The Perception and Culture of Operational Risk in the Banking Sector: Evidence From Northern Cyprus

This study aims to analyze the attitudes toward and the perception of the risk culture with regard to operational risk (OR) among Northern Cyprus (TRNC) banking sector employees working in related departments. Although most previous studies have concentrated on the measurement and management of OR, the research remains extremely limited on the perception side as well as the formation of cultural background by human resources departments. The novelty of this study lies in the fact that it investigates OR from the perspective of human perceptions and cultural development in the context of a small banking industry. In addition, via addressing the relationship between personnel structure and the prevention of ORs in small banking sectors, this study fills an important gap in the literature. For this purpose, a survey was designed and the collected data has been analyzed by using Factor Analysis. The results are gathered under eight factors where both OR perception and cultural formation were analyzed under these eight factors. The sensitivity of perception and cultural development were then analyzed by taking into account the demographic information of the respondents. The results indicate that employees working in the treasury department are strongly sensitive toward OR. Furthermore, older staff who have experienced a banking crisis are more sensitive compared with their younger counterparts. Other findings include that developments in the financial sector increase the OR, senior management appropriation decreases the OR, and an effective OR database is required. The findings of this study can potentially serve as a guide for senior executives in the banking sector in terms of policy development and applications related to internal systems, particularly in small economies.


Introduction
In 2000, the banking sector of the TRNC was affected by a substantial banking crisis and 15 banks were liquidated as they failed to fulfill their liabilities. In periods of economic turbulence, the business risks increase (Dvorsky et al., 2018). As suggested by Tripati and Ghosh (2008), the most important reasons for this crisis were loose regulations and legal gaps, poor monitoring and weak supervisory activities, delayed precautions, the sudden increase in the number of banks, insufficient capital stocks and risk arrangements, and the misuse of bank resources in favor of the main shareholders. Similar arguments, particularly with regard to loose regulations, were made by Chevallier and Joueidi (2019) in their research aimed at detecting banking bubbles. At the time of the crisis, the number of banks in operation was 37, but after the liquidation of 15 banks, the establishment of three new banks, and the merger of other banks, the number dropped to 22. As of 2019, there are 21 banks operating in the sector (The Central Bank of TRNC, 2019). Banking legislation and risk management practices were restructured after the crisis, which subsequently affected human resources and mid-level management in particular gained more importance in the sector. In recent decades, risk has become the core factor of economic life (Dvorsky et al., 2018) and the developments toward corporate governance and institutionalization as well as awareness in risk culture have significantly increased. As a result of the nature of operational risk (OR), along with the difficulties in monitoring and measuring it, three basic methods have been identified in terms of its application in the TRNC (The Central Bank of TRNC, 2019). However, only the Basic Indicator Approach is being used by the sector and the supervisory authority. The measurement is only made 963587S GOXXX10.1177/2158244020963587SAGE OpenKirikkaleli et al. once a year based on the profit and loss accounts of the banking sector. This routine has a negative impact on the sector's investment in this subject and the creation of a risk culture in terms of human resources. The establishment and sustainability of such a culture, along with improvements to the perception of human resources with regard to this subject, are considered to be essential for the prevention of OR, but this requires substantial infrastructural investment.
The complexity of OR and the difficulties in its calculation mean that it is increasingly difficult to control; hence, there is now increased focus on suitable precautions for mitigating risk. As the most important precaution is considered to be the creation of a risk culture in institutions (Buchelt & Unteregger, 2003), the main focus of this study is to measure the bank employees' overall tendencies, knowledge, and perceptions regarding this type of risk. As the literature mainly focuses on measurement methods, this study aims to make a new contribution by concentrating on the perception of employees, which is considered to be the most crucial element of risk management, particularly in small economies. The creation of an OR culture and perception within institutions is the most important way of mitigating risk (Basel Committee on Banking Supervision, 2011;Blacker, 2000). In this study, it is foreseen that, based on the employees' perception and the risk culture, the OR should be prevented rather than measured. In smaller banking sectors in particular, this can be achieved by improving the perception of the employees and establishing a certain degree of risk culture.
The diversity in the nature of OR causes problems in detecting and limiting the dimensions that are required to define it (Moosa, 2007). Although numerous international banks have launched identification initiatives, the generally accepted regulatory definition can be found in the proposal document of Basel II in June 1999, which emphasizes that OR includes legal risk but excludes strategic and reputational risk. The definition in CRDIV (Directive, 2013) (within Basel III) "means the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events, and includes legal risk" (Regulation Art. 4(52), 2013). The countries reflect these generally accepted definitions within their own regulations (Mermod & Ceran, 2011). These definitions also emphasize the difficulty of measuring OR.
The interest in OR increased after the 2000s as a result of the regulatory efforts of the Basel Committee, which subsequently led to an acceleration in the number of studies in the literature. Therefore, OR is relatively new compared to credit and market risks. Risk and loss have always been factors in business life and particularly in banking, arising from reasons such as human nature and cases of corruption, the complexity of the profession, legal processes, and information technology (IT) systems. Recently, developments that have increased the importance of OR include various forms of trade such as the incidents of substantial loss, globalization, mergers, automated technological infrastructures, online trade activities, service procurement, and the complexity of financial assets (Moosa, 2007).
It is important to highlight the fact that OR interacts with a bank's reputation and this feature affects the reporting transparency in this area; consequently, institutions are unwilling to report such risks (Sturm, 2013). OR has been associated with profitability in the generally accepted Basel II and III and if there is profit, the OR is covered by this profit. In the banking system, reserves or provisions can be easily created to cover this risk. However, in some cases, it may be impossible to cover the loss of OR with these provisions and it may even cause the collapse of the bank. The motivation of business to build up reserves is significantly reduced in crisis periods (Belás et al., 2018). Transparent reporting and the announcement of financial risk information including incidents of substantial loss and operational loss have significant importance for improving market efficiency, transparency, and corporate culture.
With reference to the resource-based approach theory, the importance of human resources' perception of OR in banking is undeniable. Barney (1991), as one of the major contributors to the development of the resource-based approach, separated resources into three types, namely financial resources, human resources, and organizational resources. The author claimed that in order for these resources to provide a competitive advantage, they should also be valuable, scarce, inimitable, and non-competitive. It is not possible to create a risk management framework unless the employees comprehend any potential undesired problems OR might cause. OR perception is a sort of control mechanism for the specified goals (Abdul Rahim et al., 2014). Therefore, in this study, we aim to measure human resource perception toward OR and the level of cultural formation in the TRNC banking sector. For this purpose, a survey with carefully formulated questions was designed to evaluate and interpret the attitudes of bank employees in relevant departments toward OR. Factor analysis revealed that human perception is affected by eight factors. The factors that were related to human perception and culture formation were then grouped for regression analysis. With respect to different departments, the results indicated that employees working in the treasury department are significantly more sensitive toward OR. This is attributed to the fact that these employees are continually in contact with their counterparts in correspondent banks. With respect to age, our results indicate that older staff are more sensitive and have developed a higher level of risk culture compared with younger employees. For example, they strongly believe in the necessity to establish an OR database, whereas the younger employees do not place as much value on such a database. This is due to the fact that older employees experienced the challenges of the banking crisis in 2000. In order to determine the specific factors that have more effect on human perception and cultural formation, regression analysis was conducted. Our findings indicate that human perception is improved due to developments in the financial system. On the contrary, culture is formed by institutionalization. In addition to contributing to the state-of-the-art OR knowledge, the findings in this article have the potential to guide senior managers in the banking sectors of small economies by providing insights about the attitudes of employees.

