Dear Reviewer,

We thank you in advance for your comments and suggestions for our paper. We have
made adjustments and improvements to the paper based on your suggestions and
directions. Here we attach the response we did based on your suggestion.
Hopefully our paper can meet the criteria of this review process.
Thank you,
Regards.

Suggestions and Responses:

 Overall, I found the topic of the paper interesting and timely. However, I have major
concerns on it, namely the development of argument (superficial) and the depth of
analysis (insufficient), as explained below. I hope you find my comments useful to
improve your research
- Response:
Dear Reviewer,
Thank you for the positive comments and suggestions for this research.

Point 1: Page 1, line 11: the authors mention that “Examples of digital transaction system
risks are downtime and timeout services due to system failures”; on page 4, line 136,
they refer that “Some of the risks that may occur include the threat of cyber-attacks,
errors from system users (…) or service downtime (…)”  and, also, on page 4, line
147, they state that “This study focuses on operational risks originating from the
system, namely potential losses from digital transaction risks due to downtime and
service timeouts.” Since there are different types of risk, why do the authors focus
specifically on such types of digital banking risks? Valid arguments should be
provided.
- Response:
Dear Reviewer,
Thank you for your comments and suggestions, here are the responses that we have
corrected according to your directions.
We add arguments to support the reasons for choosing to focus on the types of
downtime and timeout risks. The argument is written at (Page 5 Line 187-191)
“The risks selection focuses on downtime and timeout because these risks are the
most common in the digital banking system. This is based on the system's need for
maintenance in a period that causes downtime. In addition, connection problems
often occur and interfere with transactions. If this happens, the system will timeout,
because the system loading exceeds the service level agreement time”

Point 2: Page 2, line 48: the authors state that “However, data digitization activities and bank
financial operations also create around 70% digital risk for banks.” Based on what
source(s) do the authors make this claim?
 - Response:
Dear Reviewer,
Thank you for your comments and suggestions, here are the responses that we have
corrected according to your directions.
This statement is obtained from previous studies/reports, namely:
Institute of International Finance. (2017). The Future of Risk Management in the
Digital Era. McKinsey & Company Report.
We have added the sentence stating the source of the argument (Page 2 Line 59)
“Referring to the report of the Institute of International Finance, data digitization activities
and bank financial operations also create around 70% digital risk for banks”

Point 3: Page 4, the section “literature overview” is weak and thus must be further developed.
- Response:
Dear Reviewer,
Thank you for your comments and suggestions, here are the responses that we have
corrected according to your directions.
We conducted further exploration regarding the “literature overview”. We added a
more detailed discussion related to E-Banking digital financial transactions. (Page 4
Line 167-171)

Point 4: Page 4 Line 167: the authors refer that “This research uses digital banking
transaction risk data due to downtime services and service timeouts. The nominal risk
loss data is obtained by simulating the risk data sample at one of the commercial
banks in Indonesia.” But, what time period do the data refer to? Please clarify.
- Response:
Dear Reviewer,
Thank you for your comments and suggestions, here are the responses that we have
corrected according to your directions.
We have added time period information to the data used. The sentence is added in
Page 5 Line 211-214.
“As for the initial sample data, it represents the risk of digital banking losses due to
downtime and timeouts. The sample data period is May 1, 2020 to August 31, 2020. Then
the sample data becomes material for digital banking risk simulation.”

Point 5: Page 4 Line 169: the authors state that “Banking companies as a sample cannot be
mentioned because they are protected by the Law No. 30/2000.” However,
information about the commercial bank used to obtain the nominal risk loss data, even
without identifying the bank, must be provided (e.g., bank size, as it is relevant to the
analysis of the maximum potential losses).
 - Response:
Dear Reviewer,
Thank you for your comments and suggestions, here are the responses that we have
corrected according to your directions.
We added information that describes the bank in general terms. The sentence is added
in Page 5 Line 217-220.
“The characteristics of these banking companies are in BUKU IV bank group. Based on the
Indonesian Financial Services Authority Regulation (6/POJK.03/2016), BUKU IV is a bank with
the highest core capital of at least IDR 30,000,000,000.”

