Journal of Operational Risk

Marcelo Cruz

Welcome to the third issue of Volume 16 of The Journal of Operational Risk.

We are glad to see that the Basel changes to the calculation of regulatory operational risk capital have not stopped academics and practitioners looking for the best ways to model and measure operational risk. It is important to highlight the fact that it is very difficult, perhaps even impossible, to manage risk if you fail to measure it. The Basel rules relate only to regulatory capital, so financial institutions still need to find ways of measuring economic capital. This issue of the journal also contains an extremely interesting paper on cyber risk, which I definitely recommend reading. These are certainly exciting times!

There are certain subjects on which we would be very interested to receive more papers, with operational risk resilience being one of them. This is one of the key areas of interest in the industry, and we would welcome more submissions on the subject. We would also welcome more papers on cyber and IT risks: not just on their quantification but also on better ways of managing them. We also aim to publish more papers on important subjects such as enterprise risk management and the wide range of topics this encompasses, eg, establishing risk policies and procedures, implementing firm-wide controls, risk aggregation, revamping risk organization, etc. As I have said before, we continue to accept analytical papers on operational risk measurement, but particularly welcome those with a greater focus on stress testing and managing these risks.

The Journal of Operational Risk, as the leading publication in this area, aims to be at the forefront of these discussions. We welcome papers that can shed light on them.

In this issue we have four very interesting research papers. First, we present an approach to modeling dependency in operational losses, with an application to a real data set. The next paper analyzes the relationship between risk disclosure and economic losses. Then, we have our latest paper relating to cyber security, in which the authors demonstrate a very interesting method for assessing cyber risks. They note, interestingly, that most cyber attacks fail and cause a firm no economic loss. Our final paper offers a new method for performing stress tests in financial institutions.


In the issue’s first paper, “Nonhomogeneous bivariate compound Poisson process with short-term periodicity”, Ali Sakhaei and Parviz Nasiri present new results on the nonhomogeneous bivariate compound Poisson process with a short-term periodic intensity function. The dependence structure between margins is modeled using the Lévy copula, with its parameters estimated by the maximum likelihood method. Following our recommendation, Sakhaei and Nasiri apply their model to a set of real data on automobile insurance. Their empirical results show that the nonhomogeneous bivariate compound Poisson process with the Clayton Lévy copula is a better model for describing real data than the homogeneous equivalent.

In our second paper, “Risk disclosures in annual reports: the role of nonfinancial companies listed on the Athens stock exchange”, Fragiskos Gonidakis, Andreas G. Koutoupis, Panagiotis Kyriakogkonas and Grigorios Lazos analyze the requirement for companies listed on the Athens Stock Exchange not only to identify and manage business risks but also to inform investors regarding those risks in a timely fashion. The identification and management of risks protects businesses and creates value for shareholders and all other interested parties. In the past, countless organizations have collapsed due to irregularities and fraud, and many stakeholders – shareholders, creditors, suppliers, customers, employees and governments – have been adversely affected by these corporate failures. These failures have been attributed to the inability of senior management and boards of directors to identify the problems and risks their organizations face and to inform people in a timely manner. The effectiveness of management contributes to sound corporate governance practices. Gonidakis et al analyze the risks disclosed by all nonfinancial companies listed on the Athens Stock Exchange by applying content analysis to their annual reports from the period 2005–11.

In the issue’s third paper, “Ex-intrusion corporate cyber risk: evidence from internet protocol networks”, Bill B. Francis, Wenyao Hu and Thomas D. Shohfi claim that previous event studies of corporate cyber risk have been limited to successful attacks on public firms, and that this means that samples based on the economic magnitude of equity losses are biased by these successful cyber hacks. To address this selection bias, they construct a larger and more representative sample of cyber intrusions and find fewer negative equity market reactions (and insignificant corporate bond reactions) than prior studies. In order to identify cyber risk irrespective of a successful attack being observed, Francis et al match public firms to internet protocol (IP) network data from the American Registry for Internet Numbers (ARIN) from 1991 to 2017. They find that both stockholders and creditors incorporate external IP network size into firm value. Further, debt and equity market reactions to cyber attacks are mitigated by firms having registered IP networks or having larger network deployments. Overall, this very interesting study demonstrates an important public data source that can help institutions proxy for, and more accurately price, firm cybersecurity risk.

In the fourth paper in the issue, “Key impact deep dive (KIDD)”, Philip Umande proposes an approach for assessing extreme financial impacts in a simple and transparent manner. This proposal is based on undertaking a key impact deep dive. The paper focuses on the application of the KIDD technique to assessing extreme operational risk losses in the banking sector and within the context of estimating operational risk capital. Umande claims that KIDD has broader applications: for instance, it can be used as part of a stress test in any type of institution. Furthermore, a KIDD can be generalized and applied to other risks (eg, credit and market risk) and other impact types, such as brand damage, length of time without access to critical systems, loss of customers, staff morale, etc. Interesting reading indeed.
