2Also in this issuen Black Swans Mean Businessn How Canadian Banks haveManaged the EconomicCrisis so well
n OTC Clearing Evaluation ofthe EMIR and Dodd-FrankRegulations and their Impacton IT
n International FinancialSupervisory Convergence
I Introduction“This man, on one hand, believesthat he knows something, while notknowing (anything). On the otherhand, I – equally ignorant – do notbelieve (that I know anything).”– Socrates in Plato’s The Apologies
The notion of Socratic ignorance hasbeen a ideological theme for centuries.As the notion goes, the wise man isnot he who thinks he knows
everything, rather he who knows thathe does not know everything.
Since ancient times, this idea hasformed a common thread inphilosophy. Its application to the fieldsof economics and politics has,however, been a more recentphenomenon. As recently as 2004, inhis book Fooled by Randomness, NassimNicholas Taleb applied the idea tofinancial markets. He proposed that
the notion that financial institutionscan both fully know and fully quantifythe risks associated with theirbusinesses is a false wisdom, anarrogant oversight that has a valuedestructive effect on their businessmodels.
When, in 2007, Taleb published hisnow famous book, The Black Swan, thenotion was expanded beyondfinancial markets into the seemingly
Black Swans MeanBusiness (Part 1)Atula Abeysekera is a Chartered Accountant with 25 years corporate governance and riskmanagement experience. His has held senior positions in internal audit and risk managementat KPMG, Morgan Stanley, Fidelity Investments and Lazard. Atula is currently the DeputyChairman of the Risk Forum Committee of the Chartered Institute of Securities and Investmentsand a member their disciplinary panel. He is a member of the thinktank Bow Group Counciland, in 2011, was awarded the Freedom of City of London. In this article he describes howgovernment can better predict and manage national crises. Drawing on reforms to the waythat businesses and, in particular, banks have reformed their risk management processes, thepaper challenges the ways that the UK Government copes with so-called ‘Black Swan’ events.
Global Risk Update 2012 – Nov / Dec
2
unpredictable and devastatingevents, which impact not onlyeconomics but the security of thenation. These occurrences he called‘Black Swans’. Black Swans have nowentered into the common parlance ofbig business, with risk managersbusily deploying strategies to betterpredict and deal with the fall-out ofBlack Swans. The Boards ofDirectors of large enterprises aregradually realising not only that therisks to their business will never befully quantified but also that, in thisknowledge, they gain a competitiveadvantage by being better preparedthan their competitors to deal withcrises.
Institutions outside of the financialsphere are only just beginning to takenote of Taleb’s important theory. So asBusiness (and especially financialinstitutions) begins to acknowledgethe necessity of understanding BlackSwan events and incorporating them(as best they can) into their businessmodels, the UK Government hasstarted to lag in its thinking aroundBlack Swan risk.
Given the obvious importance to thenation of preventing national disasters,or at least mitigating their impact,what lessons can the Government takefrom the world of Business to addressthese risks and to add value to thenational security strategy?
This Bow Briefing describes the waysin which Business analyses andprotects itself from Black Swanevents. By looking in detail at recentexamples of national and internationalcrises and getting visibility on boththeir effect on the nation and howbetter risk strategies could havehelped to mitigate their effects, weargue that the Government has muchto learn. In doing so, we make severalspecific and achievable policyproposals, which we have set out onpage 6. The Government shouldembrace modern qualitative andquantitative methods of riskmanagement, as it is only with robustgovernance structures and cutting-edge risk management solutionscreated by modern enterprise that theGovernment can begin to effectivelycope with that elusive beast, the BlackSwan.
II Black SwansSometimes, from seemingly harmlesscauses come harmful effects. Whenthose effects make themselves known,it seems obvious what the cause of theeffect was; that the effect was alwaysgoing to happen.
According to Taleb, a Black SwanEvent has three keycharacteristics:
(i) it occurs outside projectedexpectations (a fat tail to adistribution curve);
(ii) it carries extreme impact; and(iii) it seems explainable after the
fact.
Consider the following recentexamples of Black Swan events withrespect to these underlyingcharacteristics.
