Risk Data Aggregation and Reporting Principles

After completing this reading, you should be able to:

• • Explain the potential benefits of having effective risk data aggregation and reporting.
  • Explain challenges to the implementation of a strong risk data aggregation and reporting process and the potential impacts of using poor-quality data.
  • Describe key governance principles related to risk data aggregation and risk reporting.
  • Describe characteristics of effective data architecture, IT infrastructure, and risk-reporting practices.

Risk Data Aggregation and Reporting

One lesson learned from the 2007-2009 Global Financial Crisis was that banks’ information technology (IT) and data architectures were inadequate to support the broad management of financial risks. Some financial institutions could not aggregate risk exposures and identify concentrations across business lines. Others were unable to manage their risks properly because of weak risk data aggregation capabilities and risk reporting practices.

This weakened the financial system’s stability. In response, the Basel Committee issued supplemental Pillar 2 (supervisory review process) guidance to enhance banks’ ability to identify and manage bank-wide risks.

Benefits of Effective Risk Data Aggregation and Reporting

The Basel Committee defines risk data aggregation as “defining, gathering, and processing risk data according to  a bank’s risk reporting requirements to enable the bank to measure its performance against its risk tolerance/appetite.”

Some of the activities carried out during risk data aggregation include sorting, merging, and breaking down sets of data.

However, how exactly do effective risk data aggregation and reporting benefit a bank? The benefits include:

• • An increased ability to anticipate problems. Aggregated data gives managers a holistic view of risk exposure and enables them to foresee problems.
  • An increased ability to find routes back to financial health in times of financial stress. For example, a bank may negotiate better credit deals or identify a suitable merger partner.
  • Improved resolvability. For global systemically important banks (G-SIBs) in particular, resolution authorities must have access to aggregate risk data that is compliant with FSB’s Key Attributes of Effective Resolution Regimes for Financial Institutions.
  • Improved capability of the risk function to make judgments that can bring about increased efficiency and profitability.

Key Governance Principles Related to Risk Data Aggregation and Risk Reporting

One of the issues widely blamed for the quick escalation of the 2007/09 financial crisis was the inability of banks to identify concentrations of risk across business lines as well as at the bank group level. Furthermore, the main reason why the banks were unable to identify such concentrations has much to do with the absence of aggregate risk data and bank-wide risk analysis.

In response, the Basel committee has since pushed for higher corporate governance and issued supplementary Pillar 2 guidance regarding bank capital models and risk management models (e.g., VaR). The following principles have specifically been set out:

Principle 1-Governance

Quoting the Basel committee,

“A bank’s risk data aggregation capabilities and risk reporting practices should be subject to strong governance arrangements consistent with other principles and guidance established by the Basel Committee.”

This principle suggests that risk data aggregation should be a central part of risk management. Senior management should make sure the risk management framework incorporates data aggregation before approving it for implementation.

A bank’s risk data aggregation capabilities and risk reporting practices should be:

• Fully documented.
• Validated and independently reviewed by individuals well versed in IT,  data, and risk reporting functions.
• Unaffected by the bank’s group structure.
• Senior management should go to great lengths to ensure risk data aggregation is part and parcel of the risk management function.
• Considered part of any new initiatives, including acquisitions and divestitures, IT change initiatives and new product development.

Data Architecture and IT Infrastructure Features That Can Contribute to Effective Risk Data Aggregation and Risk Reporting Practices

The importance of having a robust IT system cannot be underestimated, but building one for purposes of risk aggregation and reporting can be quite expensive. The benefits of such a system are realized in the long term. The Basel Committee believes that in the long-term, IT benefits outweigh the costs.

Principle 2-Data Architecture and Infrastructure

Quoting the committee,

“A bank should design, build and maintain data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis, while still meeting the other Principles.”

Principle 2 goes ahead to implore banks to:

• Make risk data aggregation and reporting practices a crucial part of the bank’s planning processes.
• Establish integrated data classifications and architecture across the banking group.
• Appoint individuals tasked with various data management responsibilities. For example, risk managers, business managers, and IT specialists should be tasked with ensuring that data is relevant, entered correctly, and aligned to data taxonomies.

Characteristics of a Strong Risk Data Aggregation Capability

Firms should monitor their data continuously to ensure the accuracy and integrity of data. Risk data should be complete and consistent with sources and include all material risk disclosures at a granular level. To ease reporting to the executive management, data should be categorized and classified accordingly. Note, however, that when the classifications of the data are too broad,  information can be lost.

