Some would argue that the enormity of the operational risk task implies that the
only way to achieve success in terms of managing operational risk without creating
an army of risk managers is to have business management self-assess the risks.
However, this approach is not likely to elicit the kind of information necessary to
effectively control operational risk. It is unlikely that a Nick Leeson would have
self-assessed his operational risk accurately.
In idealized circumstances senior management aligns, through the use of appropriate
incentives, the short- and perhaps long-term interest of the business manager
with those of the corporation as a whole. If we assume this idealized alignment then
business management is encouraged to share their view of both the opportunities
and the risk with senior management. Self-assessment in this idealized environment
perhaps would produce an accurate picture of the risk. However, a business manager
in difficult situations (that is, when the risks are high) may view high risk as
temporary and therefore may not always be motivated towards an accurate self-assessment.
In other words, precisely when an accurate measurement of the operational
risk would be most useful is when self-assessment would give the most
inaccurate measurement. Risk management should do the gathering and processing
of this data to ensure objectivity, consistency and transparency.
So how is this to be done without the army of risk management personnel? First,
as described earlier, a reasonable view of the operational risk can be constructed
from the analysis of available information, business management interviews, etc.
This can be accomplished over a reasonable timeframe with a small group of
knowledgeable risk managers. Risk managers (who have been trained to look for risk
and have been made accountable for obtaining an accurate view of the risk at a
reasonable cost) must manage this trade-off between accuracy, granularity and
timeliness. Second, risk managers must be in the flow of all relevant business
management information. This can be accomplished by having risk managers sit in
the various regular business management meetings, be involved in the new product
approval process, and be the regular recipients of selected management reports, etc.
This is the same as how either a credit risk manager or a market risk manager keeps
a timely and current view of their respective risks.
A second argument often used in favor of self-assessment is that an operational
risk manager cannot possibly know as much about the business as the business
manager, and therefore a risk assessment by a risk manager will be incomplete or
inaccurate. This, however, confuses their respective roles and responsibilities. The
business manager should know more about the business than the risk manager,
otherwise that itself creates an operational risk and perhaps the risk manager should
be running the business. The risk manager is trained in evaluating risk, much like
a life insurance risk manager is trained to interpret the risk from a medical report
and certain statistics. The risk manager is neither expected to be a medical expert
nor even to be able to produce the medical report, only to interpret and extract risk
information. This, by the way, is the same with a credit risk manager. A credit risk
manager is expected to observe, analyze and interpret information about a company so
as to evaluate the credit risk of a company, not be able to manage that company. To
demand more from an operational risk manager would be to force that risk manager
to lose focus and therefore reduce their value added. Operational risk can be
mitigated by training personnel on how to use the tools associated with best practice
risk management.