Urban unrest (2011)
An OutlierThe independent Riots Communitiesand Victims Panel (UK) estimated thataround 15,000 people were activelyinvolved in the riots, which spreadthrough England in the Summer of2011 at alarming speed. TheGovernment showed no sign of havingpredicted the riots and, as expected,the panel concluded that the causes ofthe riots were complex and were notabout, or caused by, any single issue.
Extreme impactResources from several police forceswere mobilised to deal with the crisis.Five people lost their lives and severalbusinesses and homes were destroyed.
The Riots Communities and VictimsPanel estimated that the costs to thecountry was in the region of half abillion pounds. Given the majorimpact on police resources and thewider economic ramifications, fewwould argue that the impact of theriots was not extreme.
Explainable after the factThe Riots Communities and VictimsPanel’s interim report looked at theAugust 2011 riots in the context of theEnglish riots of 1981. The Panel notedthat “it is thirty years since thepublication of the Scarman report.The Panel is clear that the riots inAugust 2011 were very differentdisturbances to those in 1981.However, it is a sad fact that in somerespects, the underlying challenges arestrikingly similar”.
Volcanic Ash Cloud (2010)
An OutlierWhen a relatively small volcano,Eyjafjallajokull (let’s call it ‘E’),erupted in Iceland in April 2010, itejected material as high as 20,000 feet.This event demonstrated the inherentuncertainties of volcano science.Although volcanoes are far morepredictable than earthquakes, eachvolcano is unique, with each onehaving its own personality, and, assuch, predicting the timing and scopeof their eruptions is notoriously tricky.
Volcano scientists are empiricists, whorely primarily on past performance topredict future activity. However, when
Black Swans Mean Business (Part 1)
3
Global Risk Update 2012 – Nov / Dec
it came to it, their methods, whichincluded measuring the regularity withwhich E had previously eruptedproved futile. Whereas the Icelandvolcano produced only a smalleruption at first, it seems now that thecause of the second, more seriouseruption was that a vent, previouslyunknown to the scientists had openedbeneath a glacier on the volcano andthe resulting ‘soda pop’ effect proveddevastating. This phenomenon hadpreviously not been observed.
Extreme impactThe eruption of E had a significantimpact on the civil aviation industry,causing thousands of flights to becancelled and the economicdestruction that limited transportentails. The eruption also had animpact on the RAF, which had totemporarily suspend flight trainingafter ash deposits were found in jetengines. Indeed, the gridlockproduced by the cancellation of airtravel was deemed sufficiently seriousby the previous Government torequire a meeting of COBR to beconvened to discussremedial measures.
Explainable after the factWith hindsight, the scientificcommunity felt that the impact of theeruption on airspace could have beenpredicted and better prepared for.Following the event, the UN, throughthe International Strategy for DisasterReduction (UNISDR), urged
European Governments toi n t e g r a t e
volcano risk as part of their air travelpolicies and legislation. It is interestingthat now UNISDR is now working ongreater coordination and interactionbetween decision makers and thescientific community to achievemeaningful results in this field.
Fukushima power plantdisaster, Japan (2011)
An OutlierWhen the Tsunami hit in March 2011,among several devastating effects, wasthe damage caused to a nuclear reactorin northern Japan. Being an area proneto earthquakes, the Tokyo ElectricPower Co., owner and operator of theFukushima Dai-Ichi plant, had erectedsea barriers at the site to protect thenuclear reactors. The waves producedby that particular earthquake were solarge that the sea barriers proved 8metres too short to stop the resultingtsunami.
Extreme impactThe damage caused to the reactor inJapan resulted in the worst nucleardisaster since Chernobyl, 25 yearspreviously. The Japan Center forEconomic Research, a private thinktank, has estimated the remediationcosts to be in the region of $250 billionover the next 10 years. Of course, thisdoes not take into the loss of life andinjury that will ensue following theexposure of local inhabitants tomassive amounts of radiation.
Explainable after the factSince Japan’s Fukushima disaster,Électricité de France (EDF), hasallocated about £200million to protectUK reactors from Black Swan
events, such as a giant wavecreated by a collapse of an
island as far away asNorth Africa.This isemblematicof anumbero f
reactive measures taken by nations,including the United Kingdom, toprotect themselves, post 2011Tsunami from the human andeconomic cost of poor preparation.
