Operational Risk Faultlines

One of the more interesting phenomenon in operational risk is why managers experience such abnormally high levels of catastrophic risk when compared to credit and market risk environments. A potential answer may lie in the choice of risk outcomes managers make in the design and operation of their programs. Experience from credit and market risk suggests that when we refuse to recognize every day risk which allows it to be reconciled daily, we force it to hide, only to emerge when it reaches catastrophic levels.

In credit risk, accountants and auditors would quickly jump on firms that extend commercial credit but fail to establish, forecast and maintain a reserve allowance for bad debt. No level of rationalization about the firm's exceptional credit screening process would convince a prudent accountant to ignore reserve requirements. Instead, managers use historical or probability models in accounting for expected risk, allowing the firm to experience the daily feedback from current lending practices. Through this process, risk is forced into the budgeted "expected loss" category, materially driving down the alternate and default "unexpected loss" category where catastrophic demons reside. Feedback is daily and risk appetites appropriately adjusted.

Likewise, market risk managers have equally mature practices in forecasting recurring risk. Value-at-Risk or Capital-at-Risk models, portfolio loss reserves and other methods anticipate a certain level of loss from expected risk. Derivatives markets, intentionally structured to administer risk, often use daily settlement methods so that a day's gains or losses are immediately felt. Instead of deferring the realization of gains and losses to the end of a contract term, which attracts liquidity and default risk into the equation, winners and losers in these markets settle daily and risk levels are moderate but balanced. Risk is rarely allowed to stray too far from the expected loss category, and the demons of unexpected loss are again kept at bay. Again, feedback is provided on a near-daily basis, allowing the organization to appropriately adjust its appetite for risk.

Operational risk, on the other hand, is rarely permitted to reconcile daily. Rather than maintaining an expectation of budgeted loss, managers set unrealistic "zero fault" expectations. Systems are pronounced to have "five nines" (99.999%) uptime, change processes are put in place that apply punitive, often professionally terminal consequences for technical administrators who recognize a risky condition, creating an atmosphere where participants in the system are encouraged to ignore risk or worse yet, cover up minor risk manifestations. Game theorists would find these outcomes unsurprising, yet many operations environments are littered with these risk landmines.

The result is that normal risk is shuffled aside and hidden. Feedback is prevented, or worse yet, prohibited by organizational policy. In this state, catastrophic cousins are invited in, as the risk demon demands settlement in full, with obscenely compounded interest for his absence. Worse yet, operational environments tend to be rich with risk collinearity opportunities, as system failures tend to experience amplification due to homogeneous operating systems, hardware platforms and administrative personnel. A failure in risk mitigation to one system, such as an e-commerce webserver, bypasses most prevention-oriented defenses and permits a complete compromise to the environment to occur.

What's the solution to reducing operational risk conditions favorable to catastrophic consequence? John Milton, the well-know author of "Paradise Lost" and other works wrote the significant essay "Areopagitica" addressing the importance of allowing a free press, in which the concept of an open "grappling of truth and falsehood" is encouraged. Applied to risk management treatments, we see Milton's prescription present in credit risk management, where individual accounts are periodically evaluated and forecasted for default treatment. Derivatives markets (in most cases) are forced to grapple daily, with gains and losses applied before one's position becomes too extreme.

Operational risk requires this same treatment in order to reduce the opportunity for catastrophic loss, but can only occur in environments where the organization encourages the forecasting of expected loss. Loss must be recognized as a probabilitistic reality, rather than a culturally prohibited outcome. Absent recognition as a recurring expected loss, risk's demons will find their expression in unexpected catastrophic outcomes.

As the FuzzyNumbers blog evolves, I'll share ideas about the practical treatment of operational
risk that converts risk from unexpected to forecasted (and moderated) states.