Operational and cyber risks in the financial sector
Focus
Operational risks are related to losses that could result from inadequate or failed internal processes, improper business practices, systems failures or from external events. Representing a significant portion of total bank risks, operational risks are currently second only to credit risks as a source of losses. Measuring and understanding operational risks, including cyber risks, is critical for both banks and public authorities.
Contribution
We use a unique cross-country data set from ORX, a consortium of financial institutions. The sample contains over 700,000 operational loss events from 2002 until end-2017 for a group of 74 large banks with headquarters worldwide. The granularity of the data set allows us to study the evolution of operational risks through time, compute an operational and cyber value-at-risk for financial intermediaries, document the time lag between occurrence, discovery and recognition of losses, and investigate the link between operational losses, macroeconomic conditions and regulatory characteristics.
Findings
After a spike following the Great Financial Crisis, operational losses have fallen in recent years. The spike was largely due to losses arising from improper business practices in large banks that were incurred in the run-up to the crisis but recognised only later. Operational value-at-risk can vary substantially across banks - from 6% to 12% of total gross income - depending on the method used. It takes, on average, more than a year for operational losses to be discovered and recognised in the books. However, there is significant variation across regions and event types. For instance, improper business practices and internal fraud events take longer to be discovered. Operational losses are not independent of macroeconomic conditions and regulatory characteristics. In particular, the paper shows that credit booms and periods of excessively accommodative monetary policy are followed by larger operational losses. Better supervision, on the other hand, is associated with lower operational losses. Cyber losses are still a small portion of operational losses, but can account for a significant share of total operational value-at-risk.
Abstract
We use a unique cross-country dataset at the loss event level to document the evolution and characteristics of banks' operational risk. After a spike following the great financial crisis, operational losses have declined in recent years. The spike is largely accounted for by losses due to improper business practices in large banks that occurred in the run-up to the crisis but were recognised only later. Operational value-at-risk can vary substantially - from 6% to 12% of total gross income - depending on the method used. It takes, on average, more than a year for operational losses to be discovered and recognised in the books. However, there is significant heterogeneity across regions and event types. For instance, improper business practices and internal fraud events take longer to be discovered. Operational losses are not independent of macroeconomic conditions and regulatory characteristics. In particular, we show that credit booms and periods of excessively accommodative monetary policy are followed by larger operational losses. Better supervision, on the other hand, is associated with lower operational losses. We provide an estimate of losses due to cyber events, a subset of operational loss events. Cyber losses are a small fraction of total operational losses, but can account for a significant share of total operational value-at-risk.
JEL codes: D5, D62, D82, G2, H41
Keywords: operational risks, financial institutions, cyber risks, time to discovery, value-at-risk