III The Current UKGovernment Approach
The UK Government’s civil andnational security risk is currentlymanaged by the following organs ofgovernment:(i) In the case of managing
domestic emergencies, TheCivil Contingencies Secretariat(‘CCS’), established in 2004under the Civil ContingenciesAct (its executive committee,the Civil ContingenciesCommittee (‘CCC’);
(ii) In the case of protecting thecountry’s national security andother interests, the NationalSecurity Council (‘NSC’),established in 2010; and
(iii) To manage emergencies, bothdomestic and international,‘COBR (A)’, or ‘Cabinet OfficeBriefing Room (A)’, whichprovides a forum for the CCCto meet and a focal point for theGovernment’s response.
For a full description of these bodies,please take a look at our recent paper,Intelligence Design: UK NationalSecurity in a Changing World. Weprovide below, however, a briefsummary of the roles of these bodies,with particular regard to their riskmanagement capabilities.
Domestic EmergenciesIn recent years, the UK Governmenthas made a good start on firming up itsrisk management architecture. TheGovernment was one of the firstgovernments in the world to create anational risk register (‘NRR’) fordomestic civil emergencies under theCCS. The NRR documents civilemergency risks over a 5-year timehorizon including malicious risks (e.g.,terrorism) and non-malicious risks(i.e., naturally occurring events andaccidents). The National RiskAssessment (‘NRA’) for civilcontingencies is assessed annually toensure it reflects the latest evidenceand draws upon the best availableevidence and advice from subject-matter experts.
Black Swans Mean Business (Part 1)
Global Risk Update 2012 – Nov / Dec
4
The CCS Preparedness and ResponseTeam systematically and routinelyscans the short-range horizon(generally up to six months ahead) forpotential or emerging civil domesticrisks within this timeframe. CCS haslinks to departments, their agenciesand other public bodies which areresponsible for monitoring andmanaging civil emergency-relatedinformation. These channels haveensured that CCS receives timelynotification of impending events, suchevents to include wide-area flooding,suspected animal disease outbreakssuch as Foot and Mouth Disease, andhuman health threats such as the swineflu pandemic.
International EmergenciesThe NSC has adopted themethodology used in the developmentof the National Risk Register. Themethodology used involves thinkingaround the impact of an event (basedon economic consequences, casualtiesand social or structural factors) and thelikelihood of such an event occurringover a determined timeframe.
The National Security RiskAssessment (‘NSRA’) is reviewedevery two years and uses similarconcepts to the NRA processdescribed above. It involves makingjudgements about the relative impactof each risk, alongside an estimation ofthe likelihood of each risk. The NSRAprocess assesses all major disruptiverisks to the UK’s national interest,which are of sufficient scale or impactso as to require action from theGovernment.
Using 5 to 20 year horizon scanning,the NSRA identifies and analyses a fullrange of real and potential risks, givingthe greatest weight to those with theability to cause immediate and directharm to the UK’s territories. Ingeneral, a risk assessed as high-likelihood and high-impact would alsobe considered as a high priority foraction. Similarly, those risks judged tobe low-impact and low-likelihoodwould be considered lower priorities.
The management of domestic risks isoverseen by the Joint Committee ofNational Security Strategy (‘JCNSS’),which is made up of 22 members (12from the Commons and 10 from theLords). This provides a forum to
challenge conventional wisdom and tohold the organs of Government toaccount.
COBR(A)The primary function of COBR is tocoordinate the national response toboth domestic and internationalemergencies. In addition, the CabinetOffice engages proactively withcentral and local Government andother partners in preparing for suchevents by developing and testingresponse plans. The COBRmechanism is triggered byemergencies which require sustainedcentral Government coordination andsupport from a number ofDepartments and where appropriate,the devolved administrations.
Recent PerformanceComplex interdependencies inmodern societies make it more likelythat emergencies will require a largedegree of co-ordination acrossGovernment.
“... there are also unknownunknowns – the ones we don’t knowwe don’t know. And if one looksthroughout thehistory of ourcountry and otherfree countries, it is[in this] categorythat tend to be thedifficult ones.”
