The best people to work with
June 2015
WHITEPAPER ON RISK DATA AGGREGATION AND
REPORTING GUIDELINES (BCBS 239)
About the Authors
Anshuman Prasad Director, Risk & Analytics [email protected]
CRISIL Global Research and Analytics
Kshitij Bhatia
Director, Risk & Analytics [email protected]
CRISIL Global Research and Analytics
Anshuman Prasad is based in London and is the Global Head of Risk Modeling and Analytics at CRISIL GR&A. Anshuman heads a global team of quant modellers focussed on stress testing, market, credit and counterparty risk modelling assignments.
Anshuman has more than 11 years of industry experience in risk, derivatives and quantitative analytics and holds a Masters in Engineering from UC Berkeley and an M.B.A. in Finance from the Indian School of Business.
Kshitij Bhatia is Director of Risk and Analytics in CRISIL Global Research and Analytics. He is based out to Mumbai and is responsible for delivery of Derivatives and Global Markets solutions.
Kshitij Joined CRISIL in May 2006 and has lead several analytics projects in valuation of structured products, regulatory risk modelling and reporting, Front Office and Middle Office solutions. He has spent large part of his experience in London, UK providing solutions to Top tier Investment Banking client of CRISIL.
Kshitij is certified Financial Risk Manager and member of Global Association of Risk Professional. His current focus area is regulatory risk management.
Kshitij is a MBA with Specialisation in Finance from Faculty of Management Studies, University of Delhi and a Bachelor in Engineering in Computer Science from University of Delhi.
Executive Summary
A bank's ability to get a holistic view of its risks in times of stress is critical to survive a crisis.
Against the backdrop of the 2008 financial crisis, the Basel Committee on Banking Supervision (BCBS) published a consultative paper (BCBS Regulation 239) on the 'Principles for Effective Risk Data Aggregation and Risk Reporting' in January 2013. The paper is aimed at strengthening risk management at banks to avert instability of the global financial system. It enlists 14 principles, out of which 11 are relevant to banks. These principals offer to improve risk data architecture and reporting systems as a fundamental requirement for robust risk management.
The Basel committee expects the Global Systemically Important Banks (G-SIBs) to comply with the regulations by January 2016. In January 2015, the committee published a progress report on implementation of the principles. Based on the information obtained from the surveyed banks, it was inferred that most of them faced difficulty in implementing four principles. They are data architecture, accuracy/integrity, adaptability in data aggregation, and accuracy in risk reporting. To tackle these difficulties, the banks have devised alternate methods that are not very comprehensive and are likely to impair risk data aggregation and reporting processes. Majority of the banks have expressed their inability to follow at least one of the 11 principles within the deadline.
CRISIL GR&A believes that implementation of the 11 principles will primarily impact four areas:
risk management personnel, governance and infrastructure, risk data aggregation capabilities, and risk reporting practices. Some of the key challenges within these impact areas will be:
resistance to change, complexity in integrating data across geographies and Lines of Businesses (LoBs), loss of data traceability, and different reporting standards across geographies and LoBs.
With a view to assist the banks, CRISIL GR&A proposes an approach to set-up Golden Risk Data Sources to store risk data. The existing risk system comprises risk data repositories in silo, which makes risk aggregation complex and cost intensive. The idea is to streamline the approach towards data management by breaking the whole process into smaller achievable steps. The first step is to store, treat and retain high quality data in the form of Golden Risk Data Source. This document will elaborate on CRISIL GR&A's area of focus and the approach for implementing BCBS 239.
The best people to work with
Objective and Scope of BCBS 239 Guidelines
The objective of the BCBS 239 framework is to improve risk data architecture and reporting systems as a fundamental requirement for robust risk management. This is the first time the regulator has set out specific requirements for Information Technology (IT) risk architecture and risk data management at banks. Here is an overview of the actual scope and requirements of the framework.
The guidelines on 'Principles for Effective Risk Data Aggregation and Risk Reporting' have two dimensions:
A set of principles to be adopted by banks (for Effective Risk Data Aggregation and Reporting), and
The role of regulators in monitoring end-to-end implementation of these principles
The overall risk data aggregation and risk reporting process combines the reporting requirements of the banks (Effective Risk Data Aggregation and Reporting) with the Supervisory Review Process of the regulators, as given in Figure 1.
