Journal of Operational Risk

Marcelo Cruz

Welcome to the second issue of Volume 16 of The Journal of Operational Risk.

Since its establishment early in this century, The Journal of Operational Risk has been the most sought-after source of technical studies in the area. We are obviously very proud of the journal’s achievements and of the status the publication has achieved. There are many ways in which we could analyze the articles published in our journal to show how influential the papers and their authors have been. However, looking back at the list of authors we noticed that a significant majority are from the Americas and Europe. With that in mind, we are trying to expand the reach of the journal to the Asia/Pacific region, inviting more potential authors and researchers to submit their work and encouraging the extensive academic and practitioner community to subscribe to our publication. Our drive is just starting to show results, but we are happy to see that all the articles in this issue were either written by Asian authors or are discussing operational risk in Asia. More of this to come in the future!

In terms of the subjects that we are interested in seeing more papers about, I can say that “operational risk resilience” is one of the industry’s key interests right now, and we would welcome more submissions on this subject. In addition to resilience, we would also welcome more articles on cyber and information technology (IT) risks, and not just on their quantification but also on better ways to manage them. We would also like to publish more papers on important subjects like enterprise risk management (ERM) and everything that is included in this broad subject, such as establishing risk policies and procedures, implementing firm-wide controls, risk aggregation, revamping risk organization, etc. As I said before, we still think that analytical papers on operational risk measurement will come, but now they will have a focus on stress testing and actually managing these risks. These are certainly exciting times!

The Journal of Operational Risk, as the leading publication in this area, aims to be at the forefront of these discussions. We welcome papers that can shed light on them.

In this issue we have four very interesting research papers. You will find an interesting approach that shows a “contagion” take in assessing operational losses from an entire process in a bank. There is also an interesting paper that gauges operational risk in IT through assessing a firm’s organizational maturity, and that is followed by a paper that discusses in detail the case of a very large fat finger mistake that happened because of a lack of IT controls. We end this issue by following our tradition of showing the state of operational risk management implementation around the world, this time with an interesting study relating to operational risk disclosure and risk governance in ASEAN countries.

RESEARCH PAPERS

In the issue’s first paper, “On modeling contagion in the formation of operational risk loss”, Xiang Gao and Zhan Wang analyze the pattern of risk factor contagion in a banking process network by modeling the overall operational risk loss as the accumulation of intermediate losses incurred in different processes via network contagion across distinct processes within a bank. The paper lays the theoretical foundations for choosing a combined exponential–Pareto distribution to model the severity of operational risk by deriving, on a theoretical basis, the functional form of the operational risk severity distribution. The resulting loss severity distribution is, in theory, consistent with the parametric distribution that fits loss data best, as suggested by previous empirical works published in this journal.

In our second paper, “An approach to simultaneously assess operational risk and maturity levels in information technology management”, Hossein Moinzad, Mohammad Jafar Tarokh and Mohammad Taghi Taghavifard claim that the speed of IT development and financial institutions’ increasing dependency on these technologies for their day-to-day operations can profoundly affect the management of organizations. Due to the widespread use of IT, the increased risk of error has a significant effect on organizations. According to the authors, in order to mitigate the impacts of these risks we need to assess an organization’s maturity. Moinzad et al compare the operational risk and maturity level of IT in an anonymized financial institution against the benchmarks of the American Productivity and Quality Center (APQC) and the widely known Control Objectives for Information Technologies (COBIT). To this end, the operational risk and maturity levels of 34 IT service management processes were investigated by collecting required data from electronic forms and expert opinions. Results were obtained at three levels: the assessment of the operational risk and maturity level in the IT organization; the domains of the IT organization; and the processes. The authors’ findings show that the organization has a maturity level of 1.11 (indicating ad hoc and disorganized processes) and there was therefore a 47.9% chance of operational risk to IT management goals. The results can help managers allocate limited resources to activities, optimize the utilization of capital, reduce administrative costs and effectively use IT for growth and development.

In the third paper in the issue, “The economic cost of a fat finger mistake: a comparative case study from Samsung Securities’s ghost stock blunder”, Yongkil Ahn quantifies the economic cost of Samsung Securities’s ghost stock blunder using a synthetic control method. As the financial world becomes more computer-based, sudden price fluctuations caused by unintended human input errors appear to be occurring more frequently. Due to a keyboard input error, Samsung Securities, the Samsung conglomerate’s stock trading arm, mistakenly distributed shares worth over US$100 billion to its employees on April 6, 2018. The difficult process of finding a proper control group plagues comparative case studies. Ahn’s study overcomes this hurdle by constructing a synthetic version of the event firm. It turns out that the company lost 12.17% (US$428 million) of its pre-event market capitalization – 3000 times the direct loss incurred – due to the fat finger mistake. The results highlight the importance of developing strong controls to mitigate unintended human errors such as an incorrect keyboard input or a mouse misclick.

In our fourth paper, “Risk governance, market competition and operational risk disclosure quality: a study of the ASEAN-5 banking sector”, Etikah Karyani, Oluwaseun Kolade and Setio Anggoro Dewo investigate the impact of risk governance and market competition on banks’ operational risk disclosure (ORD) quality (voluntary or not), in the Association of South East Asia Nations banking sector. Using 285 firm-year observations encompassing the period 2010–14 for risk governance indexes, Karyani et al investigate the moderating effects on banks’ ORD quality of market competition relative to total risk governance practices. The results of the panel data analysis show that there is a substitution effect of competition, which could reduce the adverse consequences of weak risk governance practices. However, governance factors, eg, the role and independence of the chief risk officer and the risk communication system, decrease voluntary ORD quality. These findings have implications for the role of the financial regulator in using the market as an effective mechanism to replace banks’ weak risk governance, thus encouraging banks to improve their ORD quality. This study contributes to the literature by providing new empirical insights into the debates about the complementary or substitutionary role of competition policies and corporate governance practices.