Over the years, management systems in banks – and other financial services companies – have had to cope with increasing regulatory requirements, new corporate structures, new products and operating models.
As with other infrastructure, systems for the collection, aggregation and analysis of risk data have typically developed in an incremental fashion, with different modules, incompatible data and a range of ad hoc processes.
In many cases, these systems have become so unwieldy and unstable that they are failing in their core purpose. Relevant data is missing or inadequately analysed, often resulting in the formation of 'reconciliation industries' within the organisation as data is passed between a multitude of systems across inconsistent integration mechanisms.
The extent to which these reconciliation industries have evolved within organisations is often underestimated and rarely quantified in terms of productivity loss. Risk data is being provided too late to influence the trading and operations which should depend on it. Responsible management and supervision are both compromised while operating costs are inflated unnecessarily.
Regulators have become increasingly concerned about the implications of these inadequate or misleading risk data systems. Their shortcomings were exposed at the height of the financial crisis when regulators asked for up-to-date assessments of risk and exposures.
Many institutions were unable to provide the data required, or found themselves coordinating a massive manual and ad-hoc intervention to assemble the data demanded of their management teams and regulators. Major market participants could not extract the necessary information quickly enough to understand the location and extent of risks and exposures. This was one major cause of the catastrophic collapse of confidence in the global financial system.
As a result, regulators are now focusing not only on the results and outcomes of risk figures but also on the machinery and processes behind them. In 2009, the Basel Committee on Banking Supervision (BCBS) issued supplemental Pillar 2 (supervisory review process) guidance designed to enhance banks’ ability to identify and manage bank-wide risks;[1] and in 2013 the Committee published a set of principles to strengthen risk data aggregation capabilities and internal risk reporting practices, along with guidance on their implementation.[2]
The Principles, which provide qualitative and quantitative measures, cover four key areas:
- Importance of boards and senior management exercising strong governance over a bank’s risk data aggregation capabilities, risk reporting practices and IT capabilities.
- Accuracy, integrity, completeness, timeliness and adaptability of aggregated risk data.
- Accuracy, comprehensiveness, clarity, usefulness, frequency and distribution of risk management reports, including to the board and senior management.
- The need for supervisors to review and evaluate a bank’s compliance with the first three sets of principles listed above, to take remedial action as necessary, and to cooperate across home and host supervisors.[3]
Where banks have undertaken systematic analysis and testing of their current processes, the results have often been illuminating: in certain cases, they have revealed that compiling a comprehensive group-wide set of risk figures has been taking up to 60 days. The larger and more complex a bank, the more likely it is that risk data is incomplete, inadequate or out-of-date, particularly on an aggregated and global level.
Banks may have all of the information, but it’s often inefficiently stored, inconsistently formatted, poorly integrated and difficult to interrogate. Senior management should be aware of the risk of ‘flying blind’, especially in extreme events, and of taking and implementing decisions in the absence of reliable risk metrics.
It is critical, therefore, that financial services firms review the strength and effectiveness of their risk data architecture and systems.
There are four key issues which need to be addressed:
- Efficiency: very often, data resides in different silos, owned by different functions (markets, risk control, finance, back-office), all with different attitudes and approaches to data management. With multiple systems and incompatible data, risk professionals spend too much time and effort on data aggregation, reconciliation and analysis and too little time on applying the results to risk management and decision making.
- Flexibility: it is important to be able to react quickly to market events by preparing scenario analysis and reports which are not in the standard set-up. Similarly, the flexibility to react rapidly to regulators’ requests for reports and data without a huge amount of manual work is also important.
- Quality: with multiple, discrete systems, the quality of data is degraded by incompatible definitions, inconsistency, incompleteness and duplication. Very often, efforts at data cleansing are only partially successful. With poor quality data, the effectiveness of risk management can be seriously compromised.
- Ownership: too often, ownership of risk data is shuffled uneasily between the control function and the IT function, with senior management taking little direct responsibility. Without a clear structure of governance and ownership there is no accountability and no prime commitment to quality.
This review of common problems naturally also suggests the scope for improvement, and the value that can be obtained from effective risk data aggregation, storage and analysis. The ability to consolidate and synchronise all relevant risk data can lay the foundation for a more overarching and consistent analysis, enabling better business management, better risk management and optimised operating models. Leading banks appreciate the potential benefits, and are working to strengthen the contribution of effective risk management to business judgment and corporate strategy.
High-quality and quality-assured risk data should lead to improved decision-making, greater confidence and more stable strategy. With greater confidence in data validity, risk IT architecture can be streamlined, leading to efficiencies in both routine operations and in maintenance and development.
In turn, these benefits offer improved ability to respond quickly and effectively to changes in corporate strategy, operating environment or indeed regulatory demands. If regulators have greater confidence in a bank’s risk data and the aggregation machinery underlying it, the whole regulatory compliance system can become simpler and less challenging.
Improved data aggregation can bring direct economic benefits and reduced capital requirements. Currently, for example, a significant proportion of a bank’s collateral contracts are ineffectively captured, and so cannot contribute to risk-weighted capital calculations. A more comprehensive and accurate data aggregation methodology can bring this into the equation.
Systems for transmitting and reporting risk data need to be built into any improved data aggregation framework, since its value is dependent on the ease and timeliness with which senior management can take the results into account. The same argument applies to communication with regulators, who will value rapid and accurate regular reporting as well as a speedy response to ad hoc requirements.
Achieving the benefits requires moves towards greater standardisation, common data models, integrated systems and in some circumstances consolidated data warehouses. These initiatives need to be defined and implemented in ways which balance costs and potential benefits. But since the results should include increased confidence, reduced potential for loss, efficiency gains and increased profits, significant effort and expenditure can often be worthwhile.
Risk data aggregation and reporting are too important to be left to the risk function or – more seriously – IT professionals. Regulators are demanding better performance; but equally, senior executives and boards will derive significant benefits from improving their risk infrastructure and processes. However, this is not a simple or straightforward challenge. Success requires fundamental changes in the way core functions operate, with significant potential consequences for organisation and processes. Inevitably, this can be expensive. However, effective renovation of the risk IT infrastructure is a strategic investment which can not only satisfy regulatory demands but also lead to competitive advantage.
Responsible governance therefore requires that these issues are given appropriate strategic attention at the highest levels.
[1] Basel Committee on Banking Supervision (BCBS), Enhancements to the Basel II framework, BCBS158, www.bis.org/publ/bcbs158.pdf, July 2009
[2] Basel Committee on Banking Supervision, Principles for effective risk data aggregation and risk reporting, BCBS239, www.bis.org/publ/bcbs239.pdf, January 2013
[3] For more detailed discussion, cf. 'BCBS 239 – another technical paper, or a fundamental challenge for the industry?', Journal of Business Compliance, forthcoming.
From KPMG’s Frontiers in Finance / March 2014.