Building a new risk architecture
Deadlines are a fact of life for financial institutions (and journalists). It seems that at each Sibos, certainly since the financial crisis of 2008, a regulatory deadline is looming large. This year’s model is the Basel Committee on Banking Supervision’s (BCBS’) 11 principles for effective risk data aggregation and risk reporting (BCBS 239), with which globally systemically important banks (GSIBs) must comply by 1 January 2016. However, a report on the progress of adoption reveals a lack of preparedness.
The Committee has identified 31 financial institutions as globally systemically important, including Bank of China, Societe Generale, Deutsche Bank, Mitsubishi UFJ, Barclays Bank, UBS and Citi. Further banks that are identified as GSIBs in future annual updates from the Committee will have to comply with the principles within three years of their designation.
In January this year the Committee published a report, Progress in adopting the principles for effective risk data aggregation and risk reporting. The report was based on responses to a questionnaire sent to the GSIBs, assessing their progress on compliance with the 11 principles. The survey is designed to enable supervisory authorities to monitor progress towards full compliance by the 2016 deadline and to help identify and remedy any implementation issues.
The Committee found “only minor improvements” in the average ratings banks gave themselves in terms of compliance. The three principles with the lowest reported compliance were principle 2 (related to data architecture and IT infrastructure), principle 6 (adaptability) and principle 3 (accuracy and integrity). Within those principles, data taxonomies, the balance between automated and manual systems, documentation of risk data aggregation processes and accuracy requirements for regular and stress cases are deemed ‘essential requirements’ by the Committee. The three principles with the highest reported compliance for both 2013 and 2014 were principle 8 (comprehensiveness), principle 9 (clarity/usefulness) and principle 11 (report distribution).
Compared to the 2013 results, says the report, many banks “continue to encounter difficulties in establishing strong data aggregation governance, architecture and processes”. Banks reported that they often rely on manual workarounds. Similar to the results of the 2013 progress report, many firms failed to recognise that governance/infrastructure principles were important prerequisites for facilitating compliance with the other principles.
The GSIBs were asked additional questions about their large-scale IT and data related projects. The respondents typically described IT projects related to the principles as “high priority” and “enterprise wide”. Most respondents identified multiple IT projects in place that were expected to achieve compliance with the principles, reduce complexity and improve efficiencies. Many of them prioritised projects by risk or market, given that multiple projects with competing resources were in progress.
At the end of last year, global consultancy Ernst & Young (EY) conducted a BCBS 239 readiness survey of its own. It found that the majority of GSIBs believed that a significant part of their BCBS-related change projects would not be completed by the deadline. However, they viewed the principles as enablers for other strategic objectives aimed at transforming the business to “survive in the new marketplace”. Banks are challenged in making the connection between BCBS 239 principles, specific capability-based requirements and their existing book of work across different functional areas, lines of business and regions. This is often evidenced by a limited number of BCBS 239 initiatives, especially at divisional and regional levels, said the consultancy.
EY identified a number of challenges for banks as they adopt BCBS principles:
- Translate principles into meaningful and measurable changes;
- Understand the gap to target capabilities (calibrated against peers);
- Connect strategic change across risk, finance, data and technology;
- Gain sufficient momentum in 2015 and beyond with the depth and breadth of skills required to deliver; and
- Measure and monitor progress to January 2016 and demonstrate sustained alignment to the principles beyond 2016.
The company found that banks were prioritising a number of specific areas, such as data ownership and data quality frameworks, policy change, documentation of risk processes, service level agreements and data dictionaries and lineage. A significant majority (89 per cent) of the banks it surveyed viewed BCBS 239 as an enabler to shape their IT strategy and develop their IT infrastructure. Also, many respondents viewed BCBS 239 as an enabler for their enterprise-wide data management capability objectives. It is also viewed as an initiative to help drive operational efficiency and other cost reduction initiatives.
The “real challenge” of BCBS 239 is that an enterprise-wide approach is required whereas most financial institutions approach regulatory compliance in a tactical way, says Neill Vanlint, managing director, global sales and client operations at GoldenSource. Writing in Banking Technology earlier this year, Vanlint commented that “compartmentalised compliance” isn’t possible with a regulation as far-reaching as BCBS 239. “It’s vital that banks approach the principles strategically, starting with an all-encompassing assessment of existing data management processes,” he wrote.
Vanlint believes that reviewing the core principles of data management best practices will set the foundation for the BCBS 239 principles to be enacted. The most logical place to start, he wrote, is to push for clarity across the organisation by setting and agreeing definitions of terms. The GSIBs should be asking questions such as “which data elements matter the most and what should they be called” and “are meanings consistent across the enterprise”? A common data dictionary, which maps different attribute names to a single underlying definition, should be central. He also advises institutions to implement strong control of the “data supply chain”. Without good governance, banks risk misunderstandings and mistakes when aggregating data. This governance goes beyond IT and into business, operations, auditing and risk management.
Once these core fundamentals are in place, wrote Vanlint, banks can focus on honing more specific capabilities required for compliance. “Effective management of data quality ensures the accuracy of risk data aggregation. Quality measurement is an important first step and needs to happen at multiple points in the data supply chain,” he wrote. However, measurement alone is not enough and banks need to actively manage quality as well. That requires efficient workflows for error detection, research and resolution and a framework for root cause analysis.
