Earlier I published a post about actuaries and operational risk. Today I am in a ranting sort of mood so here are my thoughts on quantifying operational risk.
I am not a huge proponent of the quant when operational risk is concerned. I’ve said it before, that risk management is more about people and processes and models and systems.
Years ago, a fellow named Philip Martin who was with HSBC at the time (who incidentally got me hooked on the op risk) told me a story about how he was delivering a presentation about risk management to a bank in Africa when the power went out. (My apologies Philip if I “mis-remember” this tale.) Although there was a generator on site, it was locked behind a door and no one could find the guy who had the key to the door. When I hear tales like this, I ask two questions: 1) would anyone have ever identified this risk; and, 2) if so, how the heck could anyone have quantified it? What sorts of models exist to quantify this risk and if some quant developed one, how reliable would it be to base treatment decisions?
And there are so many examples just like this: what is the probability that someone in your settlements department will file an ISDA agreement in the wrong place or that a confirmation will slip in the crack behind her desk? What is the probability that because of a spreadsheet input error your Value at Risk calculation will be wrong?
I say make sure that everyone is risk aware. Talk about risk and collectively assess your risks qualitatively. And don’t try to measure a silly risks like the one described and then rely on flawed or unavailable data to prioritize it.