In 2009, the G20 committed, in their action plan, to strengthening risk management controls and policy principles. This was followed up with a 2010 report by the Senior Supervisors Group (SSG), highlighting poor IT infrastructure practices which were having a negative impact on risk data. During the Olympics, the BCBS sprang into action with a consultation paper entitled Principles for Effective Risk Data Aggregation and Risk Reporting. This paper received only nine responses but it was adopted with minimal changes and the final principles issued in January.
Known unknowns
- What does compliant risk data aggregation look like?
- What is on the critical path to success? How are current regulatory reform efforts helping or hindering progress?
- What will firms need to solve internally, and what will need industry collaboration?
The BCBS expects firms to implement these measures in full by the beginning of 2016 “at the latest”. However, if that comes as a shock, they are also planning to begin checking up on firms from “early 2013” (i.e., pretty much as you are reading this) to make sure that implementation goes according to schedule.
JWG research has identified four big capabilities that require significant upgrades.
Firstly, governance: both the board and senior management will be required to explicitly consider risk data issues and set the firm-wide agenda. In this regard, firms will have to think about how they introduce leadership of material data issues without overburdening themselves. Not only will a data officer need to be hired, they will need to be given the support required to do the job.
Secondly, new policies and procedures will have to be implemented, such as formalised SLAs, internal and external reconciliations and alignment across the firm of how data is provided during a crisis – including business continuity.
Thirdly, improvements will have to be made to existing data architecture. The requirements call for new functionality, more automation and better cohesion across departments and risk data types. For instance, firms should be moving towards a “single authoritative source for risk data” within their organisation – for each type of risk – which is flexible enough to meet ad hoc requests from both colleagues and supervisors. In a surprisingly granular principle, regulators have called for a common dictionary with consistent data definitions and a taxonomy that includes the metadata from across the group.
Finally, the new principles tackle one of the biggest industry elephants: the way in which end user controls are put in place for spreadsheets, databases, wikis and the like.
With no explicit technical specifications, or further regulatory documents, due in this space, firms will have to interpret the ‘so what’ and create internal guidance. At this juncture, it is unclear how much appetite there is for external guidance – but there is a distinct opportunity for the firms to define ‘what good looks like’.
Some of the problems posed by these principles could well help the industry come to a consensus on de minimis practice soon. For instance, the problem of singular counterparty identifiers, which is slowly being brought to a conclusion, could be expedited by a statement from the risk community that they require it.
What should be in the budget this year to get the programme moving? A lot. In 2011, McKinsey and the International Institute of Finance estimated that a mid-sized firm would spend between €35 and €45 million on IT and operations in order to comply with new risk data requirements. Then add the caveat that outlay would increase should the Basel Committee for Banking Supervision consultation result in stricter demands for firms – which it did. The report also said that, on average, investments of approximately $390 million would be required by each firm to continue its journey toward the target state over the next five years. This represents roughly a 46% increase in the average firm’s current spending on risk IT and operations. Clearly, efficiency savings will have to be made.
Most worryingly, the BCBS Principles seem to have come in largely under the radar. There is a distinct lack of noise surrounding the issue, and awareness among professionals is relatively low.
To be Rumsfeldian, we have unknown unknowns in our midst. What are the workstreams that should be running now? Which milestones are on your critical path? What targets will you set for 2013 and who will set them?
With hundreds of regulatory change projects active in any one firm this year, it’s time to see what you are already doing to improve your risk management programme.
The reality is that the BCBS Principles are part of a much larger regulatory movement towards enhanced supervision of all stages of risk monitoring and management – and eventually all functions within a bank. These principles are a good way to get moving and rationalise the totality of the impact of regulatory reform.
- The principles require four robust capabilities to be defined in 2013: governance, policies & procedures, architecture and infrastructure
- There are real synergies to be achieved in getting the programme right across the group
- Work should start as soon as possible; the regulators may be knocking soon…
Top alerts
- Smarter way to look at risk data req: OFR calls for “agent-based” risk modelling to chart amplifying feedback effects
- Questions remain; time for industry guidance? BCBS issues final risk data aggregation principles & JWG’s CP response!
- ESMA issues final #AIFM remuneration guidelines; incl remuneration committee “unfettered” access to risk mgmt data