A global systemically important bank (G-Sib) recently called on EY’s operational risk team with a giant regulatory headache: how to route more than 35,000 regulatory obligations to the correct lines of business without exhausting its internal resources.
EY designed and implemented a machine-learning algorithm that executed the process based on the obligation’s text and metadata, allowing the client to complete the process in half the time as before. EY then helped it to develop a broader regulatory change-management operating model.
Its ability to pull together regulatory, information technology and compliance skills is an example of the interdisciplinary approach that led Risk.net’s judges to give EY the OpRisk Consultancy of the Year award. Judges cited the firm’s ability to work across operational risk silos, creating measures and policies that allow its clients to make effective decisions about increasingly interconnected but disparate risks.
EY’s Risk Practice covers compliance, reputational, vendor, information technology, security/privacy, cyber and business continuity/resiliency risks. From an operational risk perspective, it has excelled at helping clients who manage these things in different silos – for example, cyber in technology and vendor in procurement – to work across them, especially for new or rapidly evolving challenges, such as artificial intelligence’s (AI) increasing impact on compliance and model risks.
AI used in retail marketing efforts, for instance, needs to be monitored carefully to ensure it does not lead to unfair biases in retail business lines, which could involve huge reputational risks of the sort that are not easily quantifiable in dollar terms. Finding a way to integrate this meaningfully into a company-wide operational risk assessment requires developing appropriate metrics that can be compared across exposures.
“The risk of being labelled an unfair lender is hard to put a figure on, but it can be devastating to the business,” says Daniel McKinney, partner in financial services at EY.
“There’s always a new risk, but the most pressing question for our clients is how to organise themselves to align their risk and compliance organisations,” he says. “Then you add in vendor, cyber, privacy, and other functions that might all measure and manage their risks in different ways.”
This becomes a problem when these constituencies measure different risks in different ways, because senior management can then find it difficult to prioritise and address them, McKinney observes. Finding a tractable common metric and strategy can be a challenge, especially when some of a client’s operational risk objectives or methods clash.
For example, poor collaboration between the fraud and cyber security groups can lead to control vulnerabilities and gaps that can be exploited by sophisticated attacks, he says. Uncovering fraud often requires information sharing, but that is inimical to comprehensive cyber security initiatives, which typically segregate data to minimise loss in the event of a breach.
To achieve an integrated approach, EY offers strategy and operating model design, such as end-to-end risk strategy design integrated into business strategy, and process redesign and enhancement. The latter involves assessing risk management frameworks and standards, developing a target state and helping to implement it.
One judge said he was very impressed with EY’s comprehensive approach to evaluating and optimising operational resiliency. One example is the work EY did for a G-Sib that sought to understand its ability to recover and sustain key operations during an extended outage of key systems. Unlike standard stress tests, this exercise examined the client’s operational resiliency comprehensively regarding factors that affected clients, counterparties and internal processes.
EY arranged a two-day simulation that brought together more than 400 participants, including senior executive leadership, from all lines of businesses and corporate functions globally. EY’s subject-matter advisers across various disciplines reviewed and challenged the strategies and assumptions discussed during the exercise. The firm then evaluated the results against leading industry practices and regulatory expectations to identify potential areas of improvement.
The simulation considered a range of possibilities. For example, it ran a scenario where the client lost connectivity to its offshoring locations for several days, which could have a significant systemic impact due to the status of the bank.
McKinney notes: “We were challenging the whole firm’s resilience to an extreme event to see how the recovery strategy performed, down to the level of who would do what.”
Another hot-button issue is how to risk-manage the increasing use of cloud resources for data storage and, in some cases, processing. EY completed a project for a US insurance company that highlighted the challenges of cloud strategy development and risk management. It assessed technology risk, security, and third-party, legal and compliance issues.
Cloud risk analysis can start with a pre-existing model, but the area is still novel and evolving so quickly that these assessments have to be highly tailored. EY’s ability to draw on its cyber, technology, data and analytics expertise proved a strong differentiator, and allowed it to deliver an actionable evaluation and strategy.