BCBS: getting back to first principles
At first glance, the Basel Committee’s new Principles for stronger banking risk governance appear to represent another huge change management challenge for global institutions. At Ernst & Young we beg to differ, writes Derek Taylor.
In our view, banks can use a less heavy-handed approach to achieving compliance by piggy-backing on existing change programmes. This in turn will open the door to further improvements in the efficiency and effectiveness of risk reporting.
Just before 0100 New York time on Monday 15 September 2008, Lehman Brothers announced its intention to file for bankruptcy. In the chaos that followed, banks around the world tried to put a single, reliable figure on their exposure to the failed firm. Most failed to do so in a timely manner. These widespread shortcomings in risk management and reporting led to rapid contagion, and a global financial crisis. The continuing effects of many banks’ inability to precisely measure counterparty and credit exposures are still being felt today.
In retrospect, it is hardly surprising that few banks could quantify their net exposure to Lehman at the push of a button. Most operated a patchwork of risk management systems and processes, set up to deliver a variety of reports to a range of users. Some risk reporting was available intra-day, but other data was only accessible at day-end, week-end or even month-end. The extreme market stress made it even harder to quantify exposures across products, businesses and legal entities, or to perform collateral and netting calculations. To borrow a political phrase, many banks’ risk systems proved ‘unfit for purpose’.
In the years since Lehman’s collapse, shareholders, regulators and politicians around the world have been encouraging banks to strengthen their risk governance. Even so, almost all have struggled to achieve the desired improvements. At a time of scarce capital, the lack of a tangible business case or investment return has undermined many risk reporting projects. Mandatory programmes focused on specific regulatory or legal requirements have also tended to receive greater priority. Without support from a champion at C-suite or Board level, general improvements in the gathering and reporting of risk data have been hard to come by.
This is about to change. The Basel Committee’s 14 Principles for Effective Risk Data Aggregation and Risk Reporting are placing risk governance at the forefront of the regulatory agenda for the first time. The Principles are grouped into four areas covering governance and infrastructure, risk data aggregation, risk reporting and supervisory mechanisms. The potential financial and reputational penalties for non-compliance – including the possibility of an additional ‘trust buffer’ of up to 50 basis points of regulatory capital – will concentrate minds wonderfully.
All systemically important banks – SIBs – will ultimately need to comply with the Principles, but institutions designated as Global SIBs by the Financial Stability Board face the tightest deadlines. The 28 current G-SIBs need to be fully compliant by January 2016, and will have their progress assessed by national supervisors – and shared with the FSB – from 2013 onwards. The G-SIBs will also face a particular challenge to reconcile the need for consistent, automated systems with the requirements of a range of local regulators.
The scale of the challenge should not be underestimated. The 14 Principles promise to do for risk data what Sarbanes-Oxley did for financial information, with scope extending to every aspect of lending and trading. Investment of financial and human capital in systems and processes will be required throughout the organisation. It follows from this that G-SIBs aiming to achieve compliance by 2016 will need to launch large, complex programmes that fundamentally redesign their data landscape. Or do they?
In our view, the key to successful implementation of Basel’s 14 Principles is to understand their underlying intent, namely to make banks easier to govern. Control, not data, is their ultimate goal. With this imperative in mind, we believe that a single Design Authority guiding a specific set of key activities can achieve compliance more cheaply and pragmatically than an ever-expanding data centralisation project.
The unique feature of this approach is that it builds on existing change programmes. Most banks are implementing a wave of national and international regulations, many of which already overlap each other in their content and output. The Design Authority should map the requirements of the 14 Principles against the scope of ‘in-flight’ projects, and identify the most cost-effective solutions to any gaps. It should also align risk frameworks with the needs of good governance and external reporting, and incentivise change by including data quality in internal scorecards. Specifically, this Design Authority should govern two key activities. The first is the identification, management and, where required, improvement of a core set of Critical Data Elements for in-scope global functions and business lines. The second is to provide a clear articulation of the desired set of business capabilities, and to drive the change required to achieve these capabilities relative to the current state. Where possible, these change activities should be embedded within existing in-flight and pre-planned programmes of work.
To be clear, this type of approach is not a panacea. It will only succeed if the Design Authority enjoys a clear mandate from the board, has an appropriate budget and includes individuals qualified to make decisions affecting group risk, group finance and group IT.
Set against that, a comparatively light-touch approach has the potential to make huge strides in risk data quality at a comparatively low cost. Once compliance has been achieved, it also holds out the prospect of further improvements in efficiency and effectiveness. Based on our recent experience of similar projects, we expect a potential group-wide reduction of 25-30% in the total costs of internal and external risk reporting. Looking further ahead, we also anticipate significant benefits in terms of management information, leading to better risk transparency, organisational control and business steering.
Achieving compliance with the 14 Principles does not necessarily require a large change project, with a dubious business case and an ever-extending timeline. With a more intelligent approach, banks can deliver similar or improved results without ‘boiling the ocean’ all over again.