Welcome to the second issue of Volume 14 of The Journal of Operational Risk.
At a recent staff meeting, we were looking back at the papers we have received over the past year or so and were extremely happy to realize that we are probably having one of our best years in terms of quality. After the Basel Committee on Banking Supervision removed the advanced measurement approach (AMA) as an option for banks, we thought that practitioners and academics would rethink their research priorities. So, we are absolutely delighted by the number of quality papers we are continuing to receive, and those featured in the present issue are no exception. We have one paper on cyber-risk measurement, which has become a hot topic in the operational risk industry, and another on insurance pricing for mitigating operational risk, which is also an area of growing interest for many banks.
From now on we are expecting to receive more papers on cyber and IT risks, and not only on quantification but also on better ways to manage those risks. We would also like to publish more papers on important topics such as enterprise risk management (ERM) and everything that encompasses this broad subject: establishing risk policies and procedures, implementing firm-wide controls, risk aggregation, revamping risk organization, etc. As I have said before, while we still expect to receive analytical papers on operational risk measurement, they are now likely to come with a focus on stress testing and actually managing those risks. These are certainly exciting times!
The Journal of Operational Risk, as the leading publication in this area, aims to be at the forefront of these discussions, and we welcome papers that will shed some light on the issues involved.
In this issue, we have three research papers and one forum paper.
In our first paper, “Estimation of losses due to cyber risk for financial institutions”, Antoine Bouveret analyzes the main characteristics of cyber attacks and identifies patterns using correspondence analysis and traditional operational risk measurement techniques. The paper applies the loss distribution approach to a cyber-loss data set and finds that the distribution of losses due to cyber events has a heavy tail (like most operational risks) and is best modeled by a generalized Pareto distribution. The risk measures are derived under different scenarios, and it is shown that the estimated losses are substantially larger than the size of the cyber-insurance market. The results of the author’s analysis emphasize the need to improve the modeling of cyber risk from an operational risk perspective.
“Sample dependence of risk premiums”, the issue’s second paper, sees Erika Gomes-Gonc¸alves, Henryk Gzyl and Silvia Mayoral tackle the problem of finding an acceptable method for pricing operational risk in the event a bank buys an insurance product to mitigate or hedge against the impact of potential operational risk losses in its operations. The price of these insurance products hinges on the computation of risk premiums, which involves the calculation of expected values with respect to the loss distribution. When the empirical data set is not large enough and loss distributions are inferred from the data, a large sample dependence of the premiums on the data is to be expected. The maximum entropy-based methodologies offer model-free, nonparametric procedures to determine probability densities from empirical data with high precision. At the same time, these methodologies provide the authors with a framework within which to study how the sample dependence is transferred from the data to the premiums via the density. The authors show how this can be done.
Dany Ng Cheong Vee, Preethee Gonpot and T. V. Ramanathan review some of the existing methods used to quantify operational risks in the banking and insurance industries, such as extreme value theory and copula modeling, in our third paper: “Quantification of operational risk: statistical insights on coherent risk measures”. The authors explore the possibility of using a coherent risk measure, expected shortfall (ES), to quantify operational risk. The suitability of the suggested risk measure is investigated with the help of simulated data sets for two business lines. The generalized Pareto distribution is used to model the tails, and three distributions – lognormal, Weibull and Gamma – are used for the body data. The results obtained show that the ES numbers under all three distributions tend to be significantly larger than the value-at-risk, which may lead to overestimating the operational loss and consequently overestimating the capital charge. However, the modified ES seems to provide a better way of mitigating any overestimation.
We have one paper in the forum section in this issue. In “The operational risk disclosure practices of banks: evidence from India and Romania”, Muneesh Kumar, Harshmeeta Soni and Mihaela Mocanu continue a tradition in this journal of reporting on the status of operational risk in different parts of the world. On this occasion the authors focus on the disclosure of information by banks in India and Romania, claiming (rightly) that it is beneficial to the stability of the financial system. They state that operational risk disclosures are particularly important because operational losses may affect not only the financial bottom line but also the reputation of a bank. This paper compares the levels of operational risk disclosure in the banking industries of India and Romania by developing an unweighted disclosure index with forty-three items, using data collected from the 2015 annual reports of all commercial banks in India and Romania. The authors then perform a regression analysis to investigate the extent to which banks’ characteristics affect the level of operational risk disclosure in these two countries. The results of their analysis reveal a similarly low level of information disclosure in both countries: namely, an overall index average of 27% in the case of India and of 29% in the case of Romania. These results are surprising as India’s culture appears to be more inclined toward transparency than Romania’s. Their study also points toward a positive association between bank size and the level of operational risk disclosure.
The objective of this paper is to analyze cyber risk from an operational risk perspective and to measure cyber risk empirically.
This paper discusses the framework within which to study how sample dependence is transferred from the data to the premiums via the density.
In this paper, the authors review some of the existing methods used to quantify operational risks in the banking and insurance industries.
This paper compares the levels of operational risk disclosure in the banking industries of India and Romania.