After the effective management of data quality, banks must prove the timeliness of their reporting capabilities. Extensive manual ‘data massaging’ will hinder compliance with BCBS 239, where time is of the essence. However, banks that have already taken steps to define their terms, implement sound governance and establish a single, authoritative source for each data set will have an easier time responding to fire alarms, he wrote.
BCBS 239 Principles
Governance: A bank’s risk data aggregation capabilities and risk reporting practices should be subject to strong governance arrangements consistent with other principles and guidance established by the Basel Committee.
Data architecture and IT infrastructure: A bank should design, build and maintain data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis, while still meeting the other principles.
Accuracy and integrity: A bank should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis so as to minimise the probability of errors.
Completeness: A bank should be able to capture and aggregate all material risk data across the banking group. Data should be available by business line, legal entity, asset type, industry, region and other groupings, as relevant for the risk in question, that permit identifying and reporting risk exposures, concentrations and emerging risks.
Timeliness: A bank should be able to generate aggregate and up-to-date risk data in a timely manner while also meeting the principles relating to accuracy and integrity, completeness and adaptability. The precise timing will depend upon the nature and potential volatility of the risk being measured as well as its criticality to the overall risk profile of the bank. The precise timing will also depend on the bank-specific frequency requirements for risk management reporting, under both normal and stress/crisis situations, set based on the characteristics and overall risk profile of the bank.
Adaptability: A bank should be able to generate aggregate risk data to meet a broad range of on-demand, ad hoc risk management reporting requests, including requests during stress/crisis situations, requests due to changing internal needs and requests to meet supervisory queries.
Accuracy: Risk management reports should accurately and precisely convey aggregated risk data and reflect risk in an exact manner. Reports should be reconciled and validated.
Comprehensiveness: Risk management reports should cover all material risk areas within the organisation. The depth and scope of these reports should be consistent with the size and complexity of the bank’s operations and risk profile, as well as the requirements of the recipients.
Clarity and usefulness: Risk management reports should communicate information in a clear and concise manner. Reports should be easy to understand yet comprehensive enough to facilitate informed decision-making. Reports should include meaningful information tailored to the needs of the recipients.
Frequency: The board and senior management (or other recipients as appropriate) should set the frequency of risk management report production and distribution. Frequency requirements should reflect the needs of the recipients, the nature of the risk reported, and the speed at which the risk can change, as well as the importance of reports in contributing to sound risk management and effective and efficient decision making across the bank. The frequency of reports should be increased during times of stress/crisis.
Distribution: Risk management reports should be distributed to the relevant parties while ensuring confidentiality is maintained.
BCBS 239 demands a flexible infrastructure that can aggregate risk data across multiple dimensions. Hard coding simply won’t work and neither will inflexible legacy architectures. Instead, banks need to standardise, link and classify information so they can call upon it quickly and make timely decisions. Finally, Vanlint points out that any BCBS 239-ready data management operation must be able to trace critical data forward from source to use, and vice versa. Several elements drive this, including ‘four-eyes controls’ to ensure accuracy when critical data elements are subject to manual intervention. Banks also need audit trails for every transformation.
Because of its “immense scope”, Vanlint wrote, there are no short cuts to BCBS 239 compliance. The hard work of establishing fundamentals and putting core capabilities in place has its merits. The clarity that effective risk data aggregation provides will help banks streamline their business, he wrote.
“The competitive advantage of excellent risk data aggregation can positively affect a bank’s bottom line and allow it to make better judgements through more accurate risk analysis,” wrote Vanlint. “Moreover, by aggregating information across the business, banks will be able to on-board customers more quickly and cross-sell through existing relationships, all while providing more comprehensive support and services to existing customers.”
Perhaps the most important benefit is stability. At the height of the last crisis, some firms took over a month to work out their exposure to distressed counterparties. BCBS 239 compliance puts banks in a far stronger position to cope in the future, wrote Vanlint. This is because they’ll be able to identify and roll up exposures involving multiple bank subsidiaries and multiple counterparties.
“Compliance with BCBS 239 is unavoidable and banks are feeling the strain. However, in some ways this is all about common sense in enterprise data management. By adopting a strategic, enterprise-wide approach, banks can create a robust foundation to achieve compliance and, ultimately, a significant competitive edge.”
The regulatory provisions of BCBS 239 will “lead to a harmonisation of IT infrastructures, flexible and consistent processes in risk management and to enhanced analytical capabilities”, said Dr Joachim Nagel, member of the executive board of the Deutsche Bundesbank, at a banking technology conference in Frankfurt in December last year. Under BCBS 239, risk information should be complete, correct, consistent and current and made available in a form appropriate to the addressees. “This has always been a demand of the supervisory authorities. However, the Basel standards now set out, for the first time, globally coordinated, specific regulatory requirements for the architecture of risk and data management,” he said.
The implementation of these provisions should make possible improved management information across all legal entities, an improved quality of strategic planning options and a complete assessment of the risk exposure at the highest consolidated level. Responsibility for this lies with senior management.
“The challenges in implementing these principles are highly ambitious and will require considerable input in terms of human resources and technology,” Nagel said. “This applies in particular to risk management, finance and information technology. In the medium and long term, however, this will also bring many opportunities. Even at an early stage, it should be possible to assess risks more quickly and more reliably; there will also be a crucial improvement in the quality of the basic elements of management. These changes are therefore also in the interests of the enterprises themselves.”