www.risk-finance.co.uk Basel Committee on Banking Supervision Consultative Document Principles for effective risk data aggregation and risk reporting Published June 2012, Issued for comment by 28 September 2012 http://www.bis.org/publ/bcbs222.pdf Review and Route to Compliance Bruce Tattersall Director, Risk & Finance Project Management Services Limited September, 2012


www.risk-finance.co.uk

Basel Committee on Banking Supervision Consultative Document

Principles for effective risk data aggregation and risk reporting

Published June 2012, Issued for comment by 28 September 2012

http://www.bis.org/publ/bcbs222.pdf

Review and Route to Compliance

Bruce Tattersall, Director, Risk & Finance Project Management Services Limited

September, 2012


Brief Summary of the Consultative Paper

• BIS views banks’ information technology (IT) and data architectures, which were inadequate to support the broad management of financial risks, as a key part of the 2007 crisis.

• BIS highlights that some banks were unable to manage their risks properly because of weak risk data aggregation capabilities and risk reporting practice.

• Furthermore, banks’ ability to aggregate risk data should reduce the layers of doubt over results and detail.

• For global systemically important banks (G-SIBs) in particular, it is essential for resolution authorities to have access to aggregate risk data to ascertain true risk.

• The paper presents a set of principles to strengthen banks’ risk data aggregation capabilities and risk reporting practices with the aim to enhance banks’ risk management.

• Many in the banking industry recognise the benefits of improving risk data for gains in efficiency, reduced probability of losses and enhanced strategic decision-making, and ultimately increased profitability – turning Regulation from Compliance into Advantage.


Response Structure

• Principle Theme

• BCBS CP222 Principle Specifics

• Suggestions for Financial Services Firms to Achieve the Principle


I. Overarching governance and infrastructure

1. Governance – A bank’s risk data aggregation capabilities and risk reporting practices should be subject to strong governance consistent with other principles and guidance established by the Basel Committee

• Implementation of appropriate data governance and controls could be achieved through a control framework implemented across risk, finance and treasury. The control framework would focus on areas such as data quality, data integrity at interfaces, reconciliation, attestation, and defining and implementing controls and processes for data reporting.

• Additional effort could include defining the role and scope of Internal Audit in monitoring adherence to governance controls and processes, or engaging independent external specialists to review IT, data and reporting capabilities. To prevent out-of-scope activity creeping in, a bank could define detailed reporting requirements during the NPD process or acquisition process.

2. Data architecture and IT infrastructure – A bank should design, build and maintain data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis, while still meeting the other principles.

• It makes sense for large banks to review their current risk data architecture with a view to enhancing data aggregation and risk reporting capability across risk, finance and treasury functions.

• In addition, implementing a robust IT infrastructure to provide business continuity in the event of a major incident or during a period of high usage is suggested.

• Furthermore, managing and co-ordinating the ownership and management of risk systems used across the business and within divisional hierarchies is suggested.

• Roles and responsibilities (control and command) should be defined for responding to market stress situations. In addition, the risk taxonomy should be overseen and any Risk Data Authorities managed, to ensure accurate data quality and consistent naming conventions across the business.


II. Risk data aggregation capabilities

3. Accuracy and Integrity – A bank should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis so as to minimise the probability of errors.

• Risk & Finance suggest establishing a golden source of reconciled financial and risk data that’s available to Finance, Risk and Treasury. This could be achieved by establishing consistent data definitions and hierarchies across the group. Data will be obtained automatically from source and consolidated to provide a consistent set of data to support accurate reporting.

• An IT Design Authority to assess the appropriateness of technology solutions implemented is also suggested. The IT Design Authority should be appropriately staffed with competent staff so that it does not become a blocker to progress. The use of desktop applications within key business processes should be reviewed and, where appropriate, transferred to a more robust IT infrastructure while maintaining the speed and flexibility that end user computing provides.

4. Completeness – A bank should be able to capture and aggregate all material risk data across the banking group. Data should be available by business line, legal entity, asset type, industry, region and other groupings that permit identifying and reporting risk exposures, concentrations and emerging risks.

• Data should be extracted electronically at the most granular level to improve deep dive reporting and the quality and accuracy of information supporting business decision making. Reporting tools should be implemented that give users the ability to drill down into data across a range of dimensions and measures.

• To support the provision of complete and accurate data, it will be necessary for data remediation activities to be performed in source systems, including identifying weaknesses in data quality, the bugbear of most financial institutions. It will be necessary for business divisions to support measures to improve reporting and data quality (DQ); otherwise "bad in, bad out" rules.


II. Risk data aggregation capabilities (continued)

5. Timeliness – A bank should be able to generate aggregate and up to date risk data in a timely manner while also meeting the principles relating to accuracy and integrity, completeness and adaptability. The precise timing will depend upon the nature and potential volatility of the risk being measured as well as its criticality to the overall risk profile of the bank. This timeliness should meet bank-established frequency requirements for normal and stress/crisis risk management reporting.

• The improvements in data architecture can be used to identify where the frequency and timeliness of reporting can be enhanced. This would involve additional changes in business processes.

• Business initiatives should combine with technical solutions resulting in improvements in data reporting across the bank - IT technical architecture and design should play an enabler role here. Clearly management of scope and dependencies becomes more and more important.

