Dear Ms. Davis:
This letter is written in my personal capacity, in response to your article Operational risk at a crossroads (OR&C, December 2006). In my professional capacity, I am the head of operational risk of the Emirates Bank Group in Dubai, the co-regional director of the UAE chapter of GARP, and a professional member of the Institute of Operational Risk.
It is interesting that this debate is now being opened to the industry. You are spot on about a discipline 'in limbo'. Everybody is trying to make a quick buck, nobody is really pulling together to sort out the fundamental mistakes made in the beginning.
These mistakes include issues like calling people 'operational risk managers' and as you mentioned, things that evolved from the audit profession, re-directed by Basel to be an independent function, really need some urgent direction and correction.
The fathers of op risk managers were wrong to create the title of 'operational risk manager'. Managing op risk is not even a line-management function, it is everybody's job. The discipline has two distinct streams of work, and thanks to Basel II, a third one.
First we have the level at which op risk actually gets managed. At this level it is a skill that needs to be taught and applied, let us thus get away from thinking there is a breed of managers – 'operational risk managers – who go around organisations, 'picking up banana peels'.
Second, there is the advisory level. The professionals in this discipline should be called 'operational risk advisers'. These are the strategists and policymakers who implement sound risk-management principles, and develop the op risk function into the value-adding function it should be. These are the guys who are looking through the windscreen to drive the car; no longer just in the rearview mirror.
No amount of quantification, scenario analysis or modelling can mitigate operational risk. People risk is the most important part of operational risk, and these professionals need to provide the tools to the business to manage all operational risks. At the professional level, all tools and data streams are pulled together into a comparative reporting dashboard, to support the entire workforce in their management of op risk.
Do not try to compare this level to consultants. Just as the ex-auditors are not op risk managers and never will be, you can never have op risk consultants. Op risk professionals must understand the business and the support functions fully to be able to put together the strategy, framework, policies and performance-management criteria.
The third level is specialisation. These are the quants and modelling specialists that Basel II brought into the picture. They should work cross-functionally on risk modelling. They are not managing op risk other than any that is relevant to their jobs, and they are by no means op risk professionals. They are quantification experts, and should focus on that.
Until these three distinct levels and functions within the discipline of op risk are clearly understood and functional boundaries are defined, we will have the current confusion. Amid this confusion, nobody will be able to get over the wall you say we have hit.
Horst Simon, Dubai