OpRisk Awards 2016
For a financial services group of any size, operational risk management is a high-stakes game of ‘whack-a-mole' – with potential exposures constantly popping up and demanding attention. With clients facing a dizzying array of operational risk issues, any effective consultancy offering needs to draw on a wide pool of expertise.
"A couple of years ago, we recognised that risk and regulation would be a focus of our clients, so we created a virtual global team of professionals doing reg and risk work, allowing us to approach it in a more cohesive and coherent fashion," says Angela Calapa, a director at PwC in London.
PwC's financial services, risk and regulation team brings together 78 partners and 1,100 staff around the world, and grew by 15% during the past year alone.
Op risk is quite extensive – as well as the framework knowledge, you need professionals with deep technical expertise. Right now, it's cyber risk
Angela Calapa, PwC
"[The team has] enabled us to better deliver operational risk services," Calapa says. "Op risk is quite extensive – as well as the framework knowledge, you need professionals with deep technical expertise. Right now, it's cyber risk; last year, it was conduct and mis-selling; and before that, it was IT."
Initially, much of the team's work was driven by regulatory scrutiny of operational risks at large retail and investment banks, in the wake of the financial crisis. More recently, the regulatory focus has shifted to insurers and asset managers, she says. However, remorseless pressure on costs is encouraging larger clients to look at efficiencies in their op risk management.
"We're seeing a change from seeking assistance from a framework development or redesign perspective towards opportunities around effectiveness or efficiency of the framework," she says. "It's a chance to step back and ask, ‘do we have the right people doing the right things? Is what we say in risk management actually helping us to manage our op risk?'"
When it comes to identifying opportunities for cost savings, "we're in investigation mode", Calapa says. She notes that cost-cutting in any risk management function needs to be approached extremely carefully, as no-one wants to recommend an efficiency saving that is linked to an operational risk loss down the line.
"Control testing is perhaps an area to consider where clients are expending human and financial resources," she suggests. "The pendulum has potentially swung too far, in terms of optimised control testing in a risk-based fashion, particularly in the retail banking environment. Does every control need to be tested every quarter, for example?"
Such rationalisation plays into a broader theme that PwC's team is exploring: namely, going back to basics and attempting to simplify how clients approach risk management. "Have we defined our top risks? Have we got the right controls? Are they supported by the right processes? There's a case for going back and considering how we do risk management."
Specifically, Calapa predicts the so-called second line of defence – the risk management and compliance function – will change shape. "Because of the scrutiny we saw after the financial crisis, second-line teams grew quite significantly... You're essentially exposed to operational risk as a first-line risk-taker in your day-to-day activities. The management of that risk should be part of your daily activities as well."