Reinventing Operational Risk Regulation for a World of Climate Change, Cyberattacks, and Tech Glitches.

I. INTRODUCTION 728 II. A BRIEF HISTORY OF OPERATIONAL RISK REGULATION 732 III. THE INADEQUACIES OF EXISTING OPERATIONAL RISK REGULATION 738 A. Uncertain Threats 741 1. Climate Change 742 2. [...]
Around 30 years ago, banking regulators began to construct the concept of "operational risk," and devise rules to manage this newly created risk category. This "invention" of operational risk assembled a grab-bag of otherwise uncategorized risks associated with banking operations; this Article argues that the resulting operational risk regulation framework isn't very well suited to some of those risks. In particular, this Article demonstrates that the existing operational risk regulation framework is becoming an increasingly inadequate response to banks' exposure to operational losses following damage to their physical assets and business disruption and system failures. This is so for two reasons. First, the current iteration of operational risk regulation does not respond to the significant uncertainty affecting banking system operations, which is being exacerbated by increasing technological complexity, cyberattacks, and climate change. Second, existing regulation doesn't contemplate that operational risks can be transmitted to and from banks through technological and other non-financial channels, and so the potential for systemic contagion is underestimated. This Article therefore sketches the beginnings of a "reinvented" approach to regulating for the operational threats of damage to physical assets and business disruption and system failures. The proposed framework places much less emphasis on risk-weighted capital regulation, favoring the alternative of simple buffers of equity that are more robust to uncertainty. In the absence of risk-weighted capital regulation, banking supervision will take on even greater importance. This Article therefore provides some guidance on what a "macro-operational" approach to banking supervision might look like, taking into account the possibility of technological and other forms of transmission of operational risk among banks. The Article concludes by recognizing that macro-operational supervision will not succeed in preventing all operational problems and therefore considers what new types of operations-specific emergency tools might need to be devised as a response.