Conceptual Framework and Literature Review
OR has been officially used in the literature by internal auditors since the 1990s. The pioneering report on internal auditing and control was published in 1992 by The Committee of Sponsoring Organizations of the Treadway Commission (COSO; 2013). Internal control systems are composed of five integrated components, which are control environment, risk assessment, control activities, information and communication, and monitoring activities (Pakurár et al., 2019). At that time, OR was treated as a residual risk and was therefore not covered under credit risk and market risk (Power, 2003). Due to the case of investment corruption at Barings Bank in 1995 as well as the corruption involving forward transactions at Société Générale, which occurred in 2008 resulting in a loss of 5 billion euros, and other similar incidents within that period, the literature in this field developed, and the need for increased regulation and measurement arose.
According to Power (2003), "Operational risk is not a new risk . . . However, the idea that OR management is a new discipline with its own management structure, tools and processes, is new." Basel II introduced rules for measuring and management of OR that ranged from the simple to the complex methods, including incentives for capital-holding ( Figure 1) (Regulation Art. 4(52), 2013) along with reporting and publishing requirements within the framework of the third pillar. OR has now started to develop as a separate and specific area and new departments focusing on this subject have been opened.
After credit and market risks, these developments drew the attention of both academics and the audit authorities, which led to the emergence of this field of study (Barakat & Hussainey, 2013).
The Basel III document placed greater emphasis on OR and suggested that business continuity programs should be based on the concept of "risk" with the aim of maintaining the function of corporations and reducing the possibility of undesired loss in the case of unexpected and low probability but potentially significant incidents (cutback, state of emergency, crisis, or disaster). The expected characteristics of the risks that are taken into account within the scope of business continuity are the low probability of occurrence and high impact (Directive, 2013). Within this framework, effective reporting and public announcements, and the formation of internal and external databases are important in terms of both supervisory and academic perspectives (Barakat & Hussainey, 2013).
Those who are opposed to the regulations of Basel regarding the necessity to hold capital toward OR claim that OR is not systematic, it can easily be differentiated by investors and can be interpreted or perceived in different ways. However, unlike other non-systematic credit risks, OR is asymmetric and it does not have the possibility of resulting in a profitable outcome; in fact, it almost always results in damage (Cummins et al., 2005).
The most notable difference between OR and financial risks is that it arises solely as a result of engagement in an activity and is not dependent on a financial position. Also, it is highly impactful yet difficult to predict (Dima, 2009). It has come to the agenda of the financial system as a result of low frequency but high impact loss incidences (Black Swans) (Mousa, 2011). While some researchers characterize it as events arising from business-specific factors and they emphasize that it does not present any threat of systemic risk, other researchers have investigated the association between OR and macroeconomic data (Mousa, 2011). It is known that, regardless of size, the operational losses resulting from corruption in the financial sector lead to serious reputational loss and such reputational loss is not taken into consideration More complex methods need to be chosen as the size and the complexity of the bank increases.  Note. Figure 1 is inspired from the articles 315-323 of CRD IV, 575/2013 regulation. in measurement modeling (Eckert & Gatzert, 2015). Barakat et al. (2019) concluded that the loss of reputation is higher in cases where the media uses negative and strong language when announcing the OR losses. Therefore, it is emphasized that even the attitude toward risk of employees who are communicating with the public has importance. Many operational losses are based on human-related incidents and problems. Operational losses resulting from internal processes may be relatively small, but they attract the attention of the media as well as public opinion. ORs based on these kinds of irregular transactions or improper work processes become more harmful than material losses for the corporations due to the damage they cause to their reputation (Perry & Fontnouvelle, 2005).
Considering the destructive nature of OR, it is clear that only allocating capital for this is not likely to provide protection and it can have a very high cost. In this regard, the management and mitigation of OR gain importance. The management of OR requires a strong risk management framework (Mazıbaş, 2005).
Although the Basel Committee and the scope of CRD IV developed a range of strict approaches toward the identification of OR, its impact on bank activities was not mentioned. There are ongoing complex problems related to OR management in terms of practical and methodological methods regarding the interpretation of the system and the decisionmaking mechanisms. No measurement approach has been developed that measures the negative impact of OR on financial results (Daryakin & Andriashina, 2015).
The diversity of the ORs allows for various different systems of classification and definition. Basel II document provides a uniform application in the calculations of capital adequacy and it divides OR into seven categories (internal corruption, external corruption, recruitment practices and workplace safety, clients, products and loss incidents related to business processes, accidents and natural disasters, system crashes, processing, loss incidents related to delivery and process management) (Bank For International Settlements [BIS], 2004). On the contrary, Dorogovas et al. (2013) categorized the ORs under four main titles. These are the factors arising from human behavior, information systems, internal systems (corporate process), and external sources. Consequently, the efforts to separate and classify the ORs are insufficient due to the characteristics of this risk. This feature is affected by the lack of a suitable database and the scarcity of incidents that have a high impact (Ökdemir & Çelenk, 2010). Besides, there is an ongoing debate about the definition of OR. Power (2003) and Moosa (2007) reviewed the literature about OR, OR definitions, categorizations, and characteristics from a historical perspective. They concluded that even though it is the only type of risk that is institutionalized with an official description, it is highly debatable and therefore almost impossible to achieve a consensus on the issue; hence, it would be beneficial to simplify it in terms of definition, data collection, and measurement strategies. Power (2003) emphasized the fact that it is not possible to quantify it within the framework of the Basel II document. Daryakin and Andriashina (2015) conducted a comparative analysis using Bayesian modeling with income items. They highlighted the deficiencies and inadequacies of the existing models and emphasized the necessity to have qualitative and quantitative factors. Candoğan and Altan (2014) compared the OR calculation methods within the scope of Basel II and concluded that, as the method becomes more complex, the amount subject to OR and the OR capital requirements decline.
Due to globalization, the collapse of global financial firms has a significant effect on economies all over the world. Therefore, corporate governance has become more important for stability and profitability purposes. The business environment has changed dramatically and technological development, changing customer needs, regulations, and policies have increased competition in the market (Pakurár et al., 2019). Thus, the relationship between corporate governance and risk disclosure has received much more attention in the literature than other concepts. Barakat and Hussainey (2013) investigated the effects of governance, regulation, and audit on banking and Islamic Banking risk reporting and OR reporting in particular and explored whether to increase the quality of reporting, the independence of the board of directors and the activities of the audit committee should be increased and the auditors should be more proactive. Conversely, concentrating the responsibilities of the chairman and chief executive officer on the same person reduces the quality of information.
Other researchers have investigated the reputational effect of OR losses and reached valuable outcomes. Perry and Fontnouvelle (2005) analyzed 115 operational loss incidents in financial corporations between the years 1974 and 2004 in order to measure the reaction of capital markets to OR. The results showed that the market value of a company falls by more than double the operational loss that results from internal corruption, and external corruption has the same level of impact as operational losses. Furthermore, the losses are higher in companies where the shareholders have substantial rights. Herghiligiu and Cocrıs (2014) reached the same conclusion about shareholders' influences. However, in their study, OR was expected to have a negative impact on reputation and would therefore result in a plunge in profitability. While insufficient data was a limitation of their study, they stated that a significant correlation was not detected. Sturm (2013) reviewed the capital market reactions to the declaration of operational losses by European financial institutions between 2000 and 2009. He concluded that operational losses did not originate from the nature of the incident and that the impact on companies was largely determined by their structure. Banks that have higher equity capital and whose liabilities are less than their assets are less affected and he explored whether the OR has any negative impact on reputation risk.
In terms of measurement, Dima (2009) carried out a regression analysis based on 418 branches of a Romanian bank to reduce transaction-based OR and to increase the number of clients. The study suggested that the most effective way of detecting ORs is to systematically track loss incidents and record their frequency and severity as well as other necessary information. Even though this method is expensive, it has proved to be effective. On the same issue, Dorogovas et al. (2013) suggested that the measurement and management of certain risks are still problematic, particularly OR, and 52% of ORs arise from human behavior and information theft. Developing safeguard measures may protect IT systems against possible attacks. Safeguard measures are more important than detecting the last service user's profile and behavior; however, the use of a firewall may contribute to this process. Mermod and Ceran (2011) reviewed risks including OR and the capital requirements of the banking sector based on the recommendations of the Basel Committee in their comparison of Turkey, Europe, and the United States of America. They concluded that the Turkish banking sector possesses a sound and solid structure.
Some academics believe that the formation of culture is as important as measurement. Financial risk occurs everywhere and it is not possible to eliminate such risks but it should be managed using alternative methods (Shuying & Mei, 2014). According to Mazıbaş (2006) and Ökdemir and Çelenk (2010), the process of creating an OR database and OR auditing, the effectiveness of the database, and the integrity of risk management systems are closely related to the extent which the bank executive management embraces the issue by improving the control structure and the formation of culture. It is important that the determination of the management lays the essential foundation for the functioning of the systems and processes and prevents the behaviors that arise from negative motives. Erdoğan and Ülbeği (2009) aimed to provide data for the methods that will be developed for risk measurement and management by revealing the perception differences of the human resources, which is one of the most significant determinants of OR, toward various incidences that may affect risk formation. Ultimately, they concluded that the perceptions differ according to demographic characteristics. Kanagaretnam et al. (2011) studied the two cultural structures predicated on avoiding uncertainty and selfhood and their impact on risk-taking in the banking sector. Their findings suggested that banks take less risks in countries that avoid uncertainty and take more risks in countries where there is higher selfhood.