Banks are required to produce aggregate risk information in a timely manner. However, the timeliness is often compromised in an attempt to extract and map data from different trading systems into other systems.

Effective risk data aggregation involves certification of data elements, data quality documentation, data quality assurance mechanisms, and assessment of data quality per risk type.

On the other hand, ineffective risk data aggregation capabilities may involve a lack of well-established data quality rules such as minimum standards for data quality reporting thresholds; absence of a designated authority; lack of an effective escalation model; and weaknesses in quality control and overreliance on manual processes without proper documentation; lack of consistency for some key reports; inability to promptly source risk data from foreign subsidiaries and lack of standardized reference data.

Principle 3-Accuracy and Integrity

Quoting the committee,

“A bank should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis to minimize the probability of errors.”

According to Principle 3:

• Data aggregation and reporting should be reliable.
• Controls surrounding risk data should be as robust as those applicable to accounting data.
• A bank should strive to have a single authoritative source of risk data for each type of risk.
• A bank’s risk management personnel should be granted access to risk data to ensure they can aggregate, validate, and properly reconcile data.
• A bank must strike a balance between automated and manual systems. Where professional judgment is paramount, human intervention can be quite necessary.
• Banks should have policies designed to keep the accuracy of risk data in check and correct poor data quality.
• All manual, as well as automated risk data aggregation systems, should be well documented. Besides, they should explain manual workarounds and propose actions that could minimize the impact of manual workarounds.
• When a bank is relying on manual processes and desktop applications such as spreadsheets, there should be effective controls that safeguard the quality of data.
• Data should be defined consistently across a bank.
• Data should always be reconciled with other bank data, including accounting data, to ensure its accuracy.

Principle 4-Completeness

“A bank should be able to capture and aggregate all material risk data across the banking group. Data should be available by business line, legal entity, asset type, industry, region, and other groupings, as relevant for the risk in question, that permit identifying and reporting risk exposures, concentrations, and emerging risks.”

Principle 4 requires that:

• Both on- and off-balance sheet risks should be aggregated.

• Banks should ensure that risk data is always complete. If the data is not complete, the banks should explain the reasons to bank supervisors.

• It is not necessary to express all forms of risk in a common metric or basis, but risk data aggregation capabilities should be the same regardless of the choice of risk aggregation systems implemented.

Principal 5-Timeliness

“A bank should be able to generate aggregate and up-to-date risk data promptly while also meeting the principles relating to accuracy and integrity, completeness, and adaptability. The precise timing depends on the nature and the volatility of the risk being measured as well as its criticality to the overall risk profile of the bank. The precise timing will also depend on the bank-specific frequency requirements  for  risk  management  reporting,  under  both  normal  and stress/crises,  set  based on  the characteristics and overall risk profile of the bank.”

Banks need to build their risk systems to produce aggregated risk data rapidly during times of stress or crisis for all critical risks. Critical risks include:

• Counterparty credit risk exposures (derivatives);
• Trading exposures;
• Operational risk indicators;
• Aggregated credit exposure to a large corporate borrower, among others.

Principle 6-Adaptability

“A bank should be able to generate aggregate risk data to meet a broad range of on-demand, ad hoc risk   management   reporting   requests,   including   requests   during   stress or crises,   requests   due   to changing internal needs, and requests to meet supervisory queries.”

A bank’s risk data aggregation capabilities should be flexible:

• To assess emerging risks;
• To incorporate changes in the regulatory framework;
• To produce quick summary reports, etc.

Characteristics of Effective Risk Reporting Practices

Principle 7-Accuracy

“Risk management reports should accurately and precisely convey aggregated risk data and accurately reflect risk. In addition, reports should be reconciled and validated.”

Risk management reports should be accurate and precise to ensure a bank’s board and senior management can rely with confidence on the aggregated information to make critical risk-related decisions.

Approximations are an integral part of risk reporting and risk management (scenario analyses, and stress testing, among others.) Therefore, banks should follow the reporting principles in this document and establish expectations for the reliability of approximations (accuracy, timeliness, etc.)

Principle 8-Comprehensiveness

“Risk management reports should cover all material risk areas within an organization. The depth and scope of these reports should be consistent with the size and complexity of a bank’s operations and risk profile, as well as the requirements of the recipients.”

