Journal of Operational Risk

Welcome to the third issue of Volume 13 of The Journal of Operational Risk.

I have reached out to and spoken extensively with practitioners and researchers in the operational risk community – as well as members of our editorial board – trying to understand the impact that recent regulatory changes ending the advanced measurement approach (AMA) and creating the standardized measurement approach have had on the industry. While these conversations are ongoing, we can already see changes in the industry. For example, some banks have created new “nonfinancial risk” departments: a catch-all term for operational risk, compliance, information technology (IT) risk, reputational risk, etc. This is one of the interesting initiatives that has been observed. Operational risk modelers continue to work full time on stress testing/ Comprehensive Capital Analysis and Review modeling, and quite a few papers on this subject are in the pipeline. In my conversations with practitioners, I have also noticed tremendous interest in the quantification of cyber risk in light of the argument that it is very difficult to manage risk without measuring it correctly. It is very difficult to convince a board of directors, for example, that investments made in cyber risk are working if there is no way of measuring that risk to show the effects of the decreased risk.

From now on, we will be expecting more papers on cyber risk and IT risk – not only on quantification but also on better ways of managing those risks. We would also like to publish more papers on important topics such as enterprise risk management and everything that encompasses this broad subject, such as establishing risk policies and procedures, implementing firm-wide controls, aggregating risk and revamping risk organization. We anticipate that we will continue to receive analytical papers on operational risk measurement, but now with a focus on stress testing and actually managing such risks. These are certainly exciting times!

The Journal of Operational Risk, as the leading publication in this area, aims to be at the forefront of these discussions. We welcome papers that will shed some light on them.

PAPERS

In this issue, we have two research papers and two forum papers. It is interesting to note that these papers are the result of research that is already looking to move operational risk beyond the AMA.

RESEARCH PAPERS

In our first paper, “Forward-looking and incentive-compatible operational risk capital framework”, Marco Migueis from the Federal Reserve Board proposes an alternative framework for setting banks’ operational risk capital, which allows for forward-looking assessments and limits gaming opportunities by relying on an incentive-compatible mechanism. The author claims that the proposed approach could mitigate the vulnerability to gaming of the AMA as well as the lack of risk sensitivity in the new Basel III standardized approach to operational risk.

“Modeling operational risk depending on covariates: an empirical investigation”, the issue’s second paper, sees Paul Embrechts, Kamil Jerzy Mizgier and Xian Chen demonstrate the application of a nonhomogeneous Poisson model and dynamic extreme value theory (EVT), incorporating covariates on estimating the frequency, severity and aggregate risk measures for operational risk. Compared with a classical EVT approach, the authors claim, dynamic EVT gives a better performance with respect to the t statistic. Dynamic EVT also boasts good flexibility to different types of empirical data. The authors also include firm-specific c covariates associated with internal control weaknesses (ICWs) and show empirically that firms with higher incidences of selected ICWs have higher time-varying severities for operational risk. This methodology can provide risk managers and regulators with a tool that uncovers nonobvious patterns hidden in operational risk data.

FORUM SECTION

In 2002, a number of US financial regulators and agencies, led by the Securities and Exchange Commission, imposed the largest fines up to that time on ten investment banks and broker/dealers for publishing misleading investor information. The changes to industry structures that followed these fines were collectively named the Global Analysts Settlement (GAS), and the regulators’ remedies aimed to ensure that Chinese walls within investment banks were strictly enforced. “Operational risk: a forgotten case study” by Patrick McConnell is a historical case study of the GAS scandal and it is the first paper to analyze it from the perspective of operational risk. In retrospect, the GAS case can be seen as an example of an operational risk loss event and, in particular, a conduct risk event (as it later became known). Subsequent events, such as the manipulation of the London Interbank Offered Rate and the mis-selling of mortgages and payment protection insurance, have demonstrated that the GAS was the precursor to much larger scandals. However, at the time of the GAS, the thinking on operational risk management and capital was still being developed by the Basel Committee on Banking Supervision, and the implications of this particular scandal went largely unnoticed. Clearly, an opportunity to incorporate the lessons learned from the GAS case into wider thinking on operational risk was missed. Using Turner’s case study approach, this paper considers the GAS case from the perspective of operational risk, with a view to identifying the lessons to be learned from the scandal and then applied to future, large-scale operational risk events.

In our second forum paper, “Risk monitoring through better knowledge-based risk processes”, Amine Nehari Talet, Louay Karadsheh, Mufleh Amin AL Jarrah and Samer Alhawari claim that knowledge-based risk processes are becoming a key factor in the effective monitoring of risk. The authors state that knowledge-based risk processes as well as knowledge-based risk repositories are already extensively used in IT projects to successfully support risk monitoring. Their paper proposes a model that describes the integration of knowledge-based risks (via the processes of knowledge-based risk identification, analysis, evaluation and education) and knowledge-based risk repositories to support risk monitoring. The authors used a questionnaire to gather opinions from 135 users employed in ten IT companies across Jordan. They then applied smart partial least squares software to test their hypotheses. The findings suggest that there is a constructive effect to acclimating knowledge-based risk identification, knowledge-based risk analysis and knowledge-based risk education when improving the risk monitoring mediation of a given knowledge-based risk repository.


Marcelo Cruz