Into the unknown
by John Thirlwell, ORRF
A few weeks ago, I was looking out of my window at (by the standards of North West London suburbia) an astonishing monsoon thunderstorm which had lasted dramatically for a couple of hours or so, when a posse of police cars, some marked, some unmarked, screamed up the road and stopped at the house opposite. It turned out that my neighbour was one of the 8 Al-Qaeda suspects arrested that day in the UK and later charged with various terrorist offences. And I thought, if ever there was a good example of unpredictable external events – whether meteorological or terrorist inspired – that was it. As for the likely correlation of the two, I leave that to the quants and actuaries.
It also reminded me of the words of that great sage, Donald Rumsfeld. What I had just seen were probably two of his famous "known unknowns", rather than the even scarier "unknown unknowns". And from there I thought about how we handle these known unknowns, which are so often the risks that threaten both the business and the system, whether they come from outside or from the people you employ. It's all very well counting up all those losses and risks, often related to process, which are effectively expected, and which now under Basel are thankfully sliding out of the capital assessment equation. What really matters is the management of the unexpected losses, or the events and people you can't control.
And that, in turn, made me reflect on one other aspect of the expected/unexpected loss divide. It is often said, when considering loss event data, that what really matters is not so much the losses, as their causes. Risk management is about identifying and managing those causes. That's true for most losses, but I wonder whether it is the management priority when it comes to extreme events, the thankfully rare unknowns.
9/11 was about managing the effect, not the cause, as it is with most real disasters. It was the same with Royal Bank of Canada, when its IT system collapsed a few months ago and it had to draft in over 200 employees for more than a week to sort out the mess. Another good example of managing effects rather than causes lies in Standard Chartered's HIV/AIDS initiative. SARS threatened the global financial system as well as major economies not just in Asia. HIV/AIDS is doing the same. In South Africa, over a quarter of the population is HIV positive. Standard Chartered Bank, which recognises HIV/AIDS as one of its key strategic risks, launched an AIDS awareness campaign in 2000 and, in 2002, followed this with 'Living with HIV'. The bank needed to provide HR policy guidance on the management of employees living with HIV/AIDS. In addition, the bank's profitability was being affected through loss of personnel, absenteeism, medical and welfare costs and so on.
What is interesting about the RBC and Standard Chartered examples is that they don't fit the standard pattern of business continuity management, which is usually how we tackle the effects of the "unknowns". Business continuity planning, though, lies at the heart of most responses to crises. Resilience is essential in a world where nearly 1 in 5 businesses suffers a major disruption every year. How quickly you get back to 'business as usual' depends on how robust and up to date your business continuity plan is. How well you manage a crisis will tell the world more about your management than the fact that you hit the rocks in the first place.
And of course, 'no man is an island'. The UK Government has urged its citizens, in the event of an emergency, to 'Go in, stay in, tune in', which is easy to understand and serves its purpose. But a business in financial services can't be so isolationist. It is not just enough to have and to test your own internal BCP. You need to work with others in the market and, as with Y2K, co-ordinate BCP and testing arrangements. Failure to do that could well mean that markets are unsustainably illiquid and have to be closed, which means we're all out of business.
As well as BCP, of course, the other way you can mitigate the impact of the unknowns is to transfer the risk to your friendly insurer. This is not the time, though, to discuss the merits and pricing of insurance, but rather to consider who should be managing all these inter-related processes.
Fundamentally, the person identifying, monitoring and measuring these risks; the person who is working out the scenario analyses, in which realm Roger Cole, associate director at the Federal Reserve, clearly put external events at a speech in a Nice conference this summer; the person managing the BCP process; the person buying the insurance – should be the person responsible for operational risk.
We often talk about enterprise-wide risk management. This is the clearest area where integrated risk management, bringing together all the strands involved in managing the known unknowns, and indeed daring to think about the unknown unknowns, needs to be practised. OpRisk
Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.
To access these options, along with all other subscription benefits, please contact info@risk.net or view our subscription options here: http://subscriptions.risk.net/subscribe
You are currently unable to print this content. Please contact info@risk.net to find out more.
You are currently unable to copy this content. Please contact info@risk.net to find out more.
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. Printing this content is for the sole use of the Authorised User (named subscriber), as outlined in our terms and conditions - https://www.infopro-insight.com/terms-conditions/insight-subscriptions/
If you would like to purchase additional rights please email info@risk.net
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. Copying this content is for the sole use of the Authorised User (named subscriber), as outlined in our terms and conditions - https://www.infopro-insight.com/terms-conditions/insight-subscriptions/
If you would like to purchase additional rights please email info@risk.net
More on Risk management
Op risk data: TD Bank takes US reg pill in purported drug-related AML fails
Also: SCB fraud bill rising fast; Postbank pain for Deutsche Bank. Data by ORX News
Clear warning on escape hatch for optimisation trades
CCPs fear Emir clearing mandate carve-out for portfolio rebalancing could be abused
One year on, regulators still want a cure for bank runs
Broad support for higher outflow assumptions on uninsured deposits, but that won’t save insolvent banks
Falling T2 balances bode well for eurozone’s stability
Impact of fragmentation would be less severe today than in 2010s, says Marcello Minenna
For a growing number of banks, synthetics are the real deal
More lenders want to use SRTs to offload credit risk, but old hands say they have a long road ahead
Did Fed’s stress capital buffer blunt CCAR?
Experts fear flagship test’s use as a capital top-up has undermined its role in risk management
How Ally found the key to GenAI at the bottom of a teacup
Risk-and-tech chemistry – plus Microsoft’s flexibility – has seen US lender leap from experiments to execution
Industry urges focus on initial margin instead of intraday VM
CPMI-Iosco says scheduled variation margin is better than ad hoc calls by clearing houses
Most read
- Breaking out of the cells: banks’ long goodbye to spreadsheets
- Too soon to say good riddance to banks’ public enemy number one
- Industry calls for major rethink of Basel III rules