Operational Risk – the risk of incomplete risk management

The crux of this definition is what is included, and the significance of what, if anything, is left out. Basel II did us all a great disfavour by definitively excluding large parts of possible risks, strategic and reputational risks; largely ignoring others such as liquidity risk; and not even mentioning areas such as government, regulatory and environmental risks. We concentrated on what we could understand and what we could, or believed we could, quantify – and we thought we were safe.

Back in the dark ages I worked on designing an exposure system for a London investment bank - one long-since swallowed up and now lurking in the depths of some US or German global bank. Using the then recent techniques of real-time transaction processing, we attempted to give the bank’s management a view of where their exposure lay. We then discovered that one of the bank’s offices - in an off-shore financial haven - did not calculate exposure daily but was completely paper-based. They were lucky if they could report their exposures monthly, a month in arrears. As this was a large portion of the bank’s global exposure, it was decided it was pointless proceeding as the results would have given a false picture.

This is where we are today with risk management. We believe we can manage market risk. We think that we can manage credit risk, if only the ratings were accurate.  We have a go at managing a small part of operational risk, unfortunately the parts with the lowest impacts - failure of services, fraud, theft, process breakdown, etc. We ignore the impact of liquidity risk because we don’t know how to measure it. We have no idea how to assess and mitigate against the herd effect of reputational risk, We do not include the risks of government decisions, poor management skills, and remuneration practices that encourage risk taking.

We have an overall “model” that looks at parts in detail, pays lip service to other parts and ignores the rest. From my early years studying statistics, unfortunately most of which is long forgotten, I remember one rule. If a decision is to be based on, say, ten statistically derived values, all these values must be measured to similar levels of accuracy. You cannot measure three to four decimal places, calculate two to plus/minus 10%, estimate two to high/medium/low, and ignore three! Your decision will be based on erroneous data.

That is what we are doing in risk management. Value at risk is a misnomer – it is a “bit of the value of a bit of the risk”. It is time that we moved away from the detailed but incomplete quantitative models and built comprehensive if qualitative ones.

Let us have less mathematics (which makes us comfortable as being black/white) and more psychology (which makes us think). That is where we, the practitioners, the governments, the regulators, need to fund research. Keep the detailed parts as they are – they will improve through practice – and fill in the gaps, all the gaps.