Consultancy of the Year: Deloitte

The introduction of the Basel Committee’s standardised measurement approach (SMA) to operational risk is still more than three years away, but it represents a fundamental change to what is still a relatively new discipline. Deloitte, already recognised as one of the best consultancies in this particular field, is heavily focused on both the challenges and opportunities arising from the SMA.

“This shift has major implications for banks’ internal loss data, but it could also be used to derive business value and risk management insight. Investment that institutions have made in operational risk loss databases can be leveraged in the new environment. With historical data on internal losses, banks will be better positioned to capitalise on advanced capabilities like big data analytics, machine learning, correlation and root-cause analysis,” says Nitish Idnani, managing director in regulatory and operational risk at Deloitte.

Historical loss data can be used to predict future risks and help banks to identify patterns that could reduce losses in the future, he suggests. Strong risk management should be considered a source of competitive strength rather than purely a back-office requirement.

“Forward-looking institutions have the opportunity to view risk as an enabler to power enhanced performance. Boards can enable, and encourage, this shift in mindset without giving up their stewardship role or losing their focus on the long-term stability and performance of the institution,” Idnani explains. 

Deloitte’s expertise across multiple areas – ranging from op risk capital to cyber risk and data privacy – has put it in a strong position in the operational risk industry. Cyber risk is an area where the firm is seeing rising demand for its expertise, and while there may be no such thing as ‘perfect’ security, strength of systems, vigilance and resilience are considered critical.

Forward-looking institutions have the opportunity to view risk as an enabler to power enhanced performance

Nitish Idnani, Deloitte

“Being secure means an organisation has implemented administrative, technical and physical capabilities and solutions to help prevent a cyber-security incident,” says Dan Frank, principal in cyber risk at Deloitte.

“We advise organisations to also be vigilant, meaning they have implemented capabilities to detect when they have had a cyber incident as quickly as possible to help minimise its potential impact. Being resilient means an organisation has implemented capabilities to mitigate the impact of a cyber incident, not solely as a cyber security function but as a business,” he continues.

Deloitte’s specialism in cyber risk provided a strong platform to serve clients ahead of the European Union’s General Data Protection Regulation, which came into force last month. “A pragmatic, risk-based approach has always been a fundamental aspect of our approach to cyber risk — and we have treated GDPR no differently,” says Frank.

“Perhaps the most important thing in the event of a GDPR-related incident or inquiry is to be able to demonstrate that controls were designed, implemented and intended to prevent the incident from occurring, and that controls and resolution monitoring were assessed periodically,” he adds.

Deloitte’s approach to operational risk is deliberately forward-looking, aiming to incorporate technology to identify increasing risks beyond pre-defined thresholds.

“It is about combining traditional operational risk management tools with a deep understanding of our clients’ businesses and new technology to get to continuous risk monitoring, and driving the necessary management action to reduce unacceptable risks and support the achievement of business strategies,” says Idnani. 

Model risk

Elsewhere, Deloitte’s SR 11-07 programme provides support to financial institutions in model risk management (MRM), which has helped to mitigate model risk across divisions.

“Financial institution clients have navigated the strictest MRM regulatory environments, reduced their model risk levels, and achieved efficiency, scale and sustainability in their MRM lifecycle,” says Clifford Goss, partner in financial services industry regulatory and operational risk at Deloitte.

“In particular, Deloitte has helped financial institutions [to] manage resource challenges in model development and model validation by delivering large, end-to-end projects and offering a variety of staffing arrangements, such as co-sourcing, managed services and staff augmentation,” Goss explains.

Deloitte has also been closely involved with banks in their work relating to the European Central Bank’s Targeted Review of Internal Models (Trim), which aims to improve consistency in modelling and reduce the variability of risk-weighted assets.

“Banks are increasingly using methodologies such as robotic process analysis, text mining and machine learning in their model development, governance and validation processes. Beyond increasing efficiency, robotics and other tools can also support banks in meeting supervisory expectations, including those resulting from the Trim,” says Thomas Moosbrucker, partner at Deloitte in Germany.