Method
This article involves a survey that was administered to employees of Internal Auditing, Risk Management, Compliance, Credit, Treasury, Information Technologies (IT), and Accounting Departments of the 22 banks operating in the TRNC. In total, 320 completed surveys were collected. Although there is no statistical data about the employees that are working in the selected departments, considering the fact that the total number of employees working in the banking sector was 3,148 as of December 2018 (The Central Bank of TRNC, 2018), the number of completed surveys is sufficient to obtain reliable results for an overall representation of the whole banking sector. Taking into account that within the TRNC banking sector, risk management/compliance, internal audit, and IT departments do not have sufficient human resources, the survey was conducted with the participation of the abovementioned departments, which are situated in the executive headquarters of the banks. It can be said that the total number of employees reached (320) is representative of the total number of employees of the concerned departments (Creswell, 2009;Saruhan & Özdemirci, 2013).
In this case, we can refer to a combination of cluster sampling, which is one of the probability-based methods, and deliberate (purposive) sampling, which is one of the non-probability-based (biased) methods (Ryzın, 1995;Tongco, 2007). Ryzın (1995) argued that cluster analysis has a number of features that make it extremely useful for purposive sampling, such as that it can provide extra information about the selection process and results can be easily generalized.
The survey was prepared referring to the scales used in the articles "A Study on OR Audit in Banks and the Banks Operating in Turkey" by Ökdemir and Çelenk (2010), "A Study on OR Perception" by Erdoğan and Ülbeği (2009) and also the authors' personal experience. A 5-point Likert-type scale is used in the survey (1-Strongly Agree, 2-Agree, 3-Neutral, 4-Disagree, 5-Strongly Disagree). At the beginning of the survey questions, the participants were asked six questions with the aim of understanding the demographic structure (age, department of duty, banking experience, education, position, the age of the bank). In total, the survey consists of 32 questions.
A pre-application test was conducted with 18 participants to evaluate and revise the inadequacies of the survey questions and any expressions that appeared to be false or incorrect. The statistical data in this research were produced via SPSS packaged software. In terms of the analysis method, Factor Analysis by the Principal Component Method, Factor (Principal Component)-Based One-Way Variance (analysis of variance [ANOVA]), and linear regression analysis were applied to the variables created as a result of factor evaluation. The Principal Components are named as "Factors" throughout this article.

