The failure of firms to take an integrated view of their risk positions in the lead-up to the financial crisis was a costly mistake for the banking industry. Just as credit and market issues were found to impact liquidity, operational risk failures were severe enough to damage reputations and trigger concerns about credit and liquidity risk.
Those stark lessons have broadened the scope and stature of operational risk, says Dan McKinney, New York-based operational risk lead partner at consultancy EY. This has occurred alongside a more gradual transformation in how banks manage their non-financial risks, which has been driven by increased regulatory and public scrutiny. "If you look back 15 years, you would see a very different profile of operational risk management leaders and size of their teams," he says. "I don't think people truly appreciate how much the discipline has changed, but that's because it has happened slowly over time."
EY's financial risk practice – a 3,500-strong team boasting backgrounds across risk, business, regulatory, technology and data analytics – has kept pace with the trajectory of the operational risk discipline, an achievement that has helped it win Operational Risk's award for consultancy of the year. The consultancy takes an enterprise-wide approach to support firms as they enhance their systems and control frameworks or carry out regulatory remediation programmes, in order to better cover sub-categories of op risk including cyber security, vendor risk, corporate governance, conduct risk, GRC (governance, risk and compliance), and risk culture.
McKinney says that while sub-topics such as cyber risk may have been owned in the past by other areas of the firm, such as IT, chief risk officers are now also sizing them up, alongside the work of their firm's chief information security officers. "There probably isn't a single risk committee not asking questions about cyber right now," he says. "Firms are realising that it's not just the size of the fine or how much money you could lose due to a control failure; it's the reputational damage that can have a significant and lasting impact. And so it's these events that impact the public perception of the institution that are really getting the board's attention."
The breadth and size of EY's team allows it to tackle projects that require multiple skill-sets from different disciplines. "It's something we've worked hard at," says McKinney. "We make sure we look broadly across our skill-sets to ensure we have the right skills, no matter what team our consultants may technically come from. If we approached our clients with our blinders on – that the client is the head of operational risk and this is therefore an operational risk issue – we would not be doing our best for our clients. We really look at how the problem extends to other risk types and try to make sure we bring the right skills to bear."
The approach extends to setting risk appetite, too, with EY working with clients to assess how their unique operational risk, market risk and credit risk exposures and appetites tie together as part of a consistent and comprehensive risk appetite framework. That means team members dedicated to operational risk management often work closely with those more focused on enterprise risk management, and can cross into both disciplines when called upon. They could also find themselves working alongside the portion of the EY credit risk team predominantly focused on the annual stress tests carried out by the US Federal Reserve – formally known as the Comprehensive Capital Analysis and Review – because of the operational risk element now included in this.
As they work closely with all levels of an organisation, EY consultants are able to keep an eagle-eye on risk management trends as they develop, many of which are occurring in the operational risk space, McKinney says. For instance, while op risk managers have long used scenario analysis and market simulations for capital modelling purposes, managers are realising that more qualitative risk management frameworks can also benefit from the same form of review, and are asking consultants for advice on how they should tackle such an opportunity.
Another new tool can be found in advanced data analytics. The continual flow of real data points stemming from a bank's processes, indicators, metrics and loss data can be used to help clients to unearth trends and patterns in a firm's risk and control self-assessment, for instance, which helps to nurture an enterprise-wide view.
McKinney says that a growing number of firms are also realising they can leverage their operational risk programmes to identify and define processes for regulatory pressure points such as recovery and resolution planning and risk programmes for cyber security or outsourcing services to third parties.
"Operational risk can add value by looking across the firm, front-to-back, to identify hand-off points and dependencies and potential weaknesses," he says. "You're not just simply rolling out a framework any more. You're actually using the framework, the data, to drive risk management decisions."