Journal of Operational Risk


Marcelo Cruz

Welcome to the third issue of Volume 15 of The Journal of Operational Risk.

Due to the pandemic, all of the conferences at which we used to meet in person to discuss the latest trends and issues in the industry have taken on a different format. This is as it should be: the important thing is to keep everyone safe and healthy. Despite the pandemic, regulators have kept working, and lately they have been very focused on the issue of operational resilience, obviously motivated by events that are currently  taking place. Regulators want to assess how resilient banks are to stress events such as pandemics, major cyber threats, etc. A few weeks ago, they issued a consultative paper that includes the need for banks to perform a dedicated stress test for operational resilience. This is a very hot topic at the moment, and at The Journal of Operational Risk we are very interested in hearing from practitioners and academics on how they think banks can tackle this important issue.

We also welcome further articles on cyber and IT risks: not only on quantification of those risks but also soon better ways to manage them. We would also like to publish more papers on important topics like enterprise risk management and everything this broad subject encompasses, such as establishing risk policies and procedures, implementing firm-wide controls, aggregating risk and revamping risk organization. As I have said before, we expect analytical papers on operational risk measurement will continue to be submitted, but they will now have a focus on stress testing and actually managing those risks. These are certainly exciting times!

The Journal of Operational Risk, as the leading publication in this area, aims to be at the forefront of these discussions. We welcome papers that can shed light on them.

In this issue, we have three very interesting research papers and one forum paper. We are continuing our tradition of exploring operational risk management implementation across the world: this time, we are in India.


In our first paper, “Does the source of information influence depositors’ withdrawal intentions during operational events?”, Sune Ferreira and Zandri Dickason Koekemoer observe that increased globalization has made South African banks more efficient and more diverse, and it has given them a chance to capture new market opportunities. However, as banks extend their global reach and grasp these new opportunities, more risk is attached. Advances in technology and the radical spur of social media have changed the manner and speed with which information flows. 

Depositors base their perceptions (which are subjective in nature) of a bank on recent information (from various sources), and they have the power to ensure or erode the continuity of a bank. Depositor intentions may differ based on their demographics, perception, risk tolerance level, or the behavioral finance biases to which they are susceptible. However, research is limited when considering how depositors react to risk based on different sources of information. With this backdrop in mind, the authors aim to identify whether depositors’ intentions to withdraw funds during operational risk events differ based on the source of information. The top three sources of information as chosen by depositors are television broadcasts, printed media and online media. Independent t-tests are performed based on whether or not depositors chose a particular source of information. Depositors will react differently (ie, will be more likely to withdraw funds) when hearing about internal fraud; faulty clients, products or business practices; or damage to physical assets and reputational events from printed media rather than from other sources of information. Concerning depositors’ intentions to withdraw during operational risk events, depositors will not act any differently when hearing about these events from a television broadcast or online media. 

In the issue’s second paper, “Evaluating cyclic risk propagation through an organization”, Mark A. Gallagher, Daniel S. Fenn and Shane N. Hall note that many large organizations have risk that propagates because of the dependencies between their various major organizational components. Their paper addresses the situation when cycles of dependencies exist in an organization or system of systems. In a 2016 article, Gallagher, MacKenzie, Blum and Boerman proposed determining component risk assessment by evaluating against future plans with respect to performance, cost and schedules. Their method aggregated various risk evaluations to an expected component risk assessment between zero and one for each future scenario. In 2020, Hall, Gallagher and Fenn presented a networked risk assessment framework that evaluates components’ risks to assess the networked risk by components and the overall organizational expected risk. They included describing a maximum likelihood method to estimate dependencies between components based on expert assessments. They also proposed three risk propagation approaches across the networked components to produce networked risk assessments: (1) the linear program approach, which transfers risk based only on the worst support; (2) the reliability approach, which uses multiplicative probabilities; and (3) the Leontief approach, which adds all direct and indirect contributing risks. In the present paper, the authors computationally investigate the sensitivities of those three risk propagation models and conclude that the reliabilityformulationisthemostrobusttovarianceinmodelinputs.Theyapplythis networked risk framework to evaluate the United States Air Force in future combat scenarios. This is an interesting study, and it is quite different from the banking ones that we are used to.

In our third paper, “Ten laws of operational risk”, Michael Grimwade sets out ten laws that govern the behavior of operational risk relating to the occurrence and detection / duration of events; the rapidity with which firms suffer losses; and the lags in crystallization of losses and internal and external drivers of concentration correlation. The author includes a causal taxonomy. The paper also considers the conservation of risk when manufacturing products; risk homeostasis (ie, control expenditure will respond to increased risk to return firms to within appetite); and the proactive taking of operational risk by firms in order to obtain fee and commission income. These laws are illustrated through the analysis of loss and financial data for thirty one current and former global systemically important banks, before and after the global financial crisis. Finally, the paper briefly considers the impacts of these laws on how firms should undertake stress testing and risk and controls self-assessments, and select predictive key risk indicators (KRIs), and also the extent to which these laws make predictions as to the outcomes of three emerging threats.


In the only paper in this section, “Quantification of regulatory capital for management of operational risk in banks: study from an emerging market economy”, K. Naveen Kumar and Prosun Chatterjee attempt to study the various methodologies used by an Indian bank in its operational risk management activities: these include loss database analysis, risk control self-assessment, and KRI identification. This study is based on both primary and secondary data on a public sector bank in India, and it helps to identify which loss event types are more frequent and severe, showing how to categorize bank branches based on their risk profiles and KRIs.

You need to sign in to use this feature. If you don’t have a account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here: