"Some banks were unable to manage their risks properly because of weak risk data aggregation capabilities and risk reporting practices. This had severe consequences for the banks themselves and for the stability of the financial system as a whole ..."This is the assessment from a document known as "BCBS 239“, which was published in January 2013, and entitled: "Principles for Effective Risk Data Aggregation and Risk Reporting". The subsequent self-assessment completed by the institutions and published in BCBS 268 reinforced the fears of the regulator: "Many institutions, on account of a shortage of reporting capacities and of possibilities for ad hoc analysis, lacked the ability to aggregate risk exposures quickly and to identify concentrations accurately at the bank group level, across business lines and between legal entities."
Therefore, the Basel Committee formulated 14 Principles that are intended to form the future basis for the automated generation of reports on the risk and income positions of institutions. The Principles have to be transposed into national law by 2016. In view of the significance of reporting, as well as of the stringent demands placed on internal processes, the main target groups are the globally and nationally systemically important institutions. In accordance with the principle of proportionality (MaRisk), it can be expected that, for smaller institutions, too, incrementally, this will also become important in a similar form. Here, in particular, it should be noted that the institutions will have to comply with all of the risk data aggregation and risk reporting principles at the same time.
In effect, the requests from the regulator, which cut across reporting requirements and internal reports, (e.g. stress tests or checks), show that, currently, the not-so-big institutions should also be focussing on this issue.
The timetable for implementation
A classification of the principles
The principles can be summarised in four overarching categories:
- Corporate management - Infrastructur
- Data architecture and infrastructure
- Risk data aggregation capacities
- Accuracy and integrity
- Risk reporting capabilities
- Accuracy of reports
- Coverage of all main risk areas
- Clarity and usefulness of reports
- Reporting frequency
- Distribution of reports
- Supervisory Measures
- Review of compliance with the Principles
- Use of tools and resources for effective and timely remedial action to address a bank's deficiencies
- Cross-border cooperation of the supervisory authority with the authorities of other countries
Even with centralised data repositories (less common in complex groups of companies), for many banks additional processes have arisen that are based on end-user developed applications (EUDA) for reporting. These are indeed suitable for specific analyses. However, they do not fulfil the requirement for timely, flexible and quality assured standardised and ad hoc reporting.
In terms of a classic business intelligence solution, the requirements for the different reporting levels can be shown as follows:
In summary, 11 of the 14 Principles aim at improving the analytical layer and the reporting (please see yellow framing). The classification of the Principles listed in BCBS 239 was done on the basis of the layers for a classic reporting architecture with the levels [legacy systems], [processing], [storing] as well as [analysis & reporting].
Implementing the Principles
Across-the-board control and infrastructure
Potential data quality risks have to be identified, evaluated and ultimately controlled as part of the overall risk management. An essential prerequisite for quality assured risk data aggregation and risk reporting is the availability of suitable data and reporting architecture. It is advisable to implement an integrative and institution-wide platform for risk data aggregation.
This can be achieved by means of the following measures:
- Unambiguous data taxonomies
- Clearly defined responsibilities
- A functioning plan for stress/crisis situations
- A data model that is scalable and flexibly adaptable
- Standardised processes that are aligned with regulatory requirements -
they have to ensure that the data used is consistent and reliable
- Appropriately defined responsibilities -
these have to be specified right up to the corporate management
- Departments that supply data, such as risk management, reporting and accounts should already be involved at the level of the specialist department's system-based data supply
- The processes for data provision to the institution-wide platform for data risk aggregation have to be optimised across-the-board with respect to the required timeliness and currentness of the data
Risk data aggregation efficiency
The availability of aggregated risk data at the group level has to be ensured so that it can be flexibly evaluated on the basis of business divisions, countries and other entities. Moreover, the supervisors require the assurance that ad hoc reporting requests can be met when there is a change in the prevailing internal or external circumstances and also if there are requests to meet supervisory queries.
The key factors to consider when setting up a central database are:
- Data quality assurance should be carried out by the specialist departments
- Data definitions and taxonomies should be specified across the specialist departments
- Institution-wide/ group-wide standard data definitions and data processes should be established
- Manual processes and recourse to end-user developed applications (EUDA) should be kept to a minimum.
