Into the unknown
by John Thirlwell, ORRF
A few weeks ago, I was looking out of my window at (by the standards of North West London suburbia) an astonishing monsoon thunderstorm which had lasted dramatically for a couple of hours or so, when a posse of police cars, some marked, some unmarked, screamed up the road and stopped at the house opposite. It turned out that my neighbour was one of the 8 Al-Qaeda suspects arrested that day in the UK and later charged with various terrorist offences. And I thought, if ever there was a good example of unpredictable external events – whether meteorological or terrorist inspired – that was it. As for the likely correlation of the two, I leave that to the quants and actuaries.
It also reminded me of the words of that great sage, Donald Rumsfeld. What I had just seen were probably two of his famous "known unknowns", rather than the even scarier "unknown unknowns". And from there I thought about how we handle these known unknowns, which are so often the risks that threaten both the business and the system, whether they come from outside or from the people you employ. It's all very well counting up all those losses and risks, often related to process, which are effectively expected, and which now under Basel are thankfully sliding out of the capital assessment equation. What really matters is the management of the unexpected losses, or the events and people you can't control.
And that, in turn, made me reflect on one other aspect of the expected/unexpected loss divide. It is often said, when considering loss event data, that what really matters is not so much the losses, as their causes. Risk management is about identifying and managing those causes. That's true for most losses, but I wonder whether it is the management priority when it comes to extreme events, the thankfully rare unknowns.
9/11 was about managing the effect, not the cause, as it is with most real disasters. It was the same with Royal Bank of Canada, when its IT system collapsed a few months ago and it had to draft in over 200 employees for more than a week to sort out the mess. Another good example of managing effects rather than causes lies in Standard Chartered's HIV/AIDS initiative. SARS threatened the global financial system as well as major economies not just in Asia. HIV/AIDS is doing the same. In South Africa, over a quarter of the population is HIV positive. Standard Chartered Bank, which recognises HIV/AIDS as one of its key strategic risks, launched an AIDS awareness campaign in 2000 and, in 2002, followed this with 'Living with HIV'. The bank needed to provide HR policy guidance on the management of employees living with HIV/AIDS. In addition, the bank's profitability was being affected through loss of personnel, absenteeism, medical and welfare costs and so on.
What is interesting about the RBC and Standard Chartered examples is that they don't fit the standard pattern of business continuity management, which is usually how we tackle the effects of the "unknowns". Business continuity planning, though, lies at the heart of most responses to crises. Resilience is essential in a world where nearly 1 in 5 businesses suffers a major disruption every year. How quickly you get back to 'business as usual' depends on how robust and up to date your business continuity plan is. How well you manage a crisis will tell the world more about your management than the fact that you hit the rocks in the first place.
And of course, 'no man is an island'. The UK Government has urged its citizens, in the event of an emergency, to 'Go in, stay in, tune in', which is easy to understand and serves its purpose. But a business in financial services can't be so isolationist. It is not just enough to have and to test your own internal BCP. You need to work with others in the market and, as with Y2K, co-ordinate BCP and testing arrangements. Failure to do that could well mean that markets are unsustainably illiquid and have to be closed, which means we're all out of business.
As well as BCP, of course, the other way you can mitigate the impact of the unknowns is to transfer the risk to your friendly insurer. This is not the time, though, to discuss the merits and pricing of insurance, but rather to consider who should be managing all these inter-related processes.
Fundamentally, the person identifying, monitoring and measuring these risks; the person who is working out the scenario analyses, in which realm Roger Cole, associate director at the Federal Reserve, clearly put external events at a speech in a Nice conference this summer; the person managing the BCP process; the person buying the insurance – should be the person responsible for operational risk.
We often talk about enterprise-wide risk management. This is the clearest area where integrated risk management, bringing together all the strands involved in managing the known unknowns, and indeed daring to think about the unknown unknowns, needs to be practised. OpRisk
Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.
To access these options, along with all other subscription benefits, please contact info@risk.net or view our subscription options here: http://subscriptions.risk.net/subscribe
You are currently unable to print this content. Please contact info@risk.net to find out more.
You are currently unable to copy this content. Please contact info@risk.net to find out more.
Copyright Infopro Digital Limited. All rights reserved.
As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (point 2.4), printing is limited to a single copy.
If you would like to purchase additional rights please email info@risk.net
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (clause 2.4), an Authorised User may only make one copy of the materials for their own personal use. You must also comply with the restrictions in clause 2.5.
If you would like to purchase additional rights please email info@risk.net
More on Risk management
SEC leadership change puts Treasuries mandate under scrutiny
FICC clearing models approved, but critics think delay could revive prospects of done-away trading
Markets Technology Awards 2025: Untangling the knots
Vendors jockeying for position in this year’s MTAs, as banks and regulators take aim at counterparty blind spots
Risk Awards 2025: The winners
UBS claims top derivatives prize, lifetime award for Don Wilson, JP Morgan wins rates and credit
An AI-first approach to model risk management
Firms must define their AI risk appetite before trying to manage or model it, says Christophe Rougeaux
BofA sets its sights on US synthetic risk transfer market
New trading initiative has already notched at least three transactions
Op risk data: At Trafigura, a $1 billion miss in Mongolia
Also: Insurance cartels, Santander settlement and TSB’s “woeful” customer treatment. Data by ORX News
Cyber risk can be modelled like credit risk, says Richmond Fed
US supervisors may begin to use historical datasets to assess risk at banks and system-wide
The changing shape of risk
S&P Global Market Intelligence’s head of credit and risk solutions reveals how firms are adjusting their strategies and capabilities to embrace a more holistic view of risk