6. Adaptability – A bank should be able to generate aggregate risk data to meet a broad range of on-demand, ad hoc risk management reporting requests, including requests during crisis situations, requests due to changing internal needs and requests to meet supervisory queries.

• By performing a comprehensive analysis of business requirements to ensure that both existing and future risk data reporting requirements can be met, a good level of understanding of key business drivers and FSA objectives can be achieved.

• The implementation of an architecture which is extensible, scalable and able to support changes in data reporting requirements is essential.

• The recruitment and allocation of resource with sufficient subject matter expertise to assist in the creation and ongoing development of data reporting requirements is critical.


III. Risk reporting practices

7. Accuracy - Risk management reports should accurately and precisely convey aggregated risk data and reflect risk in an exact manner. Reports should be reconciled and validated.

• By performing rigorous assurance and testing to ensure the accuracy of all reports generated via the new architecture, business buy-in can be achieved. The time and effort involved in assuring the numbers produced should not be underestimated.

• The implementation of a control framework to ensure that reconciliation, substantiation and attestation processes are implemented as part of the end to end business operating model plays a key role here.

• The Bank may need to assist any programme of work by adopting changes to existing business processes or by divisional mandate enforced at Group level.

8. Comprehensiveness - Risk management reports should cover all material risk areas within the organisation. The depth and scope of these reports should be consistent with the size and complexity of the bank’s operations and risk profile, as well as the requirements of the recipients.

• By seeking requirements input across the organisation from key stakeholders, with appropriate and considered sign-off by senior management and day-to-day staff that any solution is a comprehensive fit against business needs, the objective of comprehensiveness can be met.

• The advantage to the bank is in the broadened and deepened data coverage, increasing the level of data held centrally and integrating data sets to support cross divisional reporting.

• Risk management must work with their finance and treasury colleagues to regularly appraise the content and value of reports. Where new reporting requirements are identified these must be conveyed to development teams with appropriate prioritisation to enable them to be developed within the programme.


III. Risk reporting practices (continued)

9. Clarity - Risk management reports should communicate information in a clear and concise manner. Reports should be easy to understand yet comprehensive enough to facilitate informed decision-making. Reports should include an appropriate balance between risk data, analysis and interpretation, and qualitative explanations.

• For example, Oracle OBIEE, SAS Analytics or Business Objects BI reports provide users with the ability to tailor the report display to their needs. Users are provided with access to metadata which will provide guidance on data held within reports.

• The Bank in question would need to provide the development team with input in the design of standard reports so that they meet the needs of recipients within the business and can be customised, removed or re-created at low cost and within a short time frame.

10. Frequency – The board and senior management (or other recipients as appropriate) should set the frequency of risk management report production and distribution. Frequency requirements should reflect the needs of the recipients, the nature of the risk reported, and the speed at which the risk can change, as well as the importance of reports in contributing to sound risk management and effective/efficient decision-making across the bank. The frequency of reports should be increased during times of crisis.

• By implementing a reporting capability that supports business requirements in respect of reporting frequency and delivers significant reductions in current reporting cycles using enhanced reporting tools, this objective is met.

• With regulatory requirements and market disclosures typically driving the frequency of report production, this will be a key factor in internal demand for reports. During times of stress the frequency is likely to be much greater and, as such, some "quick and dirty" reporting capability should be developed.

11. Distribution - Risk management reports should be distributed to the relevant parties and include meaningful information tailored to the needs of the recipients, while ensuring confidentiality is maintained.

• Suggest the definition and implementation of user access controls for report data to ensure that data confidentiality is maintained.

• Ongoing input into, or ownership of, report distribution and the maintenance of user lists is critical, ensuring that updates are provided immediately when staff leave or move from departments or role types.


IV. Supervisory review, tools and cooperation

12. Review - Supervisors should periodically review and evaluate a bank’s compliance with the eleven principles above.

• Supervisory review would be possible through the Governance & Management Information tools that could be implemented within the control framework mentioned earlier.

• The Bank must identify business representatives who are accountable for maintaining compliance with the above principles.

13. Remedial actions and supervisory measures - Supervisors should have and use the appropriate tools and resources to require effective and timely remedial action by a bank to address deficiencies in its risk data aggregation capabilities and risk reporting practices. Supervisors should have the ability to use a range of tools, including Pillar 2.

• Enabling supervisory review of data on a more frequent basis and at a greater degree of granularity should be the objective. Reviewing such documentation as ARROW reviews or CPP requests from the FSA would point to the level of granularity sought. This will support early identification of any deficiencies in risk data aggregation and reporting.

• The Bank must identify business representatives responsible for identifying and overseeing the implementation of changes to risk data aggregation and reporting.

14. Home/host cooperation - Supervisors should cooperate with relevant supervisors in other jurisdictions regarding the supervision and review of the principles, and the implementation of any remedial action if necessary.

• Most large systemically important institutions gather data across multiple jurisdictions, enabling supervisors to identify aggregation or cross-border issues impacting group reporting, and this must be visible to internal decision makers as well as external regulators. As such, the bank must implement and maintain a framework to support supervisory communication across jurisdictions.


Further Detailed Discussion

To discuss your specific Risk Data Aggregation & Reporting needs, please contact [email protected]
