After completing this reading, you should be able to:
- Explain the potential benefits of having effective risk data aggregation and reporting.
- Describe key governance principles related to risk data aggregation and risk reporting practices.
- Identify the data architecture and IT infrastructure features that can contribute to effective risk data aggregation and risk reporting practices.
- Describe characteristics of a strong risk data aggregation capability and demonstrate how these characteristics interact with one another.
- Describe the characteristics of effective risk reporting practices.
Risk Data Aggregation and Reporting
One lesson learned from the 2007-2009 Global Financial Crisis was that banks’ information technology (IT) and data architectures were inadequate to support the broad management of financial risks. Some financial institutions could not aggregate risk exposures and identify concentrations across business lines. Some others were unable to manage their risks properly because of weak risk data aggregation capabilities and risk reporting practices.
This weakened the financial system’s stability. In response, the Basel Committee issued supplemental Pillar 2 (supervisory review process) guidance to enhance banks’ ability to identify and manage bank-wide risks.
Benefits of Effective Risk Data Aggregation and Reporting
The Basel Committee defines risk data aggregation as “defining, gathering, and processing risk data according to the bank’s risk reporting requirements to enable the bank to measure its performance against its risk tolerance/appetite.”
Some of the activities carried out during risk data aggregation include sorting, merging, and breaking down sets of data.
However, how exactly do effective risk data aggregation and reporting benefit a bank? The benefits include:
- An increased ability to anticipate problems. Aggregated data gives managers a holistic view of risk exposures and enables them to foresee problems before they occur.
- An increased ability to find routes back to financial health in times of financial stress. For example, a bank may be able to negotiate better credit deals or identify a suitable merger partner.
- Improved resolvability. For global systemically important banks (G-SIBs) in particular, resolution authorities must have access to aggregate risk data that is compliant with the FSB’s Key Attributes of Effective Resolution Regimes for Financial Institutions.
- Improved capability of the risk function to make judgments that can bring about increased efficiency and profitability.
Key Governance Principles Related to Risk Data Aggregation and Risk Reporting
One of the issues widely blamed for the quick escalation of the 2007/09 financial crisis was the inability of banks to identify concentrations of risk across business lines as well as at the bank group level. Furthermore, the banks’ inability to identify such concentrations had much to do with the absence of aggregate risk data and bank-wide risk analysis.
In response, the Basel Committee has since pushed for stronger corporate governance and issued supplementary Pillar 2 guidance regarding bank capital models and risk management models (e.g., VaR). The following principles have specifically been set out:
Quoting the Basel Committee,
“A bank’s risk data aggregation capabilities and risk reporting practices should be subject to strong governance arrangements consistent with other principles and guidance established by the Basel Committee.”
This principle suggests that risk data aggregation should be a central part of risk management, and senior management should make sure the risk management framework incorporates data aggregation before approving it for implementation.
A bank’s risk data aggregation capabilities and risk reporting practices should be:
- Fully documented.
- Validated and independently reviewed by individuals well versed in IT and data and risk reporting functions.
- Unaffected by the bank’s group structure.
- Made part and parcel of the risk management function, with senior management going to great lengths to ensure this.
- Considered as part of any new initiatives, including acquisitions and divestitures, IT change initiatives, and new product development.
Data Architecture and IT Infrastructure Features That Can Contribute to Effective Risk Data Aggregation and Risk Reporting Practices
The importance of having a robust IT system cannot be overstated, but building one for purposes of risk aggregation and reporting can be quite expensive. The benefits of such a system are realized in the long term. The Basel Committee believes that in the long term, IT benefits outweigh the costs.
Principle 2-Data Architecture and Infrastructure
Quoting the committee,
“A bank should design, build and maintain data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis, while still meeting the other Principles.”
Principle 2 goes on to call on banks to:
- Make risk data aggregation and reporting practices a crucial part of the bank’s planning processes.
- Establish integrated data classifications and architecture across the banking group.
- Appoint individuals tasked with various data management responsibilities. For example, risk managers, business managers, and IT specialists should be tasked with ensuring the data is relevant, entered correctly, and aligned with data taxonomies.
Characteristics of a Strong Risk Data Aggregation Capability
Principle 3-Accuracy and Integrity
Quoting the committee,
“A bank should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis to minimize the probability of errors.”
According to Principle 3:
- Data aggregation and reporting should be reliable.
- Controls surrounding risk data should be as robust as those applicable to accounting data.
- A bank should aim to have a single authoritative source of risk data for each type of risk.
- A bank’s risk management personnel should be granted access to risk data to ensure they can aggregate, validate, and properly reconcile data.
- A bank must strike a balance between automated and manual systems. Where professional judgment is paramount, human intervention can be essential.
- Banks should have policies designed to keep the accuracy of risk data in check and correct poor data quality.
- All risk data aggregation systems, manual as well as automated, should be well documented. The documentation should explain manual workarounds and propose actions that could minimize their impact.
