Operational and Cyber Risks in the Financial Sector
39 Pages Posted: 3 Mar 2020
Date Written: February 2020
We use a unique cross-country dataset at the loss event level to document the evolution and characteristics of banks' operational risk. After a spike following the great financial crisis, operational losses have declined in recent years. The spike is largely accounted for by losses due to improper business practices in large banks that occurred in the run-up to the crisis but were recognised only later. Operational value-at-risk can vary substantially - from 6% to 12% of total gross income - depending on the method used. It takes, on average, more than a year for operational losses to be discovered and recognised in the books. However, there is significant heterogeneity across regions and event types. For instance, improper business practices and internal fraud events take longer to be discovered. Operational losses are not independent of macroeconomic conditions and regulatory characteristics. In particular, we show that credit booms and periods of excessively accommodative monetary policy are followed by larger operational losses. Better supervision, on the other hand, is associated with lower operational losses. We provide an estimate of losses due to cyber events, a subset of operational loss events. Cyber losses are a small fraction of total operational losses, but can account for a significant share of total operational value-at-risk.
Keywords: cyber risks, financial institutions, Operational risks, time to discovery, Value-At-Risk
JEL Classification: D5, D62, D82, G2, H41
Suggested Citation: Suggested Citation