(Donald Rumsfeld, 2002)
The Government has made areasonable start on this. A goodexample of developments to civilcontingencies planning is the
e x t e n s i v econtingency measuresdrawn up by the Government toprepare for extreme flooding inEngland: ‘Project ExcessiveWatermark’. This was undertakenfollowing the Pitt review of the 2007summer floods, a Black Swan event.The tests concluded that England andWales has the capability to respond tosevere, widespread flood emergencies.
On the other hand, the Governmenthas not always been so proactive.Looking at the fuel protests of 2000and 2012, the Government wascompletely underprepared for theformer, and by the time the lattercame along, only reactive measureshad been taken by the Government,such as calling in the military, shouldthe drivers of petrol tankers decide tostage a national strike. Ultimately themilitary was not required, and thesepreparations were time and resourceconsuming for COBR(A) and forGovernment Departments.
The lack of strategic focus resultedfrom a failure to be proactive and morerobust architecture is needed tomitigate the effects of suchoccurrences. There is much to do, andthe world of Business and, in
Black Swans Mean Business (Part 1)
Global Risk Update 2012 – Nov / Dec
5
particular, the experiences of thefinancial sector, offers some usefulideas, which could lead to meaningfulprogress in this area.
IV Business Approaches
Recent Black Swan events such as theFinancial Crisis, the BP oil spill in theGulf of Mexico and the above-mentioned Tsunami in Japan haveprompted businesses to plan forextreme events and look again at theirrisk architecture.Complex businesses have oftendeveloped their own enterprise riskmanagement frameworks to capturethese emerging unknown risks. Theseframeworks employ forward-lookinggovernance structures and quantitativetechniques to assist in the decision-making process.
These organisations generally havegood risk management practices forspecific risks at ‘business unit’ level,but also have the ability to aggregatethese risks across the entireorganisation, sometimes applyingcorrelation factors between risks.
There are formal and informalprocesses for escalating risks throughthe hierarchy of a business but theygenerally follow a “three lines ofdefence” approach, as describedbelow:
n The 1st level of defence is theperson who identifies the risk
(whoever identifies the risk, isresponsible for managing the risk);
n The 2nd level of defence is aseparate risk managementdepartment, headed by a senior riskofficer; and
n The 3rd level of defence is theBoard of Directors (or appropriategoverning body), supported by anindependent audit function.
A risk crystallises if all three levels arebreached.
The success of the three level defencesystem depends upon goodmanagement information systems,change management controlprocedures, strategic planningprocesses, and financial reportingconventions. In addition to this, mostbusiness organisations have an annualrisk assessment review and materialand emerging risks are subjected toextensive stress testing. Should a risknot be accounted for, a remediationplan will then be implemented toreduce the risk to the organisation.
The day-to-day analysis of risk variesin its nature across industries andjurisdictions. Some industries useprobabilistic approaches such asplanning for 1 in 200 year single ormultiple events, while the others takea more qualitative approach. Sometake a combination of both. Theobjective is to have the appropriategovernance structure to identify theseevents, so that contingency plans can
be initiated, if necessary, to mitigatethe risk.
Most business organisations are awareof the dangers of ‘group think’ andthey will actively seek expertise fromoutside the industry to formulate, orat least inform, their risk strategy. Topromote this enterprise-wide riskmanagement, most Boards are alsoaware of the importance of risk cultureand the role it plays in identifying andescalating risks promptly through thechain of command.
These organisations generally have anexperienced Chief Risk Officer whoreports to a Board-level RiskCommittee. The Risk Committee isgenerally made up of executive andnon-executive directors, with anindependent director as its Chairman.The external members, who comefrom various business disciplines,provide both independent externaloversight and bring their ownexperience and expertise to bear.
Part 2: White Swans, March 2013
The author, Atula Abeysekera, invites feedbackand comments and can be contacted [email protected]
Black Swans Mean Business (Part 1)
Global Risk Update 2012 – Nov / Dec
6
Global Risk, Governance & Compliance Recruitment
Tel +44 (0)20 7638 5558 www.riskrewardsearch.comS E A R C H
Dennis Cox – CEOtelephone: +44 (0)20 7638 5558email: [email protected]
Lisette Mermod – New Yorktelephone: 1-917-310-1334email: [email protected]
