One of the most significant lessons learned from the global financial crisis was the inadequacy of the IT risk framework to support management in dealing with financial risks, and the inability to aggregate risk exposures and identify risk concentrations in a timely and accurate manner at group level. In response, the Basel Committee issued a set of Principles (BCBS 239) [1] as supplemental Pillar 2 guidance in order to enhance banks’ ability to identify and manage bank-wide risks. The deadline defined for G-SIBs [2] to meet these expectations was set at the beginning of 2016.
The Basel Committee emphasized the importance of a strong governance framework and a risk data architecture and IT infrastructure as a precondition to ensure sound risk data aggregation and risk reporting practices [3]. Within the euro area, the European Central Bank (ECB) needs to harmonize and ensure comparable prudential reports from banks under its direct supervision. Indeed, the quality of management information was a supervisory priority in 2015, and Danièle Nouy, President of the Supervisory Council at the ECB, has indicated that data integrity will again be a supervisory priority for 2016.
Already as part of the 2015 SREP exercise, risk infrastructure, data and reporting were assessed for each bank as part of the internal governance and risk management assessment. This has also arisen as a SREP finding for some institutions, which must now propose a remediation plan. Such issues may be subject to follow-up on-site inspections. The ECB has stressed the importance of drill-down capabilities to better understand the individual risk drivers behind aggregated key risk indicators.
A proper IT architecture for risk data aggregation and reporting could guarantee the following objectives:
Generally, banks’ IT framework falls into two categories:
During the 2013 self-assessment on the BCBS 239 Principles, G-SIBs showed a strong reliance on manual processes and significant issues related to data architecture and IT infrastructure.
In light of the difficulties encountered by the banks in launching and implementing interventions to reconfigure the IT architecture, the 2014 self-assessment continued to highlight deficiencies that did not allow banks’ management to rely on strong data collection and aggregation processes supported by a robust IT infrastructure.
In a context of limited investment capabilities, a possible IT approach to becoming compliant with the Principles would be to enhance and leverage the existing risk architecture for a sub-set of relevant metrics, instead of creating a centralized data management layer fed directly by each single risk database (“Integrated MIS”).
The potential benefit of investing in such existing “vertical” systems includes a lower execution risk, since each risk owner’s competencies can be leveraged, which helps to ensure better implementation control and to achieve a reasonable level of compliance with the regulation.
The most realistic approach to gaining efficiency in the data aggregation process is to envisage a greater level of cooperation between the Risk and Finance functions, entrusting the emerging function of Chief Data Officer (CDO) with the role of coordination and analysis.
One other topical issue remains: the time needed to prepare risk reports and the interpretation of "timeliness" by the banks and the authorities. The general expectation of the ECB supervisors seems to be the "t+10" rule, which most banks currently fail to meet.
[1] BCBS 239: “Principles for effective risk data aggregation and risk reporting”
[2] Global systemically important banks
[3] See BCBS 239, paragraph 26 (“Overarching Governance and Infrastructure: Bank should have in place a strong governance framework, risk data architecture and IT infrastructure, these are preconditions to ensure compliance with the other Principles included in this document”)