Over the last 10-15 years, banks’ escalating reliance on technology means that weakness in systems and processes can have a serious impact on bank risk management. Technology risk is becoming a major component of operational risk, as bank supervision focuses on data integrity in risk data aggregation and risk reporting.
Historically, technology risk was managed in the chief technology officer’s silo but in recent times the focus has been redirected to integrate it into an enterprise-wide bank risk management framework. Today, operational risk (including information technology (IT) risk) must truly become the ‘third leg’ of the risk stool alongside credit risk and market risk.
As a result, technology risk is too important to be left solely to IT people and the chief information officer (CIO) must play a key role in informing the risk assessments of the chief risk officer (CRO). Accordingly, regulators are increasingly examining how technology risk is being incorporated into a bank’s overall risk management framework, particularly data integrity and risk data aggregation that feeds risk reporting.
Risk management is intimately dependent on issues of data: data integrity, completeness, relevance and accuracy. Thus, good risk management, and reduction of data risk, depends on the IT architecture and systems used to store and process data, but many banks with multiple aging IT systems, or poorly integrated inherited systems, find it difficult to aggregate and report data to support risk management.
These shortcomings were harshly exposed by the financial crisis when large parts of the financial services industry in the US and Europe could not identify and aggregate risk across the financial system or quantify its potential impact.
More than six years after the crisis, many of these weaknesses remain. The Basel Committee published, at the end of last year, the results of a self-assessment by 30 global systematically important banks (G-SIBs) of their progress in meeting the committee’s principles for effective risk data aggregation and risk reporting.
The results show the lowest reported compliance rates for data architecture and IT infrastructure, the accuracy and integrity of data and the ability of banks to adapt to changing demands for data analysis and reporting. One-third of the banks will be unable to comply fully with the principles by the 2016 deadline.
With such weaknesses also hampering the ability of banks and supervisors to run reliable stress and scenario tests, supervisors are increasingly emphasizing the need for improvement. For systemically important banks, supervisors have already increased the intensity of their supervision of banks’ IT systems and data management.
Supervisors will likely require banks to take remedial action or they will reflect inaction in a bank’s overall supervisory assessment, which could impact the amount of risk capital a bank must hold. They may also impose fines and take actions against specific individuals performing senior management functions in the bank.
While the banks appreciate the need for action, they are wary of the scale of the task and the IT and data system expenditures required. There is a long way to go before the industry can convince regulators that it has the quality of data necessary to satisfy their risk reporting requirements.