Findings
Demographic Structure Table 1 shows the demographic attributes of the 320 employees who participated in the survey.
Age of the participants and the department in which they work. Approximately 79% of the survey participants were under the age of 45 and 21.2% were over 46 years. Only 4.4% of the participants were 56 or older and 44.4% were 35 or younger (Table 1). This indicates that the participants were either very young during the banking crisis in 2000 or they were not working in the sector at that time. When we consider the number of employees in terms of departments of duty, the low number of employees in the IT, risk management/compliance, and internal audit departments is noteworthy. The number of those working in internal audit departments is more than 50% less than those working in credit departments, and the number of personnel in the risk and compliance department is as much as half of accounting personnel. Before the crisis, such departments did not exist, but over time, there was no alternative other than to rely on internal risk management (Tripati & Ghosh, 2008). Hence, it is obvious that the importance given to these departments has increased.
Banking experience and education of the participants. 66% of participants had less than 15 years of experience in the sector and 11.6% had 16 to 20 years of experience. Only 22% had been working in the sector for 21 years or more, while 81.2% had a university degree or higher education qualification. Hence, although the experience of the participants was low, their education levels were relatively high.
Positions of the participants and age of the bank. In many banks, particularly the relatively small ones, departments such as internal audit, risk management, and IT are still not recognized or established as full departments and due to the fact that number of employees is low, personnel in these positions work as administrative and authorized officers. In terms of risk management, one of the disadvantages of a small banking sector is the insufficient number of personnel in these departments and the inability to develop sophisticated approaches. The number of personnel who work in the specified departments is higher in banks that have been operating for more than 20 years and lower in banks that are younger than 20 years.