Figure 1: Overview of BCBS 239 Guidelines and Timeliness
Supervisory Review Process for Regulators
IV. Supervisory Review , Tools & Cooperation
Principle 12 : Review
Principle 13: Remedial Actions & Supervisory Measures
Principle 14: Home/ host Cooperation
Dialogue Challenge
Effective Risk Data Aggregation &
Reporting Guidelines for Banks I. Overarching Governance &
Infrastructure
Principle 1 : Governance
Principle 2 : Data Architecture
II. Risk Data Aggregation Capabilities
Principle 3 : Accuracy & Integrity
Principle 4 : Completeness
Principle 5 : Timeliness
Principle 6 : Adaptability
III. Risk Reporting Practices
Principle 7 : Accuracy
Principle 8: Comprehensiveness
Principle 9 : Clarity & Usefulness
Principle 10 : Frequency
Principle 11 : Distribution
Month – Year Description
January 2013 Principles on Risk Data Aggregation are issued by BCBS
March 2013 Questionnaire for self-assessment are sent out to G-SIBs
July 2013 G-SIBs to submit responses for self- assessment
December 2013 BCBS report on ndings of self- assessment by G-SIBs
January 2016
Date by which G-SIBs need to be compliant with principles of Risk Data Aggregation
Timelines
Internal Governance
In the regulation 239, the BCBS has specified 11 principles for the banks, covering three interrelated key areas: Overarching Governance and Infrastructure; Risk Data Aggregation Capabilities; and Risk Reporting Practices. High-quality risk reports rely on strong data aggregation capabilities, and sound governance and infrastructure to ensure adequate information flow within the bank. The principles aim to strengthen the banks' risk data aggregation and risk reporting practices and improve their risk management practices. In addition, an improved ability to quickly access comprehensive risk data at the legal entity level and business level will enhance a bank's decision-making processes and improve its resolvability.
The principles have stringent rules regarding governance, management, aggregation, calculation, and reporting of risk data. They also require banks to take a critical look at their existing IT infrastructure and make significant changes to their current systems and processes. The appendix here provides a brief description of these principles.
The best people to work with
Present Status of BCBS 239 Compliance
The Basel committee expects the G-SIBs banks to implement the BCBS 239 framework by January 2016.
In January 2015, the Basel committee published a progress report on implementation of the principles.
Based on the information obtained from the surveyed banks, it was inferred that they are facing a difficulty in implementing the BCBS guidelines. Figure 2 presents the average ratings based on the level of compliance achieved by the banks against each BCBS 239 principle.
Source: “Progress in adopting the principles for effective risk data aggregation and risk reporting” – BCBS,January 2015
Figure 2: Progress of Implementation of BCBS 239 Guidelines as on December 2014
Table 1: Rating Scale
Description Degree of Compliance
Banks have not yet implemented the principle/requirement
B a n k s a r e m a t e r i a l l y n o n - c o m p l i a n t w i t h t h e principle/requirement, and significant actions are needed to achieve full compliance with the principle/requirement
Banks are largely compliant with the principle/requirement, and hence, only minor actions are needed to achieve full compliance with the principle/requirement
Banks are fully compliant with the principle/requirement, and the objective of the principle/requirement is fully achieved with the existing architecture and processes Non-compliant
Materially non-compliant Largely compliant
Fully Compliant Overarching Governance &
Infrastructure
Risk data aggregation capabilities
Risk reporting practices
Governance Data architecture and IT infrastructure Accuracy and Integrity
Completeness Timeliness
Adaptability
Accuracy
Comprehensiveness Clarity and usefulness
Frequency
Distribution
Non- compliant
Materially non-compliant
Largely Compliant
Fully Compliant
Following are the key findings from the Basel committee's progress report:
Many global banks are unable to establish strong data aggregation, architecture, and processes.
Hence, they are resorting to extensive manual workarounds, which are likely to impair risk data aggregation and reporting.
Most of the banks under survey have reported difficulty in complying with principle 2 (data architecture/IT infrastructure), principle 3 (accuracy/integrity), principle 6 (adaptability), and principle 7 (accuracy).
Most of the surveyed banks have expressed their inability to fully comply with at least one principle within the deadline.
Though the banks have significantly improved their compliance with BCBS 239 principles, a majority of the banks are still facing serious challenges regarding comprehensiveness, clarity, and utility of the current risk reporting framework. Hence, the adoption of the BCBS 239 guidelines is a tough task.
