Into the unknown

A few weeks ago, I was looking out of my window at (by the standards of North West London suburbia) an astonishing monsoon thunderstorm which had lasted dramatically for a couple of hours or so, when a posse of police cars, some marked, some unmarked, screamed up the road and stopped at the house opposite. It turned out that my neighbour was one of the 8 Al-Qaeda suspects arrested that day in the UK and later charged with various terrorist offences. And I thought, if ever there was a good example of unpredictable external events – whether meteorological or terrorist inspired – that was it. As for the likely correlation of the two, I leave that to the quants and actuaries.

It also reminded me of the words of that great sage, Donald Rumsfeld. What I had just seen were probably two of his famous "known unknowns", rather than the even scarier "unknown unknowns". And from there I thought about how we handle these known unknowns, which are so often the risks that threaten both the business and the system, whether they come from outside or from the people you employ. It's all very well counting up all those losses and risks, often related to process, which are effectively expected, and which now under Basel are thankfully sliding out of the capital assessment equation. What really matters is the management of the unexpected losses, or the events and people you can't control.

And that, in turn, made me reflect on one other aspect of the expected/unexpected loss divide. It is often said, when considering loss event data, that what really matters is not so much the losses, as their causes. Risk management is about identifying and managing those causes. That's true for most losses, but I wonder whether it is the management priority when it comes to extreme events, the thankfully rare unknowns.

9/11 was about managing the effect, not the cause, as it is with most real disasters. It was the same with Royal Bank of Canada, when its IT system collapsed a few months ago and it had to draft in over 200 employees for more than a week to sort out the mess. Another good example of managing effects rather than causes lies in Standard Chartered's HIV/AIDS initiative. SARS threatened the global financial system as well as major economies not just in Asia. HIV/AIDS is doing the same. In South Africa, over a quarter of the population is HIV positive. Standard Chartered Bank, which recognises HIV/AIDS as one of its key strategic risks, launched an AIDS awareness campaign in 2000 and, in 2002, followed this with 'Living with HIV'. The bank needed to provide HR policy guidance on the management of employees living with HIV/AIDS. In addition, the bank's profitability was being affected through loss of personnel, absenteeism, medical and welfare costs and so on.

What is interesting about the RBC and Standard Chartered examples is that they don't fit the standard pattern of business continuity management, which is usually how we tackle the effects of the "unknowns". Business continuity planning, though, lies at the heart of most responses to crises. Resilience is essential in a world where nearly 1 in 5 businesses suffers a major disruption every year. How quickly you get back to 'business as usual' depends on how robust and up to date your business continuity plan is. How well you manage a crisis will tell the world more about your management than the fact that you hit the rocks in the first place.

And of course, 'no man is an island'. The UK Government has urged its citizens, in the event of an emergency, to 'Go in, stay in, tune in', which is easy to understand and serves its purpose. But a business in financial services can't be so isolationist. It is not just enough to have and to test your own internal BCP. You need to work with others in the market and, as with Y2K, co-ordinate BCP and testing arrangements. Failure to do that could well mean that markets are unsustainably illiquid and have to be closed, which means we're all out of business.

As well as BCP, of course, the other way you can mitigate the impact of the unknowns is to transfer the risk to your friendly insurer. This is not the time, though, to discuss the merits and pricing of insurance, but rather to consider who should be managing all these inter-related processes.

Fundamentally, the person identifying, monitoring and measuring these risks; the person who is working out the scenario analyses, in which realm Roger Cole, associate director at the Federal Reserve, clearly put external events at a speech in a Nice conference this summer; the person managing the BCP process; the person buying the insurance – should be the person responsible for operational risk.

We often talk about enterprise-wide risk management. This is the clearest area where integrated risk management, bringing together all the strands involved in managing the known unknowns, and indeed daring to think about the unknown unknowns, needs to be practised. OpRisk