- A separate data repository with a connection to various source systems is advisable
- It is important that the heterogeneous data in the central reporting platform (understood as being the "single point of truth") should be stored in a harmonised persistent data structure in order to generate optimal reporting results
Risk reporting methods
Risk-relevant reports have to provide accurate and precise risk data on all the main risk areas. In the course of this, due consideration should be given to information about positions and exposures in all the main risk areas (e.g. credit, market, liquidity and operational risks) as well as to all the significant components in these risk areas (in the case of credit risk, for example, individual counterparty risks, country risks and industry risks).
In order to be able to analyse RDA reports quickly, there is a requirement for their presentation to be clear and concise as well as, at the same time, comprehensive and accurate. BI systems can provide the functionality that is necessary for this in the form of a cross-divisional central platform:
- Reports can be grouped into RDA clusters here
- Attention should be paid to the intelligibility and qualitative explanations of the risk ratios
- Flexible distribution of reports in terms of frequency, group of recipients and risk type
- Reporting has to be done in a way that is proactive and forward-looking
- The implementation has to be geared towards the appropriate early warning capabilities
- Data quality assurance on the basis of standardised requirements and processes should be realised by using automated as well as manual change control and plausibility checks
- It has to be possible to make ad hoc requests and risk analyses right to the transaction level
- The data in the reports should be presented by means of tables, graphics and dashboards (graphical user interfaces where ratios can be visualised and analysed in a consolidated format)
- Forward-looking reporting via broadcasting functions or BI-based early warning components have to be implemented
Regulatory audit - Tools - Cooperation
To ensure compliance with regulatory principles, regulatory reporting requirements have to be frequently audited with respect to their implementation status and their need for enhancement. The underlying BI architecture should likewise regularly undergo a process of review.
- The supervisory authorities are seeking to cooperate with each other across borders
- The aim of this is the effective control of institutions with national and international operations
- The supervisor will have the possibility to apply appropriate corrective measures and sanctions
- The requirements will be fulfilled when all RDA stakeholders (risk management, reporting and accounts etc.) have access to archived data at all times
Best practice example
In order to create a uniform data resource and to aggregate risk relevant data it can be useful to specify institution-wide/group-wide data taxonomies. The self-assessment that was carried out by the institutions (BCBS 268) showed that there were a lot of deficiencies precisely in this area. A feasible approach would be to establish, at the meta data level, standardised identifiers and definitions of terms that would be valid across all the specialist departments. This would include unambiguously identifying reporting dates, reporting units, exposure classes, counterparties and the various ratios (here, using the example of a standard disclosure report).
The aim of using a risk reporting system is to elucidate all the main enterprise-related risk categories (risk types) from different perspectives. Risk reporting thus constitutes a key instrument for bank-wide risk management.
Incorporating RDA principles using the risk report as an example:
- The data comes from a disclosure set under Pillar III
- It has been broken down according to country clusters, i.e. main geographical regions
- The main types of exposure are listed separately
- This enables the identification of the geographic distribution of exposures and the associated country or systemic risks
- Drill down and detailed analysis of the risks that have been entered into right down to the country level
- Report items can be easily added or deleted by using the drag-and-drop feature
- Flexibility via changes to the layout of the presented report items (dimensions) in order to be able to the view the data from different perspectives (so-called "dicing")
- Drill down, drill through, drill across as well as roll up by clicking on the appropriate feature
- Various graphical displays
- Export in Excel or PDF format
Summary. Potentials. Outlook.
The Principles in BCBS 239 will present financial institutions with the huge challenge of adapting their reporting architecture to the new requirements. In this case, reducing the risk of losses will be the primary objective for providing information on the basis of a high-performance and resource-saving system in order to enhance a bank's reporting infrastructure and its decision-making process.
Implementation of an institution-wide platform for risk data aggregation:
- Separate data repository optimised for reporting
- Connection to heterogeneous source systems
- Multidimensional, risk-relevant information stored in a harmonised format ("Single Point of Truth")
- Data consistency (ensured by a data quality process)
- For standard reporting, regular reusable reports are combined into one disclosure set
- For ad hoc reporting, there is the capability for deriving other risk analyses
- Flexible report presentation formats (tables, various visualisations)
- Proactive reports (suitable for use as early warning components)
- Reports and analysis tools available to all RDA stakeholders
- Benefits of a BI solution:
- High degree of mechanisation and automation of risk data aggregation and risk reporting and,
- at the same time, wider-ranging data quality control while incorporating all the source systems and specialist departments involved in the data process