The best people to work with
Impact Assessment of BCBS 239 Guidelines
CRISIL GR&A has been supporting a number of banks in various activities related to BCBS 239 guidelines compliance. Based on the feedback obtained from the banks, CRISIL GR&A has analysed the impact of implementing the BCBS 239 guidelines on the current risk data aggregation and reporting framework.
Figure 3 presents the details of CRISIL GR&A's impact analysis of the BCBS 239 guidelines. It was assessed that the implementation of the BCBS 239 principles would keep the banks' boards better informed about the overall risk and would help them make critical strategic decisions. It would also bring about a radical change in the operational, technical, governance, and reporting structure of the banks' risk management process. Moreover, a dynamic reporting system is required to generate risk data that can be used for making real-time decisions.
Figure 3: Potential Impact of BCBS 239 Guidelines on the banks
Risk Management
Personnel
Risk Data Architecture
and Management
Risk Governance
Risk Reporting
Impact Challenge Solu on
Detailed examination of the inter- linkages between the different data structures for developing an integrated risk data management architecture.
POTENTIAL IMPACT OF BCBS 239 GUIDELINES ON G-SIBs
Risk Data Generating
Process
Risk Management
Systems
Revamping the process to generate accurate data at the most granular level of the system
Complexity in the existing processes can make the transition to risk processes difcult
Critical examination of the entire process regard to its transparency and exibility.
Incorporating stress scenario modeling, tests, and a wide range Managing potential changes in the roles and the nature of work due to an overall change in the risk management process
Risks associated with the loss of traceability and lineage can result
Develop processes which incorporate different stress scenarios and test procedures which can be meaningfully integrated with the mainstream risk management system
Potential changes in the roles and nature of work due to overall change in the risk management process.
Complexity involved in the transition process could make the personnel across different hierarchies resistant to the change
Extended communication to create awareness regarding the long term benets of the guidelines for the organization.
Revising to avoid multiplicity of data generating processes while preventing the exclusion of any risk data
Complexity and inter-linkages i n t h e s t r u c t u r e o f d a t a generated across different geographies and lines of business (LoBs) could make the overall integration of risk data difcult
Existence of a data quality assurance mechanism at the data collection source
Integration of the entire process could distort the r e p o r t i n g a n d v a l i d a t i o n process
Governance structure should o u t l i n e t h e r o l e s a n d responsibilities of different parties involved. Appropriate service-level agreements (SLAs) should be created with external parties
Reporting tools to support ad hoc statistical analyses.
Broader risk coverage to provide relevant information to senior management on a timely basis
Differences in the structure and timelines of reporting requirements in different geographies and LoBs could make the overall integration difcult
Integrating additional data
exibly and traceability in order to have rapid responses to new data streams or new product structures.
Source: CRISIL GR&A's analysis of data, systems, and processes of the seven banks
: Major Impact : Moderate Impact : Low Impact
The best people to work with
Key observations from CRISIL GR&A's impact analysis:
Higher level of automation and connected risk processes would be required to generate risk data
Greater flexibility is required in the existing risk management system to accommodate ad hoc and integrated stress scenario modelling, back testing, and a wide range of data aggregation and analysis
Potential changes in the roles of the risk management personnel are imminent due to transformation in the risk management process.
Ad hoc statistical analyses, broader risk coverage, and a distribution mechanism would be required to provide relevant information to senior management on a timely basis.
Risk Data Sourcing as Central Requirement
CRISIL GR&A leveraged its experience in the risk IT domain to conduct an in-depth study of the banks' existing risk data architecture and risk reporting framework. Based on this study, CRISIL GR&A proposes a three-step approach to help banks comply with BCBS 239 guidelines
1. Data Storage – Collate critical information and data elements in the form of data dictionaries and taxonomies. This would help in the collection of data for all risk categories at the group level, thus reducing the time required for data aggregation and risk reporting.
2. Data/Risk Aggregation – Aggregate risk data at various levels of risk and consolidate them across all geographies and LoBs to expedite data reconciliation and risk reporting.
3. Robust reporting – Dynamic and real-time reporting with active feedback mechanism at various levels of management.
Based on our engagement with numerous banks, we identified data-related challenges such as inconsistencies in the market, static data, and risk measures across multiple asset classes as primary impediments to comply with BCBS 239 guidelines. Risk aggregation will be inefficient if risk data is not stored and treated appropriately. Hence, CRISIL GR&A proposes that the sourcing and treating of risk data should be the primary focus of the banks at present.