Factor Analysis and Reliability
Factor analysis. Factor analysis is used to aggregate variables and to collect the co-variables under the same factor. The aim is to interpretively aggregate the variables related to OR perception and culture. Before the factor analysis was applied, the Kaiser-Meyer-Olkin Sampling Adequacy Test was conducted to test the conformity of the variables to the factor analysis. The result of this test was found to be 0.816, which is significantly greater than the threshold (0.5), indicating that the variables are suitable for the factor analysis. As a result of the chi-square test, statistic for Bartlett's Test of Sphericity, which measures the sufficiency of correlation between the variables, was found to be 2,689.045, with a p value of approximately zero. The calculated p-value is much smaller than the significance level (.05). Thus, the variables that were used are suitable for factor analysis. As a result of the varimax rotation principal components factor analysis (Büyüköztürk, 2002), which was applied to 32 variables after the prerequisites were met, the "Component Matrix" was evaluated. Out of 32 variables, 26 of them were collected under eight factors as a result of the evaluation. The total variance expressed has been reported as 64.19%. Table 2 shows the eight factors that have an eigenvalue higher than 1, along with their pre-and post-rotation values. The description value of each factor in the variance identifies the relative importance of the related factor.
The eight factors obtained as a result of factor analysis are divided into two main groups and associated with OR perception and the formation of risk culture. The factors that are classified under OR perception are those that require awareness, experience, and as a result, perception formation. Those that need corporate involvement and the initiative of the organization are classified under formation of OR culture. The two main groups are subjected to linear multiple regression analysis (Table 3).
Reliability. Cronbach's alpha analysis was used in order to test the coherence of the data and the scale obtained as a result of the survey. The test was carried out on the entire scale consisting of 32 questions and the obtained result is .884. Separate reliability tests were applied on the eight factors that were formed as a result of the factor analysis and the results are summarized in Table 4.
As the reliability in Factors 6 and 8 is below the expected minimum value of 0.7 (Saruhan & Özdemirci, 2013), the variables compiled under these factors were examined and the reasons for the incoherence of the participants' responses were investigated.

Evaluation of F6 and F8, Which Have Low Reliability Degrees
Within the framework of F6, there is a tendency to hold the auditors accountable for any corruption incident, fraudulent loss, corporate damage, and any transaction that causes material or moral loss. The different approaches on this subject taken by the auditing department and other departments in the banking sector are remarkable. Audits take place after incidents occur and they include procedures to ensure that corrective measures are taken. Auditors play an important role in ensuring that work is carried out properly and the adopted corporate governance principles are applied. Also, they detect the generally defective aspects and the mechanisms that lead to the malfunctioning. The detection of corruption depends on the type of corruption that occurs, but generally it is not an easy task to detect cases of malicious corruption. In systems where the Board of Directors do not set effective internal control mechanisms, irregular transactions occur more frequently (Rao & Ghosh, 2008). For this reason, holding the auditors primarily responsible can lead to misleading results.
Evaluating F8, the profit-oriented attitudes of management and the incentives given to mid-level executives as a result of certain determined targets can lead to a struggle for superiority and might cause misappropriation. With regard to the necessary documents that customers should submit, confidence issues arise between customers and corporations, based on the characteristics of underdeveloped societies. The clients particularly feel that the banks have a level of mistrust toward them. Income-generating departments experience difficulties with gathering detailed documentation and considering the challenges involved with application; they refrain from establishing a detailed database. The incoherence also observed in this subject should be associated with institutionalization and the form of management.

Factor Analysis in Terms of Differences in Perception
In order to evaluate the differences in perception, factorbased one-sample t-test is applied (Table 5).
In all factors, the participants responded below the test value, which corresponds to "I agree." Factors 2, 5, 6, and 7 are separated from the other four factors. In other words, the mean difference is greater than 1, so it is determined that the mean of these factors is below 2. The majority of the participants responded with values of 1 and 2 for Factors 2, 5, 6, and 7. On the contrary, the participants expressed more anxious and indecisive attitudes with regard to Factors 3, 4, 1, and 8.

Factors With Results Close to 3 (F3, F4, F1, F8)
Listed from the most indecisive, the range mentioned in the title (F3, F4, F1, F8) is formed and statistical data in Table 5 were listed as below 3 and above 3 depending on the value of 3, which corresponds to indecisiveness.
In Table 6, the responses of 154 participants are 3 or above with respect to F3 "Information about Operational Risk Quantification has been formed." It is observed that they were either unsure about the subject or they claimed that no information had been formed. There is no aggregated database available in the sector on this subject, and banks have not collected or reported data. Although the average is expected to be over 3, the value was actually 2.777. This level may be interpreted to mean that the participants preferred to stay neutral to avoid giving an incorrect answer. Even though the value for F2 "OR Database is Important in OR Quantification" was lower than 2, which means the participants clearly accepted that there is no database in the sector and they believe it is essential, their indecisiveness with respect to F3 may be related to the tendency to ignore the The targets such as exorbitant deposits/credits that are determined and directed to the branches by the top management lead to operational risk.