- When the bank is reliant upon manual processes and desktop applications such as spreadsheets, there should be effective controls that safeguard the quality of data.
- Data should be defined consistently across the bank.
- Data should always be reconciled with other bank data, including accounting data, to ensure its accuracy.
“A bank should be able to capture and aggregate all material risk data across the banking group. Data should be available by business line, legal entity, asset type, industry, region, and other groupings, as relevant for the risk in question, that permit identifying and reporting risk exposures, concentrations, and emerging risks.”
Principle 4 requires that:
- Both on- and off-balance sheet risks should be aggregated.
- Banks should ensure that risk data is always complete. Where the data is not complete, banks should be able to explain the reasons to bank supervisors.
- It is not necessary to express all forms of risk in a common metric or basis, but risk data aggregation capabilities should be the same regardless of the choice of risk aggregation systems implemented.
“A bank should be able to generate aggregate and up-to-date risk data promptly while also meeting the principles relating to accuracy and integrity, completeness, and adaptability. The precise timing depends on the nature and the volatility of the risk being measured as well as its criticality to the overall risk profile of the bank. The precise timing will also depend on the bank-specific frequency requirements for risk management reporting, under both normal and stress/crisis situations, set based on the characteristics and overall risk profile of the bank.”
Banks need to build their risk systems to be capable of producing aggregated risk data rapidly during times of stress/crisis for all critical risks. Critical risks include:
- Counterparty credit risk exposures (derivatives);
- Trading exposures;
- Operational risk indicators;
- Aggregated credit exposure to a large corporate borrower, among others.
“A bank should be able to generate aggregate risk data to meet a broad range of on-demand, ad hoc risk management reporting requests, including requests during stress/crisis situations, requests due to changing internal needs and requests to meet supervisory queries.”
A bank’s risk data aggregation capabilities should be flexible:
- To assess emerging risks;
- To incorporate changes in the regulatory framework;
- To produce quick summary reports, etc.
Characteristics of Effective Risk Reporting Practices
“Risk management reports should accurately and precisely convey aggregated risk data and accurately reflect risk. Reports should be reconciled and validated.”
Risk management reports should be accurate and precise to ensure a bank’s board and senior management can rely with confidence on the aggregated information to make critical decisions about risk.
Approximations are an integral part of risk reporting and risk management (scenario analyses and stress testing, among others). Banks should follow the reporting principles in this document and establish expectations for the reliability of approximations (accuracy, timeliness, etc.).
“Risk management reports should cover all material risk areas within the organization. The depth and scope of these reports should be consistent with the size and complexity of the bank’s operations and risk profile, as well as the requirements of the recipients.”
Risk management reports should include exposure and position information for:
- Significant risk areas (e.g., credit risk, market risk, liquidity risk, operational risk)
- Significant components of those risk areas (e.g., single name, country, and industry sector for credit risk).
- Risk-related measures (e.g., regulatory and economic capital).
- Emerging risk concentrations through forward-looking forecasts and stress tests.
Principle 9-Clarity and Usefulness
“Risk management reports should communicate information clearly and concisely. Reports should be easy to understand yet comprehensive enough to facilitate informed decision-making. Reports should include meaningful information tailored to the needs of the recipients.”
Risk reports should ensure that information is meaningful and tailored to the needs of the recipients, in particular, the board and senior management. The board is responsible for determining its risk reporting requirements and complying with its obligations to shareholders and other relevant stakeholders.
Moreover, the right balance of qualitative and quantitative information is important. The board should alert senior management when risk reports do not meet its requirements.
“The board and senior management (or other recipients as appropriate) should set the frequency of risk management report production and distribution. Frequency requirements should reflect the needs of the recipients, the nature of the risk reported, and the speed at which the risk can change, as well as the importance of reports in contributing to sound risk management and effective and efficient decision-making across the bank. The frequency of reports should be increased during times of stress/crisis.”
A bank should routinely test its ability to produce accurate reports within established timeframes, particularly in stress/crisis situations. Some exposure information may be needed intraday to allow for timely reactions.
“Risk management reports should be distributed to the relevant parties while ensuring confidentiality is maintained.”
Banks should strike a balance between the need to ensure confidentiality and the timely dissemination of reports to all appropriate recipients.
Supervisory Review, Tools, and Cooperation
“Supervisors should periodically review and evaluate a bank’s compliance with the eleven Principles above.”
Principle 13-Remedial actions and supervisory measures
“Supervisors should have and use the appropriate tools and resources to require effective and timely remedial action by a bank to address deficiencies in its risk data aggregation capabilities and risk reporting practices.”
“Supervisors should have the ability to use a range of tools, including Pillar 2.”
Principle 14-Home/host cooperation
“Supervisors should cooperate with relevant supervisors in other jurisdictions regarding the supervision and review of the principles and the implementation of any remedial action if necessary.”