The world's largest banks face major challenges in implementing the Basel Committee's demanding new principles for risk data aggregation. These new principles could see banks spending much more on new governance in an effort to meet the January 2016 deadline.
2. BCBS
Autumn 2014 29
The Basel Committee’s principles for effective risk data aggregation and risk reporting (BCBS 239) may be among the least well known components of the post-financial crisis reform package. Yet they could ultimately bring about the most significant changes to the world’s largest banks.
The 14 principles (11 for banks, three for supervisors), due for implementation by January 2016, came about as a result of one of the great weaknesses exposed by the financial crisis, which was that systemically important banks lacked the ability to aggregate exposures and identify large concentrations of risk at group level, jeopardising the stability of the broader financial system.
Risk data aggregation is the process of defining, gathering and processing risk data to enable a bank to measure its performance against its risk tolerance/appetite. That might sound a fairly humdrum practice, but in the context of a financial system that was proven to be dangerously unstable during the crisis, the Financial Stability Board identified the improvement of risk data aggregation as a priority in 2011.
Progress required
Fixing the problem remains a work in progress or, perhaps more accurately, a work in need of progress. The drafting of the 14 principles was a good first step, but only nine firms responded to the Basel Committee’s original consultative document in 2012. This illustrates the lack of awareness of the principles among the 30 globally systemically important banks (G-SIBs) that must now implement them by 2016.
As that deadline edges closer, implementing the principles is proving to be a major challenge. That is partly because the principles are mostly qualitative in nature, setting a high standard for risk data aggregation, but failing to define precisely how it should be achieved.
The prevalence of adjectives such as ‘strong’, ‘accurate’, ‘reliable’ and ‘timely’ in the standards, without quantitative definitions of exactly what is required, has been cited by many banks as a key challenge.
Whether it is the failure of the regulators or the banks themselves to be more specific, many practitioners are still scratching their heads over vague recommendations from consultants on the best way to comply.
The principles are split broadly into four categories, covering governance and infrastructure; risk data aggregation; risk reporting; and supervisory review.
Risk off
The world’s largest banks face major challenges in implementing the Basel Committee’s demanding new principles for risk data aggregation by 2016, but risk hefty bills if they get it wrong, says PJ Di Giammarino, ceo of JWG Group.
Basel, Switzerland, 01.2013: The Basel Committee’s 14 principles were finalised
Overarching governance and infrastructure
1. Governance—a bank’s risk data aggregation capabilities and risk reporting practices should be subject to strong governance arrangements consistent with other principles and guidance established by the Basel Committee
2. Data architecture and IT infrastructure—a bank should design, build and maintain data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis, while meeting the other principles
Risk data aggregation capabilities
3. Accuracy and integrity—a bank should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis so as to minimise the probability of errors
4. Completeness—a bank should be able to capture and aggregate all material risk data across the banking group. Data should be available by business line, legal entity, asset type, industry, region and other groupings, as relevant for the risk in question, that permit identifying and reporting risk exposures, concentrations and emerging risks
5. Timeliness—a bank should be able to generate aggregate and up-to-date risk data in a timely manner while also meeting the principles relating to accuracy and integrity, completeness and adaptability. The precise timing will depend upon the nature and potential volatility of the risk being measured as well as its criticality to the bank’s overall risk profile. The precise timing will also depend on the bank-specific frequency requirements for risk management reporting, under both normal and stress/crisis situations, based on the bank’s characteristics and overall risk profile
6. Adaptability—a bank should be able to generate aggregate risk data to meet a broad range of on demand, ad hoc risk management reporting requests, including requests during stress/crisis situations, requests due to changing internal needs and requests to meet supervisory queries
Risk reporting practices
7. Accuracy—risk management reports should accurately and precisely convey aggregated risk data and reflect risk in an exact manner. Reports should be reconciled and validated
8. Comprehensiveness—risk management reports should cover all material risk areas within the organisation. The depth and scope of these reports should be consistent with the size and complexity of the bank’s operations and risk profile, as well as the requirements of the recipients
9. Clarity and usefulness—risk management reports should communicate information in a clear and concise manner. Reports should be easy to understand yet comprehensive enough to facilitate informed decision making. Reports should include an appropriate balance between risk data, analysis and interpretation and qualitative explanations. Reports should include meaningful information tailored to the needs of the recipients
10. Frequency—the board and senior management (or other recipients as appropriate) should set the frequency of risk management report production and distribution. Frequency requirements should reflect the needs of the recipients, the nature of the risk reported, and the speed at which the risk can change, as well as the importance of reports in contributing to sound risk management and effective and efficient decision making across the bank. The frequency of reports should be increased during times of stress/crisis
11. Distribution—risk management reports should be distributed to relevant parties while ensuring confidentiality is maintained
Supervisory review, tools and cooperation
12. Review—supervisors should periodically review and evaluate a bank’s compliance with the eleven principles above
13. Remedial actions and supervisory measures—supervisors should have and use the appropriate tools and resources to require effective and timely remedial action by a bank to address deficiencies in its risk data aggregation capabilities and risk reporting practices. Supervisors should have the ability to use a range of tools, including Basel’s Pillar 2
14. Home/host cooperation—supervisors should cooperate with their relevant counterparts in other jurisdictions regarding the supervision and review of the principles and the implementation of any remedial action if necessary
Source: Basel Committee on Banking Supervision, Bank for International Settlements
Principles for effective risk data aggregation and risk reporting
Some principles are perhaps more challenging to interpret and implement than others. For example, the first principle tackles governance, requiring that risk data aggregation and reporting should be subject to ‘strong governance arrangements’. The Basel Committee provides some further detail on what kind of internal oversight is required, but it remains unclear precisely how banks should get senior management involved in the process of risk data aggregation. Some might choose to appoint an entirely new business function such as a risk aggregation officer. Others might decide to allocate the practice to the remit of chief data officer. The implication is a lack of consistency in governance arrangements.
