4(1): 3-33. Riksglden (2009). Bank guarantee programme, www.riksgalden.se/templates/ RGK_Templates/TwoColumnPage____17104.aspx (April 15th, 2009) Svenska Svenska Bankfreningen (2009). Bank- och finansstatistik 2008, http://www.bankforeningen.se/ upload/bank_finansstatistik2008.pdf. April 2009,

Bankfreningen (2008). Bank och finansstatistik 2007, Juni 2008, http://www.bankforeningen.se/upload/ broschyr_bank_finansstatistik07_uppdat.pdf.

Wahlstrm, G. (2009). Risk management versus operational action: Basel II in a Swedish context, Management Accounting Research, Vol. 20, pp. 53-68. Wei R. (2007), Quantification of operational losses using firm-specific information and external database, The Journal of Operational Risk, 1(4): Wold, M. (2006). Basel II Moves Operational Risk Into the Open, Securities Industry News, 18(33) p. 22.

19