# Journal of Operational Risk

#### Editor's Letter

Welcome to the second issue of Volume 10 of The Journal of Operational Risk. I would like to start by expressing my thanks for the numerous messages that we received from the journal's subscribers and readers congratulating us on the ten years of The Journal of Operational Risk. Your support is essential to this publication and we are very grateful for it. The editorial team puts significant effort into completing every issue and we appreciate the recognition.

In the second issue of each volume, I normally comment on the latest techniques and trends presented at OpRisk USA, but this year I was unfortunately unable to attend. I did, though, have the opportunity to talk to a number of participants and speakers and got a general flavor of the discussions. One subject in particular stood out: cyber risk. A number of high-profile incidents, particularly hacking incidents, were seen in 2014, and a number of financial institutions suffered very large breaches. The reaction of banks to these breaches has been strong. JP Morgan, for example, said it would increase its information security budget from US$300 million to US$1 billion. Other banks are following suit with large increases in their investments in this area. This subject has been attracting so much attention lately that we are considering a special issue later this year devoted to cyber risk and the threat to financial institutions. Stay tuned.

I would like to invite industry practitioners to submit to The Journal of Operational Risk regarding the state of operational risk research. Again, I would like to emphasize that the journal is not solely for academic authors. Please note that we do publish papers that do not have a quantitative focus, and indeed there is an example in this issue. We at The Journal of Operational Risk would be happy to see more submissions containing practical, current views on relevant matters as well as papers focusing on the technical aspect of operational risk. In this issue we have three research papers and one forum paper.

In the issue's first paper, "Approximations of value-at-risk as an extreme quantile of a random sum of heavy-tailed random variables", Lincoln Hannah and Borek Puza study the approximation of extreme quantiles of random sums of heavy-tailed random variables or, more specifically, subexponential random variables. A key application of this approximation is the calculation of operational value-at-risk (VaR) for financial institutions, to determine operational risk capital requirements. The authors' work includes two new approximations of VaR and an extension of the model to multiple loss types where the VaR relates to a sum of random sums, each of which is defined by different distributions. These proposed approximations are assessed via a simulation study, as it is our editorial policy to always have numerical examples.

In our second paper, "A simple, transparent and rational weighting approach to combining different operational risk data sources", Alexis Renaudin and Matthew Grant deal with the very popular subject of aggregating operational risk data. They propose a generic weighting function based on a nonparametric approach that can be used to weight the different distributions, in line with the regulatory requirements under the advanced measurement approach. After analyzing the different driving factors and considering the desired sensitivities of the weights, the authors build and calibrate a weighting function to match all the necessary and relevant conditions. Their approach is very flexible while also being very tractable at the same time.

In the third paper in the issue, "Bayesian operational risk models", regular contributors Silvia Figini, Lijun Gao and Paolo Giudici write another good piece on the use of Bayesian analysis in operational risk. They claim that, if properly structured, risk self-assessment questionnaires, which are one of the most used data sources in operational risk, may provide prior opinions that can be used in a Bayesian perspective to better estimate operational risk. They propose a methodology that is able to frame risk self-assessment data into suitable prior distributions that, updated with observed loss data, can produce posterior distributions from which accurate operational risk measures, such as VaR, can be obtained. They test their proposed model on a real database composed of internal loss data and risk self-assessment data from an anonymous commercial bank. Their results arguably show that the proposed Bayesian models perform better than classical extreme value models, leading to a smaller quantification of the VaR required to cover unexpected losses.

In this issue we have one forum paper. In "Monitoring IT operational risks across US capital markets", Jerry Friedhoff and Mo Mansouri observe that, due to an increasing number of high-profile technology-related incidents across US financial markets, industry participants are focused on improving their operational IT risk management frameworks. This is reflected in the inclusion of IT risk guidelines in recent regulatory mandates, industry standards and enterprise risk management methodologies. IT risk is a key component of operational risk, mainly through two event types (or subcategories). One is the so-called Business Disruptions and System Failures type, which addresses the disruption of regular business due to system failures, while the other type is External Fraud, which covers threats from external parties trying to hack into a firm's systems and computers. Across the US financial markets domain, operational IT events have been shown to have a larger impact on the participants than IT security events or IT project failures. Within this context, the monitoring of operational IT risk across the various organizations comprising an extended enterprise such as US capital markets becomes an important element of systemic risk management for the economy. This paper suggests an approach for assessing IT risk within the operational risk context through an incident-based method for monitoring operational IT risk across an extended enterprise, based on the ISACA Risk IT framework. The proposed monitoring methodology is illustrated with an example from an extended enterprise within the US capital market. Observations about the approach are discussed and potential future research is outlined.

Marcelo Cruz

#### Papers in this issue

##### Approximations of value-at-risk as an extreme quantile of a random sum of heavy-tailed random variables

The authors of this paper study the approximation of extreme quantiles of random sums of heavy-tailed random variables or, more specifically, subexponential random variables.

##### A simple, transparent and rational weighting approach to combining different operational risk data sources

The authors propose a generic weighting function based on a nonparametric approach that can be used to weight the different distributions.

##### Bayesian operational risk models

This paper proposes a methodology to frame risk self-assessment data into suitable prior distributions that can produce posterior distributions from which accurate operational risk measures can be obtained.

##### Monitoring IT operational risks across US capital markets

This paper suggests an approach for assessing IT risk through an incident-based method for monitoring operational IT risk across an extended enterprise based on the ISACA Risk IT framework.
