VIEW: Beyond the measurement of risk
Written by John Thirlwell, non-executive director, Institute of Operational Risk
Early in March, the Basel Committee issued a consultation about a major revision to the way banks calculate capital for operational risk. The Advanced Measurement Approach, in which banks can use their own internal models, similar to Solvency II for European insurers, is being changed to a Standardised Measurement Approach so that they will have to use a formula devised by the regulators. In a broad sense it uses income as the basis for the charge, scaled by the size of the bank’s operational risk losses over the previous 10 years.
But is it really that simple? Operational risk, it seems to me, fits very well with Keynes’s views about risk and uncertainty. Risk is essentially about cause. In the case of operational risk, the fundamental causes are to do with human frailty, including that of senior management, and external events such as natural or man-made disasters. And these lie in the outer realms of uncertainty. I have met many non-life actuaries, but I have yet to find one who believed that operational risk can be modelled to any reasonable degree of confidence. Maybe that’s why the regulators have decided on a crude formula. But is measurement what we should be about?
As my colleague Simon Ashby pointed out in this column many moons ago, major industries such as energy, aviation or medicine don't spend their time measuring risk, they spend their time managing and mitigating it. They worry about cause which, for most risk events, usually tracks back to people.
So it was fascinating to hear a senior Dutch regulator a few weeks ago explain their new approach to bank supervision. They have recruited organisational psychologists to join their supervisory teams. They have realised that the important thing is how the firm and its risks are managed from the boardroom down. What is the decision-making process? What information is provided for decisions -- too much or too little? Is challenge welcome? Is there a clear strategy? Are there clear objectives at each level and are they the basis for business decisions? Is everybody clear of their role and responsibilities? And most importantly, is the board and the firm flexible enough to change if the business environment changes?
These are the basics of risk, and especially operational risk, management. They don’t come easily. But if they are in place you will find a firm in which everybody not only thinks about what they are trying to do, but will also be managing its risks in a positive way. And not believing that by measuring its risks it’s succeeded in doing the job.