REVIEW: "Operational Risk: Regulation, Analysis, and Management", Carol Alexander
- BKOPRISK.RVW 20030913
"Operational Risk: Regulation, Analysis, and Management", Carol
Alexander, 2003, 0-273-65966-9, U$59.95/C$89.99
%E Carol Alexander
%C One Lake St., Upper Saddle River, NJ 07458
%I Prentice Hall
%O U$59.95/C$89.99 +1-201-236-7139 fax: +1-201-236-7131
%P 336 p.
%T "Operational Risk: Regulation, Analysis, and Management"

In 1999, the Basel Committee on Banking Supervision (BCBS), spurred by
recent bank collapses, started working toward an Accord in regard to
risk management. The eventual Accord, also known as Basel II, was not
wholly defined, but established three points or "Pillars": that banks
establish a capital reserve somewhat commensurate with their total
risk, that risk management plans be subject to a supervisory review,
and that such plans be disclosed. Operational risk was defined as
"the risk of loss resulting from inadequate or failed internal
processes, people and systems or from external events." That sounds
oddly like what anyone else just calls risk, but bankers are primarily
concerned with what they see as separate issues: credit risk and
market risk. This book appears to be a reaction, from the banks, to
the provisions of the Accord.

It is a commonly held myth that bankers are pompous, self-satisfied,
out of touch with the real world, and fond of the sound of their own
voices. The contents of this volume will do little to dispel that
perception. There is always a problem of quality with works of
collected essays by different authors, but few of these papers seem to
be direct or useful.

Part one is about regulation, and specifically the BCBS proposals.
Chapter one outlines the provisions of the Basel Accord. Rather than
a framework for considering risk, chapter two offers random thoughts
on the matter. We finally get the definition of operational risk, and
some more detail on the BCBS risk measurement approaches, in chapter
three. Chapter four has more complaints about the Basel measures.
Chapter five does have some discussion of fraud controls, but embedded
in verbiage. Chapter six seems intent on proving that the idea of
reserve capital in risky situations is not insurance.

Part two is entitled "Analysis." Chapter seven deals with statistical
models of operational loss, with a lot of mathematics and little
practicality. The loss distribution approach (LDA), in chapter two,
is based on historical data and does not seem to consider that most
severe events, such as the Barings Bank collapse, are due to
innovation and changed conditions. Simulation is proposed in chapter
nine, but without regard to validation of the models used. Chapter
ten presents a very interesting look at economic capital, a
calculation of the amount of reserve cash that a company would need to
cover emergencies in a given year. It is seen as a useful, single
indicator of risk, and validation is appraised, but, unfortunately,
only in terms of how acceptable or convincing your figure is going to
be with the board of directors.

Part three turns to risk management. Chapter eleven presents a
scorecard process for risk assessment, but betrays a fundamental
misunderstanding of the concept by trying to get quantitative data out
of a qualitative mechanism. The operational risk management framework
given in chapter twelve is reasonable, if limited and generic, and
chapter thirteen is basically a duplication of that content. The
material on Bayesian analysis, in chapter fourteen, does finally admit
that the technique is poor at identifying risks. Chapter fifteen goes
through some examples of calculating risk, but the content is still

The material contained in this book is narrow, repetitive, and padded
out with excessive verbiage. Most of the writing is not particularly
clear. Even given the intent as a response to a particular set of
directives, the text is vague and uninformative. It adds almost
nothing to the risk management literature.

copyright Robert M. Slade, 2003 BKOPRISK.RVW 20030913