Robust Data Management for Effective Risk Management at Banks
Lack of Information Technology (IT) competencies and data architecture to effectively warn decision makers about the aggregate risk exposure poses severe threats not only to individual banks, but also to the stability of the entire global banking system. In this regard, Basel Committee of Bank Supervision (BCBS) issued BCBS 239 guidelines in 2012 to be implemented by 2016, with the objective of acknowledging and addressing the underlying issues associated with risk data aggregation and reporting capabilities of banks. BCBS 239 is a set of 14 principles predominantly aimed at strengthening bank’s risk management practises, decision making process and resolvability and have become the de facto standard for bank’s risk data processes, controls and systems.
How Banks can Benefit?
Overview of the Guidelines
Banks identified as Globally Systematically Important Banks (G-SIBs) as on November 2012 should meet the guidelines by January 2016. Also, Banks which are designated as G-SIBs after November 2012 should adhere to these within three years of designating. However, as on June 2018 only 3 out of 30 G-SIBs have fully complied to the guidelines.
National supervisors are encouraged to apply these principles for banks identified as Domestically Systematically Important Banks (D-SIBs), three years after designating as D-SIBs.
The principles are predominantly applicable to risk management data, processes and models including Pillar 1 regulatory capital models, Pillar 2 capital models and other risk management models such as value-at-risk. It should be applied at banking group level, across legal entities and even for outsourced processes. In addition, the banks are also encouraged to apply these principles to other processes such as finance and operations.
RDARR guidelines include 14 interlinked principles out of which 11 are focused on overarching governance and infrastructure, risk data aggregation capabilities and risk reporting practises. The remaining 3 principles are focusing on supervisory review. The guidelines emphasize the importance of meeting all RDARR principles simultaneously. Trade-offs are only permitted in exceptional circumstances such as urgent or ad-hoc requests related to new areas of risks.
1. Overarching Governance and Infrastructure
Governance: The management should encourage implementation and allocate sufficient resources to ensure the quality, review and signoff of the RDARR framework. The management should also be fully aware of the limitations and ensure adherence to agreed timelines. The board is responsible to determine requirements and oversee the overall function.
Data Architecture and IT Infrastructure: A bank should design, build and maintain a risk data and IT infrastructure to facilitate RDARR; owners of both business and IT functions along with risk managers are accountable for the quality and controls of infrastructure.
2. Risk Data Aggregation Capabilities
Accuracy and Integrity: A bank should ensure accuracy and reliability of risk data by imposing necessary control mechanisms and processes such as reconciliation of risk data with accounting data, maintain a balance between automated & manual systems and defining & documenting RDA processes and concepts.
Completeness: While risk data should be captured and aggregated at the group level, there should also be a provision to segment data based on the business line, legal entity, asset type, industry, region etc. RDA capabilities should be complete and include all material risk exposures including off-balance sheet items.
Timeliness: RDA should happen in a timely fashion depending on the risk reporting frequency, nature of risk, risk profile and potential volatility of the risk being measured.
Adaptability: RDA capabilities should be flexible and customizable to meet a range of demands including ad-hoc requests, supervisory requests, crisis management requests and to cater to changing internal needs.
3. Risk Reporting Practices
Accuracy: Risk reporting should be accurate, precise and reliable to reflect risk in an exact manner. Reports should be reconciled and validated.
Comprehensiveness: Risk reporting should cover exposure and position information of all material risk areas. The reports scope should address the requirements of the recipient and be in line with the size, level of sophistication and risk profile.
Clarity and Usefulness: The report should be presented in a meaningful, clear and concise manner, customized to the requirement of the recipient. It should have a suitable balance between data, analysis and interpretation.
Frequency: The board and the senior management should specify the reporting frequency based on the type and volatility of risk, along with the requirement. The frequency should be higher during crisis/stress situations.
Distribution:Timely dissemination of the reports is important while maintaining confidentiality.
4. Supervisory Review, Tools and Cooperation
Review: Banking supervisors should periodically review the compliance of banks with the principles in the guideline.
Remedial Actions and Supervisory Measures: Supervisors should have the appropriate tools and resources to address deficiencies in the RDARR practices. They should use these effectively for a timely remedial action by the bank.
Home/ Host Cooperation: A country’s banking supervisor should coordinate with supervisors of other countries regarding the supervision and review of the principles and imposing any remedial action if applicable.
The 14 BCBS 239 principles are primarily aimed at strengthening the information reporting infrastructure and improving information efficiency and risk aggregating capabilities of banks. By complying with these guidelines, a bank will be able to effectively manage crisis/ stress situations, as it enables a bank to efficiently and accurately analyse risk data and exposures, as well as key risk metrics that affects decision making process.