Welcome to the second issue of Volume 18 of The Journal of Operational Risk.
Every year, Risk.net, our online sister publication, surveys operational risk managers worldwide to see what they consider to be the top 10 operational risks. The results this year were very interesting: cyber risk in information security took top spot (up from #5 in 2022), while regulatory risk was the runner up (up from #10 in 2022). In the United States, in particular, risk managers in banks have been reporting that regulators are much more combative and that they now frequently issue fines for situations that in previous years would have only merited a Matter Requiring Attention (MRA) notice. If you work in banking, therefore, cyber risk taking top spot will come as no surprise. In the survey, cyber risk was broken down into two separate risks: information security (#1 spot) and IT disruption (#3 spot). In order to help our readers deal with cyber risk, in this issue of The Journal of Operational Risk we include a paper from a Federal Reserve regulator suggesting a methodology to better classify such risks within a financial institution. This is an interesting account that I recommend that everyone in the community reads.
The application of machine learning techniques is currently a hot topic in our industry, and we are interested in receiving more papers on the subject. In addition to papers on machine learning and artificial intelligence, we would also welcome more submissions on cyber and IT risks – not just on their quantification but also on better ways to manage these risks. We also aim to publish more papers on important subjects such as enterprise risk management (ERM) and everything that this broad subject encompasses (eg, establishing risk policies and procedures; implementing firmwide controls; risk aggregation; revamping risk organization and internal audit). We also still welcome analytical papers on operational risk measurement, particularly those that focus on stress testing and managing operational risks.
These are certainly exciting times in the industry! As the leading publication in the area, The Journal of Operational Risk aims to be at the forefront of operational and cyber risk discussions, and we welcome papers that shed more light on these topics.
In the first paper in this issue, “The information value of past losses in operational risk”, Filippo Curti and Marco Migueis argue that improving the performance of operational risk models allows banks’ management to make more informed risk decisions by better matching their economic capital and their risk appetite, as well as allowing regulators to enhance their understanding of banks’ operational risks. They show that past operational losses are informative of future losses, even after controlling for a wide range of financial characteristics. Curti and Migueis propose that the information provided by past losses results from capturing hard-to-quantify factors such as the quality of operational risk controls, the risk culture and the risk appetite of the bank. The paper makes for very interesting reading.
In “Cyber risk definition and classification for financial risk management”, the second paper in the issue, Filippo Curti is again an author and is joined by Jeffrey Gerlach, Sophia Kazinnik, Michael Lee and Atanas Mihov to discuss how to tackle the difficult issue of cyber risk. This risk is undeniably one of the most critical emerging risks for the financial industry. However, even though it is recognized as a significant threat to financial institutions, and to financial stability more generally, the lack of proper data on cyber risk losses impedes efforts to effectively measure and manage this risk. This paper addresses that information gap by suggesting a novel cyber risk definition and classification scheme for risk management purposes, to be used as a data collection template for financial institutions. The proposed scheme would ensure that the adopting institutions utilize common language, and it would allow consistent data collection and sharing. Curti et al provide a deeper dive into the reasoning behind the proposed collection of variables and give examples of how different types of cyber security events would map into their proposed scheme.
In the issue’s third paper, “Application of the radial basis function in solving an operational risk management model: investigating the probability of bank survival with risk reserves”, Mansoureh Rasouli, Mohammad Ali Fariborzi Araghi and Tayebe Damercheli develop a mathematical model for operational risk and solve it using numerical methods. In addition, by considering the impact of a bank’s probability of survival on the amount of risk reserves, they investigate the effect of fluctuation in risk reserves on an organization’s probability of survival. To complete their investigation they calculate the amount of risk storage required to achieve the desired probability of survival.
In our final paper, “Does board diversity mitigate firm risk-taking? Empirical evidence from China”, Furman Ali, Bai Gang, Zohaib Zahid, Azhar Mughal and Baqir Husnain examine the relationship between firm risk and board diversity measured in demographic dimensions (age, gender and nationality) and cognitive-oriented dimensions (tenure, expertise and education). Using data on nonfinancial firms in China for the period 2008–19, they find that total board diversity, in both the demographic and cognitive-oriented dimensions, is negatively related to a firm’s risk. The cognitive-oriented dimension is more important to the firm’s risk than the demographic dimension of board diversity. The findings of Ali et al also show that a diverse board manages risk management activities effectively and improves firm performance. These findings are found to be robust using the generalized method of moments, and they suggest that more diverse boards can improve group performance, lead to a better decision-making process and reduce firm risk.
The authors argue that past operational losses inform future losses at banks and that the information provided by past losses results from their capturing factors that are hard to quantify in other tests.
The authors put forward a definition and classification scheme for cyber risk that can be used as a template for data collection by financial institutions.
Application of the radial basis function in solving an operational risk management model: investigating the probability of bank survival with risk reserves
The authors investigate the probability of bank survival in relation to operational risk and risk reserve and calculate the amount of risk storage necessary to achieve the desired probability of survival.
The authors explore the relationship between firm risk and both demographic and cognitive-oriented board diversity.