0.538
Note. Variables that are excluded from factor analysis. 1-The fact that the valuation of loan collaterals is not determined by taking into account the imputed costs and the current market values in the market leads to operational risk (7). 2-Capital adequacy is not an objective for BASEL, it is a tool for effective supervision systems (10). 3-Emergency Action Plans should be prepared by the auditors of the bank (23). 4-When preparing an Emergency Action Plan, the opinions of employees at all levels should be sought (24). 5-Operational risk-based audits are mostly shaped within the framework of legal obligations. 6-A position such as "Fraud Auditor" should be established at the banks (31). insufficient infrastructure. On the contrary, because there is no idea of the limits of sufficiency, this may have resulted in the need to appear perceptually sufficient. Although the results do not indicate negativity as the average is not above 3, as it is close to the value of 3, this can be interpreted as an indication that there is a certain level of awareness. In F4, which assesses whether the audits are being conducted sufficiently, although it is expected that negative results would be obtained, which means higher than 3, the results of the contextual variables suggest that a definite judgment was avoided. When the contextual variables are reviewed, it is found that there is 70% agreement (except the neutrals) with the fact that auditors are completely independent from managers, which is a relatively high rate. If the auditors are allowed to act sufficiently independently, they would go beyond legal requirements and would have the opportunity to make more advanced audit plans. Banks should have the responsibility to provide effective education and enhance the skills of the employees to achieve such an independent structure. An OR audit is a form of audit that is more specific, requires experience, and contributes to the development of prevention mechanisms (Basel Committee  Note. F denotes "factor."  on Banking Supervision, 2011). 53% of the respondents confirmed that the auditors have adequate knowledge about money laundering issues. There was almost 72% agreement that OR-based audits are only conducted to extent that legal obligations require. In short, this type of audit is only performed on a minimal basis. In fact, OR audits should be the concern of the corporations themselves rather than the supervisory authority. On the contrary, only 28.8% of the participants agreed with the statement that the supervisory authority is sufficiently leading with regard to OR management, whereas 43% were neutral and the rest disagreed. With regard to the sufficiency of OR-based studies, only 41% agreed; in other words, it is emphasized that it is not sufficient.
A majority of respondents (82%) stated that the developments in the financial system increases OR (F1); however, the fact that around 20% gave neutral or negative responses is an important indicator that shows that there are professionals who still do not have any knowledge about OR. It is recognized that ORs that cause major losses may lead to even greater reputational losses (Perry & Fontnouvelle, 2005). For that reason, attempts are made to hide banking scandals that occur on an infrequent basis from the public. It is an undeniable fact that financial developments trigger OR. Although this has been confirmed, the fact that there are neutral and negative responses show that there are problems with regard to the perception of the subject.
It is well established that top management's objectives toward institutionalization (F8) and the precautions would reduce the OR. One of the recent debates surrounding Basel is about the guidelines and thresholds of banking management and corporate governance (Neifara & Jarbouib, 2018). Despite these developments, it is observed that there is a tendency toward indecisiveness and contradiction (40%) in a significant segment of the banking sector in the TRNC. The increasing importance of suitably equipped human resources, which is the most important resource in the banking sector, and enhancements to the corporate governance structure to avoid OR should be understood. This reveals that there is a strong need to improve the OR culture within the system.

Factors With Results Below 2
The questions that are collected under F2-OR Database is Important for OR Quantification, F5-Priority Issues to Reduce OR have been Understood, F6-Importance of Audit is Understood, and F7-The Responsibilities of the Top Management have been Understood include more leading and more generally accepted components. Therefore, the beliefs and attitudes of the participants are formed in that direction. Table 7 shows that there is almost no disagreement with regard to the responsibilities of top management regarding OR.

One-Way ANOVA Tests
In the one-way ANOVA tests (used to determine whether there are any statistically significant differences between the means of three or more independent variables), the only significant differences are between the ages and factors in the context of Factor 2 and the department of duty and factors in the context of Factor 4 and Factor 6.

ANOVA test between age and factors.
In the ANOVA test conducted between age and factors, in the context of F2 "OR Database is Important for OR Measurement" a significant difference is found between those aged 20-35 and 46-55. The 46-55 age group (Table 8) has the lowest average related to this subject. This means that this age group is differentiated from the others and has the highest support for the formation of an OR database along with its measurement. Based on the research findings, Kozubikova et al. (2016) reached the same conclusion that older firms more intensively perceive the importance of financial risk. The highest average appears in the 20-35 age group. It is considered that the reason for this perception could be entirely related to the crisis that occurred in 2000, as this age group of employees started working in the sector after this period.
ANOVA test between the department of duty and factors. In Table 9, the perceptual differences between the mentioned divisions are stated.  Below 3  3  Above 3 Below 3  3  Above 3 Below 3  3  Above 3 Below 3  3  Above 3   Numbers  303  7  10  304  6  10  292  18  10  317  1  In terms of the variables that analyze F4, a significant difference is observed between the Credits and Accounting departments and the Accounting and Treasury departments. When the subject is analyzed within the framework of the data in Table 10, the responses of the Credits departments are close to the "adequately performed" statement with an average of 2.43, whereas the Treasury Departments responses are closer to the "not performed adequately" statement with an average of 2.82. This can be interpreted as relatively normal considering the fact that Treasury personnel are more conservative and have higher awareness as they are more integrated with the outside world. However, the striking outcome is related to the attitudes of employees in Credit departments, who are responsible for managing a significant proportion of the bank balance sheets. The less anxious position of Credit personnel may be attributed to the fact that in the TRNC, the banks are more inward looking, whereas Treasury personnel face more risks as they are more integrated with the international system. It is thought that the perceptual differences between Accounting and Treasury employees may be based on the same reason. The interesting result here is that although the Risk Management, Compliance, and Internal Audit departments were expected to be as sensitive or even more sensitive than the Treasury department employees, they have relatively less awareness. On the contrary, the change in IT departments compared with the other departments is undeniable because, in recent years, the increasing dependence on IT has given IT personnel extraordinary self-confidence and has made the bankers dependent on the initiative of these departments. This may be considered as a process that could lead to the creation of new ORs.
While the Credits and Accounting department personnel reached the conclusion that the importance of auditing has been perceived, the personnel in the Internal Audit departments displayed a slightly more concerned attitude (Table 11). Table 10 shows that there is a trend that confirms about a similar situation to that observed in Factor 4. The employees who conduct the audits and are therefore exposed to risks have to pay more attention to the risks they encounter when performing their duties. In fact, one of the major risks the banking sector confronts is credit risk. For that reason, the departments that extend loans should be sufficiently aware of credit risk and OR, and the credit supply processes should be determined effectively. This result shows that the Credits and Accounting departments are less equipped with regard to the perception of risk and its nature. Here, the perceptions of the Risk Management and Compliance department employees yield interesting results. The fact that risk departments are more content while Internal Audit employees are more concerned indicates a contradictory situation.

