Who dares wins

The US has been clued on to this potential risk for some time - in January 2007 the TJ Maxx chain of stores announced the loss of millions of customer records as a result of hacking over a period of almost three years. Even before that, ID theft and fraud have been hot topics in that country. As much as four years ago, friends of mine - a physician and her computer-savvy husband - had post snatched out of their letterbox and discovered only by chance they'd had vast loans and other commitments taken out in their names.

In Europe, this kind of theft has received less press, and it was not until the government's confession of CDs gone missing that the issue really gained momentum. Now everyone seems to be announcing that they've had data go missing, under the protective cover of the government's screw-up.

It's frustrating for me that so many UK financial institutions have announced data losses as part of this new confessional mood, including several building societies. Half the point of op risk is that firms should be looking at the kinds of losses other firms are experiencing and applying the lessons learned to their own organisations. Operational risk, done correctly, should be focused on prevention.

The problem of course is human nature - executives look at what happens at other firms and then convince themselves it couldn't happen in their own back garden - because they have better executives, better systems, better risk management and so on.

Complacency is hard to fight. No-one wants to be 'the boy who cries wolf', and often no-one wants to be the messenger bearing bad news - too often they are still shot. Therefore, speculating on what could go wrong seems political madness for many executives.

But for operational risk to move forward as a discipline, this basic human fear of failure needs to be countered with cultural change. Executives must dare to think creatively about disaster.

Ellen Davis