Autumn 2014

BCBS

29 Autumn 2014

T he Basel Committee’s principles for effective risk data aggregation and

risk reporting (BCBS 239) may be among the least well known components of the post-financial crisis reform package. Yet they could ultimately bring about the most significant changes to the world’s largest banks.

The 14 principles, (11 for banks, three for supervisors), due for implementation by January 2016, came about as a result of one of the great weaknesses exposed by the financial crisis, which was that systemically important banks lacked the ability to aggregate exposures and identify large concentrations of risk at group level, jeopardising the stability of the broader financial system.

Risk data aggregation is the process of defining, gathering and processing risk data to enable a bank to measure its performance

against its risk tolerance/appetite. That might sound a fairly humdrum practice, but in the context of a financial system that was proven to be dangerously unstable during the crisis, the Financial Stability Board identified the improvement of risk data aggregation as a priority in 2011.

Progess requiredFixing the problem remains a work in progress or, perhaps more accurately, a work in need of progress. The drafting of the 14 principles was a good first step, but only nine firms responded to the Basel Committee’s original consultative document in 2012. This illustrates the lack of awareness of the principles by the 30 globally

systemically important banks (G-SIBs) that must now implement them by 2016.

As that deadline edges closer, implementing the principles is proving to be a major challenge. That is partly because the principles are mostly qualitative in nature, setting a high standard for risk data aggregation, but failing to define precisely how it should be achieved.

The prevalence of adjectives such as ‘strong’, ‘accurate’, ‘reliable’ and ‘timely’ in the standards, without quantitative definitions of exactly what is required, has been cited by many banks as a key challenge. Whether it is the failure of the regulators or the banks themselves to be more specific, many practitioners are still scratching their heads over vague recommendations from consultants

over the best way to comply.The principles are split broadly

into four categories, covering governance and infrastructure; risk data aggregation; risk reporting; and supervisory review.

Risk off

Fixing the problem remains a work in progress or, perhaps more accurately, a work in need of progress.

The world’s largest banks face major challenges in implementing the Basel Committee’s demanding new principles for risk data aggregation by 2016, but risk hefty bills if they get it wrong, says PJ Di Giammarino, ceo of JWG Group.

Basel, Switzerland

01.2013 The Basel Committee’s 14 principles were finalised

BCBS

30 Autumn 2014

Overarching governance and infrastructure1. Governance—a bank’s risk data aggregation capabilities and risk

reporting practices should be subject to strong governance arrangements consistent with other principles and guidance established by the Basel Committee

2. Data architecture and IT infrastructure—a bank should design, build and maintain data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis, while meeting the other principles

Risk data aggregation capabilities3. Accuracy and integrity—a bank should be able to generate

accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis so as to minimise the probability of errors

4. Completeness—a bank should be able to capture and aggregate all material risk data across the banking group. Data should be available by business line, legal entity, asset type, industry, region and other groupings, as relevant for the risk in question, that permit identifying and reporting risk exposures, concentrations and emerging risks

5. Timeliness—a bank should be able to generate aggregate and up-to-date risk data in a timely manner while also meeting the principles relating to accuracy and integrity, completeness and adaptability. The precise timing will depend upon the nature and potential volatility of the risk being measured as well as its criticality to the bank’s overall risk profile. The precise timing will also depend on the bank-specific frequency requirements for risk management reporting, under both normal and stress/crisis situations, based on the bank’s characteristics and overall risk profile

6. Adaptability—a bank should be able to generate aggregate risk data to meet a broad range of on demand, ad hoc risk management reporting requests, including requests during stress/crisis situations, requests due to changing internal needs and requests to meet supervisory queries

Risk reporting practices7. Accuracy—risk management reports should accurately and

precisely convey aggregated risk data and reflect risk in an exact manner. Reports should be reconciled and validated

8. Comprehensiveness—risk management reports should cover all material risk areas within the organisation. The depth and scope of these reports should be consistent with the size and complexity of the bank’s operations and risk profile, as well as the requirements of the recipients

9. Clarity and usefulness—risk management reports should communicate information in a clear and concise manner. Reports should be easy to understand yet comprehensive enough to facilitate informed decision making. Reports should include an appropriate balance between risk data, analysis and interpretation and qualitative explanations. Reports should include meaningful information tailored to the needs of the recipients

10. Frequency—the board and senior management (or other recipients as appropriate) should set the frequency of risk management report production and distribution. Frequency requirements should reflect the needs of the recipients, the nature of the risk reported, and the speed at which the risk can change, as well as the importance of reports in contributing to sound risk management and effective and efficient decision making across the bank. The frequency of reports should be increased during times of stress/crisis

11. Distribution—risk management reports should be distributed to relevant parties while ensuring confidentiality is maintained

Supervisory review, tools and cooperation12. Review—supervisors should periodically review and evaluate a

bank’s compliance with the eleven principles above

13. Remedial actions and supervisory measures—supervisors should have and use the appropriate tools and resources to require effective and timely remedial action by a bank to address deficiencies in its risk data aggregation capabilities and risk reporting practices. Supervisors should have the ability to use a range of tools, including Basel’s Pillar 2