Risk management reports should include exposure and position information for:

• Significant risk areas (e.g., credit risk, market risk, liquidity risk, operational risk)
• Significant components of those risk areas (e.g., single name, country, and industry sector for credit risk).
• Risk-related measures (e.g., regulatory and economic capital).
• Emerging risk concentrations through forward-looking forecasts and stress tests.

Principle 9-Clarity and Usefulness

“Risk management reports should communicate information clearly and concisely. Reports should be easy to understand yet comprehensive enough to facilitate informed decision-making. In addition, reports should include meaningful information tailored to the needs of the target audience,”

Risk reports should ensure that information is meaningful and tailored to the needs of the target audience,  in particular, the board and senior management. The board is responsible for determining its risk reporting requirements and complying with its obligations to shareholders and other relevant stakeholders.

Moreover, the right balance of qualitative and quantitative information is important. Therefore, the board should alert senior management when risk reports do not meet its requirements.

Principle 10-Frequency

“The board and senior management (or other recipients as appropriate) should set the frequency of risk management report production and distribution. Frequency requirements should reflect the needs of the recipients, the nature of the risk reported, and the speed at which the risk can change, as well as the importance of reports in contributing to sound risk management and effective and efficient decision-making across a bank. The frequency of reports should be increased during times of stress/crisis.”

A bank should routinely test its ability to produce accurate reports within established timeframes, particularly in times of stress/crises. Some exposure information may be needed intraday to allow for timely reactions.

Principle 11-Distribution

“Risk management reports should be distributed to the relevant parties while ensuring confidentiality is maintained.”

Banks should strike a balance between the need to ensure confidentiality and the timely dissemination of reports to all appropriate recipients.

Supervisory Review, Tools, and Cooperation

Principle 12-Review

“Supervisors should periodically review and evaluate a bank’s compliance with the eleven Principles above.”

Principle 13-Remedial Actions and Supervisory Measures

“Supervisors should have and use the appropriate tools and resources to require effective and timely remedial action by a bank to address deficiencies in its risk data aggregation capabilities and risk reporting practices.”

“Supervisors should have the ability to use a range of tools, including Pillar 2.”

Principle 14-Home/Host Cooperation

“Supervisors should cooperate with relevant supervisors in other jurisdictions regarding the supervision and review of the principles and the implementation of any remedial action if necessary.”

Question

A large multinational bank is restructuring its risk management framework to align with the Basel Committee’s principles for effective risk data aggregation. As the newly appointed Chief Risk Officer, you are evaluating different strategic options. Which of the following strategies is most consistent with the Basel Committee’s guidelines?

A. Implementing an automated risk data aggregation system, but excluding potential risk exposures that are considered unlikely to materialize.

B. Developing a comprehensive risk data aggregation process that includes data on all existing and potential risk exposures, even those that might not align with the current regulatory requirements.

C. Investing heavily in manual intervention for risk data reconciliation to maintain the integrity of the data, despite a significant increase in operational costs and time.

D. Frequently updating the risk reporting systems, but focusing exclusively on adapting to changes in best practices without consideration for changing regulations or specific business needs

Solution

The correct answer is B.

The completeness principle, as recommended by the Basel Committee, stresses that a financial institution should capture data on all existing and potential risk exposures. This means not only focusing on current regulatory requirements but also considering any risk that could materialize, even if considered unlikely at the present time. By having a comprehensive understanding of all possible risks, the bank is better positioned to manage its overall risk profile.

A is incorrect. While automation aligns with the principles, excluding potential risk exposures considered unlikely would conflict with the completeness principle, which emphasizes capturing all possible risks.

C is incorrect. Although the integrity of data is crucial, relying heavily on manual intervention might conflict with the efficiency and effectiveness principle. Automation and proper controls are often more scalable and accurate.

D is incorrect. Updating risk reporting systems is important, but focusing only on best practices without consideration for changing regulations or specific business needs would likely fall short of the adaptability principle, which encourages responsiveness to the broader risk landscape.

Things to Remember

• The Basel Committee’s principles for effective risk data aggregation emphasize a comprehensive approach that encompasses all potential and existing risks, regardless of their likelihood.
• A proper risk data aggregation system must balance these principles to ensure a holistic approach to risk management.
• Automation in risk data aggregation can enhance accuracy and efficiency but must be implemented without excluding any relevant risks.
• Adaptability is essential, requiring alignment not only with best practices but also with evolving regulations and specific business needs.
• The emphasis on comprehensiveness in risk data reflects the need for financial institutions to be prepared for unexpected scenarios, reinforcing resilience in the face of uncertain risk landscapes.