Consultancy of the year: Ernst & Young

Regulatory pressure and the challenges of big data have led to increasing use of operational risk consultants, even in the face of tight budgets. Ernst & Young has been one beneficiary of this trend. Dan McKinney, the consultancy's co-leader of operational risk for the Americas, says: "Across the financial services industry there has been considerable regulatory pressure and scrutiny. Operational risk spending has definitely increased – it's a question whether overall spending is flat and that's coming from another area, but risk management spending in general has increased significantly, and operational risk is a major part of that."

Ernst & Young, winner of Operational Risk & Regulation's 2013 operational risk consultancy award, won particular praise from customers for the breadth of its expertise and industry knowledge. McKinney explains that the firm has deliberately taken an enterprise-level approach: "In many cases, the operational risk framework ends up becoming a de facto enterprise risk framework. We have found that, whenever we went in with an enterprise-risk framework, it looked very similar to an operational risk framework. If there is a large credit event, or some sort of macroeconomic event, people want to know how that affects all types of risk. A lot of these issues fall under the heading of operational risk, but they don't always come under the operational risk function."

Keeping up with regulatory reform has been the motive behind a lot of E&Y's recent projects, but individual loss events – especially the large ones that hit the headlines – are important stimuli as well, McKinney says. "In particular, unauthorised trading cases and cyber-security issues will lead organisations to ask: how confident are we about this? How comfortable are we with our ability to deal with this? Then they will come back and look in more detail about how they govern risk."

Regulatory focus is important as well, with two factors in particular underpinning many of E&Y's projects: the new requirement for recovery and resolution plans, or ‘living wills', and the increasing focus on incentives and compensation structures. "Post the incentive reviews, they're very interested in who is driving [risk managers'] compensation reviews and whether or not they are really an independent risk manager. There's a focus on understanding the risk managers' ability to challenge the business – if you are evaluated and compensated by the head of the business, there is a perception that you can't do that," McKinney explains.

A will to succeed

One of the biggest changes in the last five years is that people used to talk about operational risk in Basel terms – now there is much more attention on real operational risks

Meanwhile, the exercise of drawing up a living will – a requirement under several financial reform laws, including the forthcoming EU Crisis Management Directive – has proved to be a useful incentive for better management of a range of operational risks, he says. "Many companies have already looked at [outsourcing risk] as part of the recovery and resolution plan. You take a deep look at all your dependencies, internal and external – that's where op risk professionals have really benefitted from having that deeper understanding. They maybe haven't previously realised the criticality of one particular provider, or the details of the data they have access to. There is much more focus around data now."

And there's been a welcome shift, McKinney says, away from a compliance-focused approach to operational risk and towards a view from the perspective of harm to the company. "One of the biggest changes in the last five years is that people used to talk about operational risk in Basel terms – now there is much more attention on real operational risks, what could hurt them financially, or hurt their customers, or damage their reputation." Reputational damage can follow any significant operational risk loss – whether a systems failure or a regulatory fine – but the art of quantifying and modelling it is still in its very early stages, he says.

Another shift has been towards what he calls a "portfolio approach" - rather than treating individual risk classes in isolation, "many more firms are understanding their exposures and how events will impact the other risks they manage. There is much more focus on scenarios, and on combining operational risk scenarios with other scenarios such as macroeconomic events." Some of this is driven by regulatory moves – such as the US Comprehensive Capital Analysis and Review process, now scheduled to happen annually – but it's still a welcome change, McKinney says.