Journal of Operational Risk

Marcelo Cruz

Editor-in-chief

Welcome to the third issue of Volume 19 of The Journal of Operational Risk.

As readers will be aware, a significant operational risk facing large banks today is cyber risk. Cyber security threats have been exacerbated by advancements in artificial intelligence (AI), which is increasingly used by cyber criminals to develop more sophisticated and targeted attacks, such as phishing schemes, automated malware and ransomware attacks. These AI-powered cyber threats are often faster, harder to detect and more difficult to defend against than their non-AI counterparts, as they can quickly adapt to bypass traditional security measures. Large banks, which rely on digital systems to store sensitive customer data and facilitate transactions, are especially vulnerable. In addition, as banks adopt their own AI-driven tools to streamline operations and analyze data, they face the challenge of protecting these AI systems from manipulation and misuse. These challenges, combined with the rise in remote work and mobile banking, which has widened the attack surface, require banks to invest heavily in advanced cyber security protocols, threat detection and employee training. Banks are now focusing on integrating AI-driven cyber security defenses, but the race to stay ahead of cyber criminals remains critical. This issue contains three papers that cover these ongoing operational risks, and they offer some ideas on how to tackle AI-driven cyber security challenges. The issue also includes a Forum paper as a thought piece to encourage analytical research.

As well as more articles on AI (particularly its use in crisis management research; see the paper by Lei et al in this issue) and quantifying and managing cyber and IT risks, the editorial board would be interested to see papers submitted in other areas, including applications of machine learning (ML) techniques as well as enterprise risk management (ERM) and everything this broad subject encompasses (eg, establishing risk policies and procedures, implementing firmwide controls, risk aggregation, revamping risk organization, internal audit). Analytical papers on operational risk measurement are also welcome, particularly those that focus on stress testing and managing operational risk.

These are certainly exciting – maybe even worrying – times! The Journal of Operational Risk, as the leading publication in this area, aims to be at the forefront of OpRisk discussions and we welcome papers that shed light on all of the above topics.

RESEARCH PAPERS

In the first paper in this issue, “Cyber risk assessment model for information assets: a tailored approach for the financial and banking sector”, Amir Schreiber and Israel Waismel-Manor explain how modern technological advancements have significantly impacted how financial institutions operate, while the intensity and scale of cyber threats have escalated, and cyber hackers are now capable of increasingly diverse and sophisticated attacks. With limited resources, it is increasingly difficult to effectively manage cyber security and discern which information assets need increased protection. Updated regulations demand effective methodologies for identifying and classifying such assets. However, current methods, often not being tailored to the financial sector’s specific needs, can neglect information asset evaluation, can be one dimensional, can struggle with large inventories and can focus solely on technical aspects. Considering this environment, Schreiber and Waismel-Manor present a systematic, holistic and user-friendly adaptive model specifically designed for assessing information assets and their cyber risk in the financial and banking sector. Through a detailed case study involving the application of their model to a substantial asset repository, they demonstrate a powerful reduction mechanism. After the application of their model, only 13% of information assets out of the total inventory were classified as high or very high risk. Their approach is thus effective at identifying those information assets that require resource allocation for significantly enhanced resilience against cyber attacks, underscoring the model’s efficiency and practicality in prioritizing cyber security efforts. It thus contributes to the wider benefit of society by safeguarding sensitive financial data, which is essential for both individual security and economic stability.

The issue’s second paper, “A qualitative study of operational resilience in financial institutions” by Sharada Iyer, George del Hierro and Indira Guzman, highlights that global systemically important banks (G-SIBs), such as investment banks, retail banks and insurance companies, can cease to perform their critical functions when faced with major disaster events. Such events (eg, widespread technology outages, cyber attacks and global pandemics) can have a far-reaching impact, threatening the viability of these firms, as seen in the 2007–9 global financial crisis. New regulatory requirements put forth by the Bank of England, which are due to be implemented by March 2025, need G-SIBs to ensure they have sound operational resilience practices in place for their business services. Similarly, the regulatory requirements of the Basel Committee on Banking Supervision (Basel III) came into effect in January 2023, and enforcement is due to be phased-in by 2028. While the concept of operational resilience is not new, companies have traditionally approached it separately and as needed for specific business functions. The new requirements necessitate G-SIBs to look at sustainable solutions more holistically to protect their end customers and shareholders. Iyer et al’s study leverages survey-style qualitative research methodology to gather candid and pragmatic feedback from a sample of 21 G-SIB employees to formulate recommendations for this specific aspect of the regulatory requirements.

In “Artificial intelligence in crisis management: a bibliometric analysis”, our third paper, Siyu Lei, Shuang Wang and Yiwen Tuo observe both that AI has gained increasing attention in the realm of crisis management research and that AI provides solutions for firms to better anticipate, address and learn from adversity to achieve sustainable growth and boost competitiveness. However, the research in this area remains fragmented and lacks adequate integration. To address this gap in the literature, the authors conducted a bibliometric analysis to illustrate the intellectual structure and research trends of AI in corporate crisis management, using a sample of 81 academic papers in the management and business fields. They found that the enabling role of AI in crisis management extends from firms’ internal organization to external environments, culminating in predictive and integration empowerment. Lei et al also discovered that there has been an increasing focus on human–computer interaction throughout AI’s evolutionary trajectory. Stemming from their analysis, they propose several future research directions to help scholars to address the gaps in the literature.

OPERATIONAL RISK FORUM PAPER

In the issue’s fourth paper, “Unraveling Lebanon’s financial crisis: the path from promise to peril, delving into a risk strategist’s own experience”, Mohammad I. Fheili examines the path leading to Lebanon’s ongoing financial crisis, which began (or at least became evident) in 2019. He analyzes the key risk factors that led to the disintegration of its once prosperous banking sector and offers a thorough review of the crisis, delving into its origins and presenting actionable recommendations to rebuild trust and stability. Key issues Fheili highlights include Lebanese banks’ heavy reliance on government debt, governance failures eroding public trust, and inherent weaknesses in the Lebanese banking model, such as deposit dependence and inadequate risk diversification. This paper advocates for Lebanon’s banks to adopt modern practices, critiquing the false perception of banking sector health, regulatory failures and operational risks due to poor governance. It also discusses the role of regulatory bodies such as the central bank and the financial intelligence unit in perpetuating risky behavior. The author proposes that a shift toward responsible lending practices, emphasizing the asset life cycle over the credit approval process, is vital for navigating the crisis and rsecuring long-term financial stability.