Figure 4 presents the flow of risk data from the upstream systems (front office) to downstream systems (RWA/Margin calculators) -
The front office systems gather exposure information on different asset classes. The exposure information is a dynamic data that varies with time. The front office systems also capture risk measures and static trade data. The banks may have separate processes for computation of exposures and risk metrics by asset class.
The front office systems capture huge volume of transaction data on a daily basis. This data needs to be reconciled and stored in a structured manner. Qualitative and quantitative checks are required to remove any noise in the data that may produce incorrect results.
To maintain a ready-to-use repository of risk data CRISIL GR&A proposes setting up of a Golden Risk Data Source which will source, clean, reconcile and maintain the risk data. This will form a centralised repository that will feed the downstream systems for risk weighted assets (RWA) and margin calculations.
The best people to work with
Figure 4 : Risk Data as Focus Area
Risk Measures Across Asset Classes Sta c Trade Data
Source relevant data from various systems
Data cleaning (segrega on of relevant data)
Check data quality between systems
Validate migra on to standard risk taxonomy Control frameworks to track and
resolve issues Sign-offs and repository
maintenance
Data Sourcing/Validation and Excep on Handling
RWA Calcula ons Margin Calcula ons
Golden Risk Data Repository
Downstream Systems
Details of Golden Risk Data Source
Sourcing of data from various systems will help to create a master database. It can be further used to retrieve information at any stage. Banks should strive to identify a single source for each type of data.
Data cleanup will retain the relevant information related to data variables. Segregation or segmentation is one of the few techniques that could be used to group relevant data.
Quality check will ensure that any transformation of the raw data is validated, and loss of data through inefficient data cleaning technique is minimised. Data quality can be measured at multiple points—at data source level, at standardisation level and at point of distribution to business. This ensures that the data is fit for business.
Migration to standard risk taxonomy will provide a common standard reference point for data alignment and standardise data for various asset classes and geographies.
Control frameworks should be established for exception reporting of data and to resolve data- related issues. This requires efficient workflow for error detection, research and resolution, as well as a framework for root cause analysis and continuous improvement to ensure that data quality remains at acceptable levels or follows an upward trend.
Signoffs and maintaining the repository to ensure integrity of key risk data elements FO Systems Across Asset Classes
Benefits of Golden Risk Data Source
Maintains data history and increases the quality and accuracy of data
Provides better risk coverage of trades across systems
Increases the operational efficiency across lines of businesses
Reduces the time for identifying and fixing gaps in data flow process
Expedites risk reporting and reconciliation of data
The best people to work with
Recommended Actionable Steps
CRISIL GR&A recommends the following steps to set-up a Golden Risk Data Source – 1. Standardisation of Risk Data Inventories
CRISIL GR&A suggests banks to establish a taxonomy and dictionary of risk data. All models of risk data should be derived from these standards and aggregated across the group or business lines using standard naming conventions. This should culminate in maintainable and robust physical data models. Data lineage should be strengthened by establishing defined and documented processes, along with responsibilities and data ownership. Risk and accounting data should be aligned and reconciled. The level of data details across the organisation must be consistent to allow aggregation and flexible reporting. Banks should consolidate data sources and strive toward a single authoritative and golden (data) source for each risk type and a high degree of automation. Desktop and end-user computing should be reduced and phased out wherever possible.
2. Data Testing and Quality Check
Banks must establish a data-quality management system, which includes data profiling, data lineage, monitoring, reporting, and escalation procedures. Banks should establish a testing process to evaluate the market data, which is used as an input in the risk system. Comprehensive data governance must be established, including identifying data owners and creating service-level agreements (SLAs) (between units within the bank and with external parties regarding processes related to risk data). Risk reporting and reconsolidation should be documented and automatic (or manual) quality checks for risk-reporting practices should be implemented.
Mentioned below are the recommended action points to enhance the risk infrastructure and achieve compliance with BCBS 239 principles -
Unification of risk functionalities - A scenario management feature would unify risk functionalities and provide flexibility to compare risks across LoBs and geographies.
Risk Detailing - Banks need to ensure that the controls applied to risk data should be as robust as the ones applied to accounting data.
Risk reporting and Control - Banks should implement a strong risk management function with accountability and responsibility going up to the board
Conclusion
The Basel committee's proposed regulations have brought a paradigm shift in the risk data aggregation and risk reporting processes. The regulations have mandated that the G-SIBs banks should set up a framework, which will help them to effectively aggregate risk data and produce risk reports related to their exposures to different counterparties at various levels of aggregation.
