After completing this reading, you should be able to:
One lesson learned from the 2007-2009 Global Financial Crisis was that banks’ information technology (IT) and data architectures were inadequate to support the broad management of financial risks. Some financial institutions could not aggregate risk exposures and identify concentrations across business lines. Others were unable to manage their risks properly because of weak risk data aggregation capabilities and risk reporting practices.
This weakened the financial system’s stability. In response, the Basel Committee issued supplemental Pillar 2 (supervisory review process) guidance to enhance banks’ ability to identify and manage bank-wide risks.
The Basel Committee defines risk data aggregation as “defining, gathering, and processing risk data according to a bank’s risk reporting requirements to enable the bank to measure its performance against its risk tolerance/appetite.”
Some of the activities carried out during risk data aggregation include sorting, merging, and breaking down sets of data.
However, how exactly do effective risk data aggregation and reporting benefit a bank? The benefits include:
One of the issues widely blamed for the quick escalation of the 2007/09 financial crisis was the inability of banks to identify concentrations of risk across business lines as well as at the bank group level. The banks' inability to identify such concentrations had much to do with the absence of aggregate risk data and bank-wide risk analysis.
In response, the Basel Committee has since pushed for higher corporate governance and issued supplementary Pillar 2 guidance regarding bank capital models and risk management models (e.g., VaR). The following principles have specifically been set out:
Quoting the Basel Committee,
“A bank’s risk data aggregation capabilities and risk reporting practices should be subject to strong governance arrangements consistent with other principles and guidance established by the Basel Committee.”
This principle suggests that risk data aggregation should be a central part of risk management. Senior management should make sure the risk management framework incorporates data aggregation before approving it for implementation.
A bank’s risk data aggregation capabilities and risk reporting practices should be:
The importance of having a robust IT system cannot be overstated, but building one for purposes of risk aggregation and reporting can be quite expensive. The benefits of such a system are realized in the long term. The Basel Committee believes that in the long term, IT benefits outweigh the costs.
Quoting the committee,
“A bank should design, build and maintain data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis, while still meeting the other Principles.”
Principle 2 goes ahead to implore banks to:
Firms should monitor their data continuously to ensure the accuracy and integrity of data. Risk data should be complete and consistent with sources and include all material risk disclosures at a granular level. To ease reporting to the executive management, data should be categorized and classified accordingly. Note, however, that when the classifications of the data are too broad, information can be lost.
Banks are required to produce aggregate risk information in a timely manner. However, timeliness is often compromised when data has to be extracted and mapped from different trading systems into other systems.
Effective risk data aggregation involves certification of data elements, data quality documentation, data quality assurance mechanisms, and assessment of data quality per risk type.
On the other hand, ineffective risk data aggregation capabilities may involve a lack of well-established data quality rules, such as minimum standards for data quality reporting thresholds; absence of a designated authority; lack of an effective escalation model; weaknesses in quality control; overreliance on manual processes without proper documentation; lack of consistency for some key reports; inability to promptly source risk data from foreign subsidiaries; and lack of standardized reference data.
Quoting the committee,
“A bank should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis to minimize the probability of errors.”
According to Principle 3:
“A bank should be able to capture and aggregate all material risk data across the banking group. Data should be available by business line, legal entity, asset type, industry, region, and other groupings, as relevant for the risk in question, that permit identifying and reporting risk exposures, concentrations, and emerging risks.”
Principle 4 requires that:
Banks should ensure that risk data is always complete. If the data is not complete, the banks should explain the reasons to bank supervisors.
“A bank should be able to generate aggregate and up-to-date risk data promptly while also meeting the principles relating to accuracy and integrity, completeness, and adaptability. The precise timing depends on the nature and the volatility of the risk being measured as well as its criticality to the overall risk profile of the bank. The precise timing will also depend on the bank-specific frequency requirements for risk management reporting, under both normal and stress/crises, set based on the characteristics and overall risk profile of the bank.”
Banks need to build their risk systems to produce aggregated risk data rapidly during times of stress or crisis for all critical risks. Critical risks include:
“A bank should be able to generate aggregate risk data to meet a broad range of on-demand, ad hoc risk management reporting requests, including requests during stress or crises, requests due to changing internal needs, and requests to meet supervisory queries.”
A bank’s risk data aggregation capabilities should be flexible:
“Risk management reports should accurately and precisely convey aggregated risk data and accurately reflect risk. In addition, reports should be reconciled and validated.”
