Deserts of vast eternity

Macmillan's words came back to me a number of times over the past few weeks, as I listened to conference presentations and, courtesy of this august organ, read some academic papers on op risk. Again and again, I heard and read about the measurement of events and I kept asking myself, 'Whatever happened to the chain of cause-event-effect?'. Instead of researching that, we'll measure events, because that's a given and is what we've been told to do, whether or not the result is even half accurate, or the firm or the system becomes a safer or more certain place.

The imperfections of loss event data are too well-rehearsed to need another outing here. It was interesting, though, that even those academics confidently searching for a more precise measurement methodology highlighted the non-stationarity of loss events, the fact that banks tend to do something to prevent large events hitting them again, so that past history is but a remote guide to future exposure. Which rather blows the whole exercise significantly off course.

In the margins of one conference, I was talking to two eminent AMA operational risk heads. One told me that if people really wanted him to model to 99 point whatever, they should build in a tolerance of over 100%. At 95% he reckoned the tolerance came down to around 40%, and one of the academic papers I read mentioned a tolerance of 20% around the 90% quantile. Perhaps a pattern is emerging. The other told me he will come up with a figure to whatever percentile is required of him. "Do I believe it as a measure of my exposure?" he asked. "Of course not." But he'll produce the figure. Because that's what the regulators want (including the dreaded and irrelevant 56-cell matrix), and if we do it that way, they'll be happy. And if they're happy, our chief executive officers will be happy.

Loss event data may seem to be the only relatively hard facts we have to go on. Yet we know that the losses are heterogeneous, if only because events of the same type can have different causes, and the route from event to effect is similarly fraught. And large and currently relevant losses will never be statistically meaningful. But still we worry loss data to death to find the answer we want to see. Last March, the GIRO working party of the Institute of Actuaries published a paper on quantifying operational risk in general insurance companies.1 Their conclusion, which deserves a wider audience, suggested that if we are to quantify operational risk, we shall probably have to look to causal modelling, rather than use existing actuarial methodologies on loss events.

So, with Othello, I am tempted to cry, "It is the cause, my soul". Of course, that doesn't make the job any easier. But causes - and effects - are what we manage, rather than events per se. So a method that focuses more closely on those, allies itself to risk management and should point us to where we are truly exposed. We learn much from events, especially if we know how they came about and analyse those causes. But at our backs the winged chariots of the regulators sweep us along towards deserts of vast eternity, where we shall try to stretch those events well beyond their true usefulness.

The Centre for the Study of Financial Innovation recently published its annual 'Banana Skins' survey for 2005. Top of the list was 'Too much regulation' (whether that is the greatest risk to the system rather than the greatest irritant, I leave to you). One respondent, Stanley Epstein of Israel's Citadel Advantage consultancy, said: "Many organisations are wrongly assuming that operational risk regulation will keep them safe." I share his concern. Is there a danger we are letting the regulators do our thinking for us, perhaps by counting and calibrating loss data, and not really thinking it all through?

Those of you who have been to see 'Peter Pan' will remember the tearful moment near the end when Tinkerbelle appeals to the audience, "Do you believe in fairies?" and we all shout back "Yes". And the adults smile benignly at the children around them. Deep down, of course, the adults also want to believe. Sadly, life and operational risk are more difficult than that. OpRisk