The third principle deals with the accuracy and integrity of risk data, requiring that data should be aggregated on a “largely automated basis” to minimise errors. The Basel Committee asks that banks create a data dictionary to ensure that data are defined consistently across the bank. Such a requirement could also be fulfilled in several different ways. It is also unclear what degree of automation is required, and what level of manual intervention in data aggregation would render a bank non-compliant.
Lack of clarity
A similar lack of clarity pervades many of the other principles, but the inherent challenge underlying all of them is that risk data aggregation is a practice that spans so many different parts of a bank’s architecture that it has proven difficult to find a single business function to take complete ownership.
The wide reach of the standards is crystallised in the fourth principle, which requires banks to capture and aggregate all “material risk data” across the group, spanning business lines, legal entities, asset types, industries, regions and other groupings. As most large banks typically operate thousands of legal entities, accurately capturing the risk data in a timely way is a monumental challenge.
The Basel Committee is clearly not blind to the scale of the challenge, and in December 2013 it published a progress report on the adoption of the principles. Based on a self-assessment questionnaire completed by 30 G-SIBs, the exercise revealed a varying state of readiness for the 2016 deadline, and the Basel Committee conceded that many banks are struggling to establish strong data aggregation governance.
National supervisors, the Basel Committee said, would investigate the root causes of non-compliance and use ‘supervisory tools and appropriate discretionary measures’ to get the banks in shape by 2016.
Exactly what that means is as unclear as the principles themselves, and while the final three principles deal with the role supervisors will play in monitoring and enforcing implementation, there is no indication of the penalties banks might ultimately face for non-compliance.
Attention please
Despite the worrying lack of clarity, the Basel Committee principles require greater attention from all market participants, from the regulators themselves to banks not yet affected, as supervisors have been advised to consider applying the principles to domestic systemically important banks as well as G-SIBs.
While other regulations such as the Dodd-Frank Act, Basel III and the European Union’s Mifid and Emir have received much greater mainstream attention in recent years, the principles venture much deeper into banks’ operating mechanics. Basel III, for example, broadly requires a higher quality and quantity of capital and liquid assets, but it is left largely up to the banks how they achieve that.
The more complex the current business and underlying enterprise model, the more we need integration to deliver the right regulatory reforms in a cost-effective manner. Factors that will affect complexity will include the bank’s products and services, target customer base and the jurisdictional framework.
Though the principles have not so far been as large a focus area as Basel III implementation, the principles are necessarily tied to it. This is not just because they share the focus on risk, but because they alter what needs to be considered in banks’ operational risk frameworks, such as the Basel III advanced measurement approach.
Costly
As regulators have now laid out the principles and have an admission from the banks, via the progress report, of their inability to manage the standards, there is the potential for banks to be hit with capital surcharges for inappropriately calibrated operational risk frameworks. As the principles cross all of their business lines, this could prove incredibly costly.
The challenge is that there is no single ‘right’ answer about precisely which capabilities an individual regulator will expect of a firm for risk data aggregation, and it is unlikely we will see a definition of a ‘good’ implementation.
However, if firms invest in a proper implementation, the risk data aggregation principles could see banks spending much more on new governance than in the past.
With the current scant level of detail from regulators, doing that effectively before 2016 is going to be an almighty challenge.
2016: The principles are to be implemented by January 2016
Figure: A joined-up perspective is required. Central question: What does good risk data compliance look like? Surrounding elements: Risk regulation (COREP, FINREP, liquidity metrics, etc.); Risk data regulation (BCBS RDA and national guidance); Infrastructure standards (e.g., audit principles, RRP, outsourcing); Industry IT efforts (FIBO, big data); Shareholders (EDTF); overlap/underlap.
COREP – the European Banking Authority’s common regulatory reporting framework
FINREP – Financial reporting under European rules
BCBS RDA – Basel Committee on Banking Supervision Risk Data Aggregation
RRP – Recovery and Resolution Plan
FIBO – Financial Industry Business Ontology
EDTF – Enhanced Disclosure Task Force