Risk management reports should be accurate and precise to ensure a bank’s board and senior management can rely with confidence on the aggregated information to make critical risk-related decisions.
Approximations are an integral part of risk reporting and risk management (scenario analyses and stress testing, among others). Therefore, banks should follow the reporting principles in this document and establish expectations for the reliability of approximations (accuracy, timeliness, etc.).
“Risk management reports should cover all material risk areas within an organization. The depth and scope of these reports should be consistent with the size and complexity of a bank’s operations and risk profile, as well as the requirements of the recipients.”
Risk management reports should include exposure and position information for:
“Risk management reports should communicate information clearly and concisely. Reports should be easy to understand yet comprehensive enough to facilitate informed decision-making. In addition, reports should include meaningful information tailored to the needs of the target audience.”
Risk reports should ensure that information is meaningful and tailored to the needs of the target audience, in particular, the board and senior management. The board is responsible for determining its risk reporting requirements and complying with its obligations to shareholders and other relevant stakeholders.
Moreover, the right balance of qualitative and quantitative information is important. Therefore, the board should alert senior management when risk reports do not meet its requirements.
“The board and senior management (or other recipients as appropriate) should set the frequency of risk management report production and distribution. Frequency requirements should reflect the needs of the recipients, the nature of the risk reported, and the speed at which the risk can change, as well as the importance of reports in contributing to sound risk management and effective and efficient decision-making across a bank. The frequency of reports should be increased during times of stress/crisis.”
A bank should routinely test its ability to produce accurate reports within established timeframes, particularly in times of stress/crises. Some exposure information may be needed intraday to allow for timely reactions.
“Risk management reports should be distributed to the relevant parties while ensuring confidentiality is maintained.”
Banks should strike a balance between the need to ensure confidentiality and the timely dissemination of reports to all appropriate recipients.
“Supervisors should periodically review and evaluate a bank’s compliance with the eleven Principles above.”
“Supervisors should have and use the appropriate tools and resources to require effective and timely remedial action by a bank to address deficiencies in its risk data aggregation capabilities and risk reporting practices.”
“Supervisors should have the ability to use a range of tools, including Pillar 2.”
“Supervisors should cooperate with relevant supervisors in other jurisdictions regarding the supervision and review of the principles and the implementation of any remedial action if necessary.”
Question
A large multinational bank is restructuring its risk management framework to align with the Basel Committee’s principles for effective risk data aggregation. As the newly appointed Chief Risk Officer, you are evaluating different strategic options. Which of the following strategies is most consistent with the Basel Committee’s guidelines?
A. Implementing an automated risk data aggregation system, but excluding potential risk exposures that are considered unlikely to materialize.
B. Developing a comprehensive risk data aggregation process that includes data on all existing and potential risk exposures, even those that might not align with the current regulatory requirements.
C. Investing heavily in manual intervention for risk data reconciliation to maintain the integrity of the data, despite a significant increase in operational costs and time.
D. Frequently updating the risk reporting systems, but focusing exclusively on adapting to changes in best practices without consideration for changing regulations or specific business needs.
Solution
The correct answer is B.
The completeness principle, as recommended by the Basel Committee, stresses that a financial institution should capture data on all existing and potential risk exposures. This means not only focusing on current regulatory requirements but also considering any risk that could materialize, even if considered unlikely at the present time. By having a comprehensive understanding of all possible risks, the bank is better positioned to manage its overall risk profile.
A is incorrect. While automation aligns with the principles, excluding potential risk exposures considered unlikely would conflict with the completeness principle, which emphasizes capturing all possible risks.
C is incorrect. Although the integrity of data is crucial, relying heavily on manual intervention might conflict with the efficiency and effectiveness principle. Automation and proper controls are often more scalable and accurate.
D is incorrect. Updating risk reporting systems is important, but focusing only on best practices without consideration for changing regulations or specific business needs would likely fall short of the adaptability principle, which encourages responsiveness to the broader risk landscape.
Things to Remember
- The Basel Committee’s principles for effective risk data aggregation emphasize a comprehensive approach that encompasses all potential and existing risks, regardless of their likelihood.
- A proper risk data aggregation system must balance these principles to ensure a holistic approach to risk management.
- Automation in risk data aggregation can enhance accuracy and efficiency but must be implemented without excluding any relevant risks.
- Adaptability is essential, requiring alignment not only with best practices but also with evolving regulations and specific business needs.
- The emphasis on comprehensiveness in risk data reflects the need for financial institutions to be prepared for unexpected scenarios, reinforcing resilience in the face of uncertain risk landscapes.