14. Home/host cooperation—supervisors should cooperate with their relevant counterparts in other jurisdictions regarding the supervision and review of the principles and the implementation of any remedial action if necessary

Source: Basel Committee on Banking Supervision, Bank for International Settlements

Principles for effective risk data aggregation and risk reporting

Some principles are perhaps more challenging to interpret and implement than others. For example, the first principle tackles governance, requiring that risk data aggregation and reporting should be subject to ‘strong governance arrangements’. The Basel Committee provides some further detail on what kind of internal oversight is required, but it remains unclear precisely how banks should get senior management involved in the process of risk data aggregation. Some might choose to appoint an entirely new business function such as a risk aggregation officer. Others might decide to allocate the practice to the remit of chief data officer. The implication is a lack of consistency in governance arrangements.

The third principle deals with

the accuracy and integrity of risk data, requiring that data should be aggregated on a “largely automated basis” to minimise errors. The Basel Committee asks that banks create a data dictionary to ensure that data are defined consistently across the bank. Such a requirement could also be fulfilled in several different ways. It is also unclear what degree of automation is required, and what level of manual intervention in data aggregation would render a bank non-compliant.

Lack of clarityA similar lack of clarity pervades many of the other principles, but the inherent challenge underlying all of them is that risk data aggregation is a practice that spans so many different parts of a bank’s

architecture that it has proven difficult to find a single business function to take complete ownership.

The wide reach of the standards is crystallised in the fourth principle, which requires banks to capture and aggregate all “material risk data” across the group, spanning business lines, legal entities, asset types, industries, regions and other groupings. As most large banks typically operate thousands of legal entities, accurately capturing the risk data in a timely way is a monumental challenge.

The Basel Committee is clearly not blind to the scale of the challenge, and in December 2013 it published a progress report on the adoption of the principles. Based on a self-assessment questionnaire completed by 30 G-SIBs, the exercise revealed a

PJ Di Giammarino, ceo of JWG Group

BCBS

31 Autumn 2014

varying state of readiness for the 2016 deadline, and the Basel Committee conceded that many banks are struggling to establish strong data aggregation governance.

National supervisors, the Basel Committee said, would investigate the root causes of non-compliance and use ‘supervisory tools and appropriate discretionary measures’ to get the banks in shape by 2016. Exactly what that means is as unclear as the principles themselves, and while the final three principles deal with the role supervisors will play in monitoring and enforcing implementation, there is no indication of the penalties banks might ultimately face for non-compliance.

Attention pleaseDespite the worrying lack of clarity, the Basel Committee principles require greater attention from all market participants, from the regulators themselves to banks not yet affected, as supervisors have been advised to consider applying the principles to domestic systemically important banks as well as G-SIBs.

While other regulations such as

the Dodd-Frank Act, Basel III and the European Union’s Mifid and Emir have received much greater mainstream attention in recent years, the principles venture much deeper into banks’ operating mechanics. Basel III, for example, broadly requires a higher quality and quantity of capital and liquid assets, but it is left largely up to the banks how they achieve that.

The more complex the current business and underlying enterprise model, the more we need integration to deliver the right regulatory reforms in a cost-effective manner. Factors that will affect complexity will include the bank’s products and services, target customer base and the jurisdictional framework.

Though the principles have not so far been as large a focus area as Basel III implementation, the principles are necessarily tied to it. This is not just because they share the focus on risk, but because they alter what needs to be considered in banks’ operational risk frameworks, such as the Basel III advanced measurement approach.

Costly As regulators have now laid out the principles and have an admission from the banks, via the progress report, of their inability to manage the standards, there is the potential for banks to be hit with capital surcharges for inappropriately calibrated operational risk frameworks. As the principles cross all of their business lines, this could prove incredibly costly.

The challenge is that there is no single ‘right’ answer about precisely which capabilities an individual regulator will expect of a firm for risk data aggregation, and it is unlikely we will see a definition of a ‘good’ implementation.

However, if firms invest in a proper implementation, the risk data aggregation principles could see banks spending much more on new governance than in the past. With the current scant level of detail from regulators, doing that effectively before 2016 is going to be an almighty challenge.

2016 The principles are to be implemented by January 2016

A JOINED-UP PERSPECTIVE IS REQUIRED

Risk regulationCOREP,FINREP, liquiditymetrics,

etc.

What does good risk data compliance

look like?

Risk data

regulation

BCBS RDA and

national guidance

Infrastructure standards

(e.g., audit principles,

RRP, outsourcing)

Indu

stry

IT

effor

ts FI

BO, b

igda

taShareholders EDTF

overlap/underlap

COREP – the European Banking Authority’s common regulatory reporting framework

FINREP – Financial reporting under European rules

BCBS RDA – Basel Committee on Banking Supervision Risk Data Aggregation

RRP – Recovery and Resolution Plan

FIBO – Financial Industry Business Ontology

EDTF – Enhanced Disclosure Task Force