Journal of Operational Risk

Marcelo Cruz

Editor-in-chief

Welcome to the first issue of Volume 21 of The Journal of Operational Risk.

I have been the editor of the journal since it started around 20 years ago, and I have been privileged to witness the progress operational risk has made over the decades. The Journal of Operational Risk is the only peer-reviewed academic journal dedicated exclusively to operational risk, and the editorial board receives many submissions each year. As we publish one issue per quarter, each containing four papers, this means that of the many papers submitted we only select about sixteen to be published every year. I took some time, with the help of our database and artificial intelligence (AI), to analyze the main subjects published in the journal over the past six years, and I have summarized the findings in Table 1. It is interesting to see how cyber and information technology (IT) risk and AI have received increasing attention from risk practitioners, from almost negligible interest in 2020 to dominance in 2025. As the Basel IV framework proposed simple regulatory capital models to assess operational risk, it is no surprise that this subject dropped from the top subject to a more modest rank in 2025. Nevertheless, quantitative models to measure and manage operational risk have remained of consistent interest to researchers across the last five years. It is also interesting to see climate and geopolitical risk rising up the table, reflecting our increasingly uncertain times.

These changes are also reflected in this issue, which contains two papers on AI, one paper on cyber risk and one that uses models to analyze operational risk in a New Zealand bank. I hope you enjoy the issue, and please keep submitting your research.

RESEARCH PAPERS

In “Artificial intelligence in password-less authentication: bridging the gap between security and transparency”, the issue’s first paper, Nitin Bansal explores the role of AI in the adoption of password-less authentication in an Indian context. The paper investigates the intersection of AI, security and transparency, which is important when it comes to authentication systems and highlights how crucial it is to consider their social and technical aspects, particularly in emerging markets such as India. The study adopts a quantitative research design and uses primary data collected from 438 Generation Y and Generation Z respondents from India’s National Capital Region, through a self-administered questionnaire. Modeling with the partial least square structural equation modeling (PLS-SEM) algorithm reveals that AI has a significant impact on the acceptability of password-less authentication to Generation Y and Generation Z in India. These generations are tech savvy and use multiple digital services that can benefit from authentication controls, meaning that they are willing to accept AI-based password-less authentication. This study provides actionable insights for policy makers, IT developers and digital service providers in providing a secure, transparent and AI-driven password-less authentication mechanism.

In our second paper, “Improving data for managing cyber risk and building resilience”, Bryson Alexander, Filippo Curti, Jeff Gerlach and Stacey Schreft note that gaps in the data available for assessing cyber risk have limited the development of metrics that would help both the public and private sectors prevent and recover from cyber attacks and reduce systemic risk. While cyber incident disclosure rules, introduced to close the data gaps, help to some degree, they fall short in supporting the effective management of cyber risk. This paper examines the current and proposed reporting requirements, especially in the financial sector, where they are the most prevalent. It describes the data gaps that remain and discusses how moving toward a better and more harmonized cyber incident data collection rule could improve cybersecurity, reduce the risk of catastrophic cyber incidents and reduce the regulatory burden on companies that currently need to report cyber data to multiple agencies.

The third paper in the issue, “The digital sentinel: artificial intelligence and the mitigation of corporate litigation risk” by Guo Wu and Anqi Du, provides robust evidence that the strategic adoption of AI yields a net reduction in corporate litigation risk. Using firm-level data from Chinese A-share listed firms between 2008 and 2023, the authors show that AI significantly reduces corporate litigation risk and that firms with greater AI adoption experience fewer lawsuits, face reduced monetary damages and are less likely to be sued. The findings remain consistent across various robustness tests and endogeneity treatments. Wu and Du also demonstrate that AI operates through two complementary channels: an organization-improving effect, which enhances innovation proactivity, knowledge diversity and information transparency; and a cost-cutting effect, which reduces operational, management and financial constraints. In addition, the authors indicate that the risk-mitigating effects of AI are heterogeneous in terms of firm characteristics and life cycle, and they find that AI adoption corresponds to a lower probability of corporate default as well as increased managerial agility. Their findings suggest AI has benefits in mitigating litigation risk, and that it is not a replacement for human oversight but a powerful tool that empowers and enhances corporate stability and governance. The paper also highlights the implications for various stakeholders.

In the issue’s final paper, “Operational risk patterns in New Zealand banking: a clinical case study”, Carina Zhao, Lina El-Jahel and Dimitris Margaritis present a descriptive case study analyzing more than 5000 operational risk incidents from a major New Zealand bank to document risk patterns within a concentrated, dualregulated banking environment. Using incident-level data from 2007 to 2024, their analysis reveals that human factors (such as training deficiencies and procedural lapses) accounted for more than half of all recorded incidents, challenging prevailing assumptions that technology failures dominate in digitally transforming banks. Regression analysis shows that, while human errors occur frequently, they are associated with lower-severity outcomes. Process-related risks exhibit significant associations with customer, financial and regulatory impacts, whereas system failures (though less frequent) are uniquely linked to reputational damage in baseline models. This association becomes statistically insignificant when macroeconomic factors are controlled for, highlighting the contextual nature of operational risk dynamics. Incident patterns evolved alongside key regulatory reforms, including New Zealand’s Financial Markets Conduct Act 2013 and Financial Markets (Conduct of Institutions) Amendment Act 2022, though these temporal correlations do not imply causation. The authors find that approximately 80% of incidents originated from front-office functions, particularly within practices relating to clients, products and business, underscoring concentration in customer-facing processes. The authors’ forensic review of around 400 material incidents identifies six operational risk concentration areas: documentation verification, customer engagement, compliance processes, fraud prevention, payment processing and data management. These areas represent priorities for future risk mitigation. As one of the first studies to use incidentlevel operational risk data from a live banking environment, Zhao et al’s research provides rare empirical evidence in a data-scarce domain and establishes a replicable approach for confidential case studies in concentrated banking markets.