This article originally appeared in the autumn 2014 edition of Markit Magazine.
The Basel Committee’s principles for effective risk data aggregation and risk reporting (BCBS 239) may be among the least well-known components of the post-financial crisis reform package. Yet they could ultimately bring about the most significant changes to the world’s largest banks.
The 14 principles (11 for banks, three for supervisors), due for implementation by January 2016, came about as a result of one of the great weaknesses exposed by the financial crisis: systemically important banks lacked the ability to aggregate exposures and identify large concentrations of risk at group level, jeopardising the stability of the broader financial system.
Risk data aggregation is the process of defining, gathering and processing risk data to enable a bank to measure its performance against its risk tolerance/appetite. That might sound a fairly humdrum practice but, in the context of a financial system that was proven to be dangerously unstable during the crisis, the Financial Stability Board identified the improvement of risk data aggregation as a priority in 2011.
Fixing the problem remains a work in progress or, perhaps more accurately, a work in need of progress. The drafting of the 14 principles was a good first step, but only nine firms responded to the Basel Committee’s original consultative document in 2012. This illustrates the lack of awareness of the principles by the 30 globally systemically important banks (G-SIBs) that must now implement them by 2016.
As that deadline edges closer, implementing the principles is proving to be a major challenge. That is partly because the principles are mostly qualitative in nature, setting a high standard for risk data aggregation, but failing to define precisely how it should be achieved. The prevalence of adjectives such as ‘strong’, ‘accurate’, ‘reliable’ and ‘timely’ in the standards, without quantitative definitions of exactly what is required, has been cited by many banks as a key challenge. Whether it is the failure of the regulators or the banks themselves to be more specific, many practitioners are still scratching their heads over vague recommendations from consultants on the best way to comply.
The principles are split broadly into four categories, covering governance and infrastructure; risk data aggregation; risk reporting; and supervisory review. Some principles are perhaps more challenging to interpret and implement than others. For example, the first principle tackles governance, requiring that risk data aggregation and reporting should be subject to ‘strong governance arrangements’. The Basel Committee provides some further detail on what kind of internal oversight is required, but it remains unclear precisely how banks should get senior management involved in the process of risk data aggregation. Some might choose to create an entirely new business function such as a risk aggregation officer. Others might decide to allocate the practice to the remit of the chief data officer. The implication is a lack of consistency in governance arrangements.
The third principle deals with the accuracy and integrity of risk data, requiring that data should be aggregated on a “largely automated basis” to minimise errors. The Basel Committee asks that banks create a data dictionary to ensure that data are defined consistently across the bank. Such a requirement could also be fulfilled in several different ways. It is also unclear what degree of automation is required, and what level of manual intervention in data aggregation would render a bank non-compliant.
Lack of clarity
A similar lack of clarity pervades many of the other principles, but the inherent challenge underlying all of them is that risk data aggregation is a practice that spans so many different parts of a bank’s architecture that it has proven difficult to find a single business function to take complete ownership.
The wide reach of the standards is crystallised in the fourth principle, which requires banks to capture and aggregate all “material risk data” across the group, spanning business lines, legal entities, asset types, industries, regions and other groupings. As most large banks typically operate thousands of legal entities, accurately capturing the risk data in a timely way is a monumental challenge.
The Basel Committee is clearly not blind to the scale of the challenge and in December 2013 it published a progress report on the adoption of the principles. Based on a self-assessment questionnaire completed by 30 G-SIBs, the exercise revealed a varying state of readiness for the 2016 deadline, and the Basel Committee conceded that many banks are struggling to establish strong data aggregation governance.
National supervisors, the Basel Committee said, would investigate the root causes of non-compliance and use ‘supervisory tools and appropriate discretionary measures’ to get the banks in shape by 2016. Exactly what that means is as unclear as the principles themselves, and while the final three principles deal with the role supervisors will play in monitoring and enforcing implementation, there is no indication of the penalties banks might ultimately face for non-compliance.
Despite the worrying lack of clarity, the Basel Committee principles require greater attention from all market participants, from the regulators themselves to banks not yet affected, as supervisors have been advised to consider applying the principles to domestic systemically important banks as well as G-SIBs.
While other regulations such as the Dodd-Frank Act, Basel III and the European Union’s MiFID and EMIR have received much greater mainstream attention in recent years, the principles venture much deeper into banks’ operating mechanics. Basel III, for example, broadly requires a higher quality and quantity of capital and liquid assets, but it is left largely up to the banks how they achieve that.
The more complex the current business and underlying enterprise model, the more we need integration to deliver the right regulatory reforms in a cost-effective manner. Factors that will affect complexity will include the bank’s products and services, target customer base and the jurisdictional framework.
Though the principles have not so far been as large a focus area as Basel III implementation, they are necessarily tied to it. This is not just because they share the focus on risk, but because they alter what needs to be considered in banks’ operational risk frameworks, such as the Basel III advanced measurement approach.
As regulators have now laid out the principles and have an admission from the banks, via the progress report, of their inability to manage the standards, there is the potential for banks to be hit with capital surcharges for inappropriately calibrated operational risk frameworks. As the principles cross all of their business lines, this could prove incredibly costly.
The challenge is that there is no single ‘right’ answer about precisely which capabilities an individual regulator will expect of a firm for risk data aggregation, and it is unlikely we will see a definition of a ‘good’ implementation.
However, if firms invest in a proper implementation, the risk data aggregation principles could see banks spending much more on new governance than in the past. With the current scant level of detail from regulators, doing that effectively before 2016 is going to be an almighty challenge.