The banks are facing enormous challenges while implementing these regulations at a granular level, mainly because of their size, complexity of operations, and enormity of data generated by source systems. CRISIL GR&A would like the banks to focus on sourcing and treating of the risk data initially.
Without attending to the issues that arise at the first step of risk aggregation, the banks will be unable to set up and test the existing risk system.
CRISIL GR&A has analysed the various challenges the banks are facing and offered practical approach to overcome them. Setting up a Golden Risk Data Source is at the core of establishing a risk system that will be accurate, consistent, and completely auditable.
The best people to work with
Appendix: Overview of BCBS 239 guidelines
Areas of Focus Principles Brief Details
Overarching Governance and Infrastructure
Governance A robust governance system should be built around risk data aggregation capabilities and risk reporting practices
Data architecture and IT infrastructure
Data architecture and IT infrastructure should be designed, built, and maintained to fully support their risk data aggregation capabilities and risk reporting practices, not only in normal times but also in times of stress or crisis
Risk Data Aggregation Capabilities
Accuracy and Integrity
Accurate and reliable risk data should be generated at an aggregate level to meet the reporting requirements under normal and stress/crisis scenarios on a largely automated basis
Completeness
All material risk data should be captured and aggregated across the banking group, business line, legal entity, asset type, industry, region,and other groupings
Timeliness
Risk data should be generated and updated on an aggregate level in a timely manner while meeting the principles relating to accuracy,integrity, completeness ,and adaptability
Adaptability
Risk data should be generated on an aggregate level to meet a broad range of on-demand, ad hoc risk management reporting requests, including requests during stress/crisis situations
Risk Reporting Practices
Accuracy
Risk management reports should accurately and precisely convey aggregated risk data and exactly reect the risk involved.
Reports should be reconciled and validated
Comprehensiveness
Risk management reports should cover all material risk areas of the organisation. The depth and scope of these reports should be consistent with the size and complexity of the bank’s operations and risk prole
Clarity and usefulness
Risk management reports should communicate information in a clear and concise manner
Frequency
Frequency requirements should reect the needs of the recipients, the nature of the risk reported, and the speed at which the risk can change
Distribution Risk management reports should be distributed to relevant parties while ensuring that condentiality is maintained
CRISIL Ltd is a Standard & Poor’s company Stay Connected | Twitter | LinkedIn | YouTube | Facebook
About CRISIL Limited
CRISIL is a global analytical company providing ratings, research, and risk and policy advisory services. We are India's leading ratings agency. We are also the foremost provider of high-end research to the world's largest banks and leading corporations.
About CRISIL Global Research & Analytics (GR&A)
CRISIL Global Research & Analytics (GR&A) is the world's largest and top-ranked provider of high-end research and analytics services. We are the world's largest provider of equity and credit research services. We are also the foremost provider of end-to-end risk and analytics services to trading and risk management functions at world's leading financial institutions and corporations. We offer corporate strategy, competitive intelligence and key account management support to corporations globally. We operate from research centers in Argentina, China, India and Poland, working with our clients across several time zones and in multiple languages. We are proud to be an organization that has the vision to proactively invest in its people and get them future-ready. We are committed to delivering cutting-edge analysis, opinions, and solutions. This underscores our proposition of “Making Markets Function Better”.
CRISIL Privacy Notice
CRISIL respects your privacy. We use your contact information, such as your name, address, and email id, to fulfil your request and service your account and to provide you with additional information from CRISIL and other parts of McGraw Hill Financial you may find of interest.
For further information, or to let us know your preferences with respect to receiving marketing materials, please visit www.crisil.com/privacy. You can view McGraw Hill Financial's Customer Privacy Policy at http://www.mhfi.com/privacy.
Last updated: August, 2014 Disclaimer
CRISIL has taken due care and caution in preparing this report. Information has been obtained by CRISIL from sources which it considers reliable. However, CRISIL does not guarantee the accuracy, adequacy or completeness of any information, and is not responsible for any errors in transmission; and especially states that it has no financial liability whatsoever to the subscribers / users/ transmitters/ distributors of this report.
No part of this report may be reproduced in any form or any means without permission of the publisher.
Contents may be used by news media with due credit to CRISIL.
© CRISIL. All rights reserved.
Argentina China Hong Kong India Poland Singapore UK USA
For further information regarding our services, please contact
United States Europe
+1 646 292 3520 +44 870 333 6336 Email us at [email protected]