Point 6: Page 10: the authors calculate de maximum potential losses in Indonesian rupiah
(IDR). Also, on page 11, line 395, they conclude that “This huge value shows the
number of potentially large losses from digital banking risks.” For a better
understanding  of the magnitude of such value, the authors should convert Indonesian
rupiah to a currency commonly used in international transactions.
- Response:
Dear Reviewer,
Thank you for your comments and suggestions, here are the responses that we have
corrected according to your directions.
We add up the conversion value of that potential loss, equivalent to USD. (Page 12
Line 448-450)
“The result of the estimation of the maximum potential loss from digital banking risk is IDR
144,357,528,750.94 or equivalent to USD 10,014,601.46”

Point 7: The discussion of results is weak. On the one hand, the theoretical narrative is not
linked with the existing literature on the subject. On the other hand, it is rather
descriptive than analytical. It should be noted that the discussion of results is critical
as it allows not only to relate the study findings to previous studies but mainly to
explain any new understanding or insights that emerged from the research developed
(i.e., strengthen the contribution of the research). Moreover, for instance, figure 3
must be removed from the “discussion” section.
- Response:
Dear Reviewer,
Thank you for your comments and suggestions, here are the responses that we have
corrected according to your directions.
We added further exploration regarding “discussion”. We go deeper into the analysis
of the potential losses of E-Banking. It can be seen in the addition of sentences that
explain the results of downtime being greater than the timeout associated with the
data. (Page 12 Lines 436-440).
Then we also add a discussion related to the comparison with the BIA method. (Page
12 Lines 470-473).
In addition, we also adjusted to remove figure 3.
  

Point 8: Page 11, line 397: the authors state that “Banks and other financial institutions must
evaluate and manage operational risk through various tools and mitigation
strategies.” However, they neither mention them nor analyse their implications.
- Response:
Dear Reviewer,
Thank you for your comments and suggestions, here are the responses that we have
corrected according to your directions.
We added an explanation of the mitigation process that must be carried out by
banking companies. The form of the mitigation strategy is described on page 12 line
453-459.
“The main strategic step is to detect potential operational risks. Collect operational risk data,
then track the losses incurred. After that the mitigation process is carried out by determining
the size of the risk as an expectation of loss. This process has been carried out in this
research. Furthermore, it is necessary to interpret the results of maximum potential losses as
a measure of reserve funds, that prepared to manage digital banking risk. So that bank
companies are ready to face possibility of risks through these mitigation strategies”

Point 9: Page 12, line 409: according to the authors, “(…) the results of this study provide a
comparison of the minimum size of operational risk capital with the Basel II
approach, i.e., the Basic Indicator Approach (BIA)” thus, why they did not make
such comparison?
-  Response:
Dear Reviewer,
Thank you for your comments and suggestions, here are the responses that we have
corrected according to your directions.
We added further discussion related to the comparison with the BIA method. (Page 12
Lines 470-475).
“The BIA formula is risk capital=Gross ´income × β , with β=15 % . The BIA formula is
very simple when compared to the EvaR formula on equation (11). BIA which uses gross
income as an indicator of operational risk exposure can be categorized as a traditional
measure. Meanwhile, the maximum potential loss value with EVaR is included in the
Advanced Measurement Approach (AMA)”

Point 10: The authors should include some limitations that they consider for the study.
-  Response:
Dear Reviewer,
Thank you for your comments and suggestions, here are the responses that we have
corrected according to your directions.
We add the limitations of this study at the end of the conclusion. (Page Line 495).
“This study still has limitations related to the exploration of digital banking risk data.”

 
Point 11: Some minor issues (list not exhaustive): Page 2, line 85, 88, 92 and 95: EVT and not
Extreme Value Theory
-  Response:
Dear Reviewer,
Thank you for your comments and suggestions, here are the responses that we have
corrected according to your directions.
We have adjusted the EVT and not Extreme Value Theory writing in the intended
sentences.

Point 12: Please revise the references.

-  Response:
Dear Reviewer,
Thank you for your comments and suggestions, here are the responses that we have
corrected according to your directions.
We have revised some references related to writing procedures