Regression Analysis
The eight factors obtained as a result of factor analysis are deliberately divided into two main groups and associated with OR perception and the formation of risk culture (Table 3). The adjusted R 2 is same and is calculated as "1" for both two regressions that performed, which means independent variables that we used (factors) hundred percent explain the dependent variable. A hypothesis test via the F-statistic was also carried out to determine whether the independent variables (Factor 1-8) were significant. In all cases, the p-value was less than the significance level. This indicates that the null hypothesis (null hypothesis H 0 : β Fi = 0, alternative hypothesis H 1 : β Fi ≠ 0, i = 1, 2, . . . , 8.) is not valid and should be rejected. Therefore, the factors and hence the model are significant in explaining the data. Note that β Fi refers to the respective regression co-efficient.
Within the context of OR management, establishing a comprehensive structure for perception is an essential yet  difficult task. This type of structure should be formed in connection with the other departments of the bank, a steady information flow and reporting infrastructure should be developed, regular reports should be provided to the board of directors, and regular controls should be applied via internal and external audits. The results of the regression analysis conducted on the OR perception are illustrated in Table 12 and it can be seen that while all related factors affect the OR perception, factors F1, F3, and F4 have the greatest effects. The developments in the financial system, OR measurement elements, and the components of the OR audit are the factors that have the most impacts on perception. It can be seen that the number of ORs is continually increasing due to the growth in financial services. It is therefore necessary to develop systems and software, despite the tendency of senior management to ignore such factors. It appears that the sufficiency of bank supervision and the competency of auditors constitute the main influencers of perception. Under these circumstances, it can be said that where mid-level management is more effective and communication channels from midlevel upward and downward is formed efficiently, the OR perception can spread throughout the corporation in a smoother way. Hence, mid-level management and effective forms of communication are vital (Flores et al., 2006). The formation of culture is a more complex and processbased concept. North (1991) defined institutions as being either formal or informal. Formal institutions are those that defined in a written format in terms of a constitution, laws, property rights, or human rights. Unofficial institutions are unwritten structures, such as taboos, traditions, religious principles, manners, and habits, which are shaped within communities over time and belong to that community.
Informal institutions provide continuity from the past and play a major role in the formation of official institutions (Casson et al., 2010). Advanced predictive OR management programs can change employee sentiments, but deeper changes are also needed at the cultural level (O'Reilly et al., 2018). The formation of culture and the establishment and settlement of written rules can be managed by transferring them to the next generations. The formation of organizational memory is of great importance as it facilitates the settlement of culture. Table 13 shows that all related factors affect the OR culture but F8, which refers to institutionalization, is the most effective. The institutionalization objectives of management are closely related to the formation of culture and it is clear that it is not possible to mention culture without institutionalization.

Discussion and Limitations
This research falls in the framework of Resource-Based Approach Theory (Barney, 1991) and studied the human resource aspect of OR. Specifically, our research concentrated on factors that affected the formation of employee perception and culture. The attitudes of employees in the North Cyprus banking sector who are more integrated in banking activities and are exposed to risks analyzed from  the perspective of employee perception of OR and the formation of a culture within the sector. It is important to note that a severe crisis affected the banking sector in Northern Cyprus in 2000. Certain reconstructive measures were put in place in the aftermath of the crisis. These measures as Power et al. (2013) stated as regulatory culture enhanced the banking sector robustness, and as a result, it was less affected by the global financial crisis of 2008. To the best of the authors' knowledge, this is the first such study to be conducted in North Cyprus. The fact that North Cyprus is a small economy with its own peculiarities makes the study quite representative and potentially valuable for other small economies.
Our findings show that there is a strong correlation between employees' attitudes toward risk perception and financial crises that impact the country in which they work. The research shows that the personnel who experienced the 2000 crises are more sensitive to and at the same time more aware of the risks. This finding is in line with the empirical findings of Richter (2013). After the 2000 crises, measures toward the institutionalization and adoption of strict regulations resulted in an improvement of OR perception. The findings of Lim et al. (2017) about the relationship between effective risk management and strong risk culture strongly support our results.
The questions that were directed at the banking employees were aimed at measuring the basic concepts of OR in empirical way as suggested by Palermo et al. (2017) and concentrated on their perceptions and the specific factors that deepen the culture in these areas (Agarwal et al., 2019). The conducted factor analysis revealed that among the many factors that affect OR, eight of the factors had a more significant influence on OR perceptions. Via the ANOVA tests, it was found that the perceptions of Factors 4 and 6 showed significant differences with respect to the department in which the employees worked. Similarly, Factor 2 showed significant differences with respect to the age of the employees.
The eight factors were divided into two main groups and associated with OR perception and the formation of risk culture. In their research, Agarwal et al. (2019) also find out that, based on the empirical studies, researchers have discussed whether risk culture is measurable and reportable and what factors have more impact on risk culture. Further regression analysis on the two groups was then carried out to determine the factors that were more important for each of the two general groups, respectively. The results indicated that Factors 1, 2, and 4 are important for OR perception. For the formation of effective perceptions, financial institutions should follow the developments in the sector such as new products and services and new techniques for OR auditing, methods of measurement and infrastructure, internal control, and reporting methods of OR (Basel Committee on Banking Supervision, 2011). On the contrary, Factor 8 indicates that the institutionalization objective of top management has crucial importance for the formation of culture, which is in line with the research of Power et al. (2013).
The results presented in this article only reflect evidence from the North Cyprus banking sector. The fact that only one country that is representative of a small economy has been studied is a limitation. Therefore, the conclusions of this study should be supported with more evidence sourced from economies and banking sectors similar to North Cyprus. This will also allow for a comparison of the attitudes of employees from different countries. It is believed that this will make the results more valuable.
The above limitation also presents a direction for future research. Similar studies should be carried out for countries with similar economies and banking sectors. A good candidate would be the Republic of Cyprus, which also underwent a financial crisis in 2011. Another direction of future research that we believe will be important comes directly from the results of the risk literature, which indicate that the prevention of OR is more important than its measurement. This finding is also supported by this study. However, prevention depends on the extent to which perception transforms into a persistent culture. We believe that studies that concentrate on how acquired perception can be turned into a persistent culture are worth pursuing.

