Journal of Operational Risk

Welcome to the fourth issue of Volume 14 of The Journal of Operational Risk.

As a result of the recent Basel III rules, we are starting to see changes in the profile of the papers being submitted to the journal. In this issue, we have two very interesting papers covering conduct risk and cyber risk. There are very few studies on the measurement of these risks, and we are proud to be at the cutting edge again by publishing papers that will open up discussion of these two subjects, which are a key focus of chief risk officers, chief operational risk officers, chief executive officers and boards of directors. We also provide a noteworthy paper on the impact of enterprise risk management (ERM) in Serbian companies.

We are expecting to receive more papers on cyber and IT risks in the future: not only on quantification but also on better ways to manage those risks. We would also like to publish more papers on important topics such as ERM and everything this broad subject encompasses: establishing risk policies and procedures, implementing firmwide controls, aggregating risk and revamping risk organization. As I have said before, we expect that analytical papers on operational risk measurement will be submitted, but they will now have a focus on stress testing and actually managing those risks. These are certainly exciting times!

The Journal of Operational Risk, as the leading publication in this area, aims to be at the forefront of these discussions. We welcome papers that can shed some light on them.
In this issue, we have three research papers and one forum paper.

RESEARCH PAPERS

In our first paper, “Estimation of value-at-risk for conduct risk losses using pseudo- marginal Markov chain Monte Carlo”, Peter Mitic and Jiaqi Hu propose an analytical model for conduct risk, one of the most prevalent operational risks these days. Conduct risk loss databases are usually composed of a small number of extremely large losses and a more numerous contingent of smaller losses. One special characteristic of these large losses is that they are usually provisions of sums that will be paid to several customers over a period of time, with all of the payments being due to the same loss event in which the financial institution had a conduct issue and harmed a number of customers. The authors use the pseudo-marginal (PM) Markov chain Monte Carlo method to decompose the largest loss into smaller partitions in order to estimate 99.9% value-at-risk (VaR). This partitioning is conducted in a way that makes no assumption about the size of the partitions. The advantages and
disadvantages of using this method are discussed. PM procedures were run on several representative data sets. The results indicate that, in cases where using approaches such as calculating a Monte Carlo-derived loss distribution yields a result that is not consistent with the risk profile expressed by the data, using the PM method yields results that have the required consistency.

Our second paper, “Measuring expected shortfall under semi-parametric expected shortfall approaches: a case study of selected Southern European/Mediterranean countries” by Nikola Radivojevic, Borislav Bojic and Marija Lakicevic, offers an investigation of the applicability of semi-parametric approaches for estimating expected shortfall. The authors examine the applicability of several models based on the historical simulation (HS) approach: one based on untransformed historical data, and others based on transformed historical data. Their research shows that the HS models based on certain transformed historical data can reliably be used for the estimation of market risk in terms of the Basel III standards. This investigation was conducted on the capital markets of selected Southern European/Mediterranean countries and those of Serbia and Ireland. The authors’ backtesting results were verified using Monte Carlo testing and the bootstrap method.

“Cyber risk management: an actuarial point of view” by Maria Francesca Car- fora, Fabio Martinelli, Francesco Mercaldo and Albina Orlando, the third paper in the issue, finds its authors tackling the subject of cyber risk measurement, which has emerged as one of the top challenges in risk management. Insurance has only recently been applied to the cyber world, and it is increasingly becoming part of the risk management process, posing many challenges for actuaries. One of the main issues in this field is the dearth of loss data that actuaries need to perform their calculations. This paper points out the peculiarities of cyber insurance contracts compared with classical nonlife insurance contracts from the perspectives of both the insurer and the insured. The main actuarial principles that are fundamental to any valuation in a cyber context are discussed. An illustrative example is proposed where the Chronology of Data Breaches data set provided by the Privacy Rights Clearing House is analyzed in depth. The most suitable distributions to represent the frequency and severity of the reported cyber incidents are examined and the VaR measure is estimated. Then, two exemplifying cases offer an assessment of both the premium required by the insurer and the indifference premium the insured is willing to pay. Despite certain limitations, this research could offer useful information on this particular kind of insurance policy.

FORUM SECTION

Finally, we have one paper in the forum section of this issue. In “The impact of enterprise risk management on the performance of companies in transition countries: Serbia case study”, Marija Panic, Milica Velickovic, Danijela Voza, Zivan Zivkovic and Zuzana Virglerova claim that the market position of a company influences its performance. In hazard conditions, all the factors that determine a company’s market position and business are exposed to risk. An effective program of ERM decreases the level of risk and improves company performance. ERM is a process that identifies and evaluates all potential losses that can occur in business organizations and selects techniques that can mitigate and prevent such losses in accordance with the requirements of International Standard ISO 31000. The paper defines seven hypotheses, on the basis of which a theoretical model is developed to examine how different sources of enterprise risk affect the operational performance of Serbian companies and their risk of losing market position.

Marcelo Cruz