Conclusion
Instead of mining from the reports as performed by Power et al. (2013) and Agarwal et al. (2019), this study used primary data and has determined differences in perception of OR and formation of culture by using factor analysis followed by one-way ANOVA tests. As a result of the ANOVA tests between departments and factors, a significant difference between credit, accounting, and treasury personnel has been observed. The treasury personnel are more sensitive about the subject when compared with the other two. With regard to the importance of audits, there is a significant difference between the credit, accounting, and internal audit departments. Here, another important aspect is that the perceptions of risk management/compliance departments do not differ from the credit and accounting departments. The structure of treasury departments means that they are more open to international transactions, which is accepted as an indicator that they are more sensitive in terms of perceiving risks. One of the issues to be addressed is whether the risk management and compliance departments implement their functions effectively and according to the international criteria for good practice. This is an indicator that in small banking sectors, these departments are not developed sufficiently and there is a need for active guidance from public supervisory authorities.
In the one-way ANOVA test between age and factors, there were more significant differences in the 46-55 age group compared with the 25-35 age group. As a result of the analysis, it has been determined that the 46-55 age group has the highest belief in the importance of the measurement of OR and the formation of a suitable database. This is important in the sense that it clearly shows that personnel who witnessed the crisis in 2000 are more sensitive about the subject. However, it is unfortunate that this awareness of older personnel has not been transmitted to the younger generation and it is thus hard to say that a permanent culture has been formed.
The majority of the survey participants emphasized that the main reason for OR is the lack of auditing. The results of the regression analysis confirm that the concept of auditing and the functions of the auditors are often confused. An effective audit can be preventive and act as a deterrent; however, the detection of corruption requires the creation of effective mechanisms in addition to the audit function. This finding is also consistent with the findings of Neifara and Jarbouib (2018).
Institutionalization is one of the most important factors in establishing an adequate framework related to this subject. The results for Factors 3, 4, and 1 about OR perception and Factor 8 on culture indicate that there is a significant amount of indecisive respondents. This suggests that although there are no settled, adopted concepts or detailed work about the subject or the scope of the subject in the TRNC, the participants preferred to stay neutral. However, a significant number of participants responded positively to the issue of institutionalization.
It is thus not difficult to conclude that there is a need to establish measures to improve the institutional nature of the industry (formal and informal institutions) which in turn will result in the formation of an OR culture. The formation of a culture is one of the key factors that will influence economic growth (North, 1991;Williamson, 2000).
Another finding of our study is that the participants accepted that there is a necessity to establish an effective database for OR control that can increase the awareness and lead to the formation of effective mechanisms. The perception of risk management is only possible by collecting and sharing information/data and making it a part of the corporate culture through these efforts, as stated by Flores et al. (2006).
It has been demonstrated that the auditing and reporting of the public supervisory authority about OR remain insufficient. OR is, in fact, an internal problem that should be addressed by the institutions themselves and it may be possible to prevent it by increasing the level of awareness. Therefore, it is also important to ensure that in the process of increasing awareness, the public supervisory authority fulfills its guiding duties effectively.
The participants agreed that auditors should be independent from managers. However, they also confirmed that OR audits do not extend beyond the legally stipulated requirements. The directing and guiding aspect of the supervisory authority with regard to this subject should therefore be made more effective. The subject of what is understood about the independence of the auditors should be examined in a separate study. Although it is confirmed that the developments in the financial system increase OR and the institutionalization targets of the top management reduce OR, the fact that there is a significant amount of neutral and negative views about these issues shows that there are still problems with regard to the perception of OR.

Declaration of Conflicting Interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding
The author(s) received no financial support for the research, authorship, and/or publication of this article.