In January 2013, the Basel Committee on Banking Supervision (BCBS) published Principles for the effective aggregation of risk data and risk reporting (aka BCBS 239) to strengthen risk management at global systemically important banks (G-SIBs) through enhanced internal risk-reporting practices, complementing other existing international initiatives.
Banks should be able to aggregate risk exposures and identify concentrations quickly and accurately, unlike during the financial crisis. They should also be able to take risk decisions in a timely fashion, thus avoiding negative consequences for the bank and the financial system. In addition to the requirements with respect to the structural and procedural organisation of the risk function in banks, precise regulatory requirements for the IT architecture and data management in banks were formulated for the first time.
The principles include a new reporting cycle in which overall risk reports are to be prepared quarterly. Manual data deliveries (keyword: Excel) are no longer permitted: Excel should only be used to illustrate but not to calculate risk figures. Also, data-quality management/data governance must be monitored, and higher demands are placed on ad-hoc reporting. The preparation of the reconciliation of finance and risk figures (e.g. IFRS book values) is required. Furthermore, risk controllers should no longer have to spend most of their time on data collection and data quality assurance but rather focus on analysis. The principles include the definition and implementation of future risk-report content and target architecture ("single point of truth") and more future-oriented reporting parameters (e.g. also stress testing).
In Germany, the transfer into national law is achieved via the Minimum Requirements for Banks' Risk Management (Mindestanforderungen an das Risikomanagement – MaRisk).
BCBS 239 was meant to be implemented in full by all G-SIBs by the beginning of 2016. Furthermore, the BCBS strongly suggested that national supervisors apply these principles to institutions identified as domestic systemically important banks (D-SIBs) no later than three years after their designation as such.
However, in its latest report, Progress in adopting the Principles for effective risk data aggregation and risk reporting, from June 2018, the BCBS noted that, by the original deadline of 1 January 2016, each of the individual principles was met by fewer than half of the monitored G-SIBs. Based on data from 31 December 2017, the situation is only marginally better, with low levels of compliance of banks with the first 11 of the 14 principles (the other three cover supervisory responsibilities). Only three G-SIBs have been assessed by their supervisors to be fully compliant to date.
In May 2018, the ECB published the report from its Thematic review of the effective aggregation of risk data and risk reporting, based on a sample of 25 G-SIBs and D-SIBs, which also showed an unsatisfactory state of implementation in the EU. None of the G-SIBs or D-SIBs were fully compliant with respect to all the BCBS 239 principles. Follow-up actions will be monitored within the framework of the Supervisory Review and Evaluation Process (SREP).
The first two principles, covering governance, data architecture and IT infrastructure, are considered prerequisites for the remaining principles. Weaknesses in governance stem from a lack of clarity regarding responsibility and accountability for data quality. It is often difficult to understand what the roles and responsibilities of business, control and IT functions are, and how those roles are allocated and exercised. Concerning data architecture, the lack of integrated solutions in the data aggregation and report compilation processes was identified as one of the main areas of concern. Incomplete (or manual) consistency checks and manual processes (often not properly identified) show an unsatisfactory level of automation even for key and complex tasks. The complexity and interdependence of projects to improve IT, in addition to legacy IT issues, pose a significant challenge.
The BCBS progress report calls for banks to continue to implement the principles according to the roadmaps agreed with their supervisors and to consider how implementation would benefit other data-related initiatives and requirements. Furthermore, supervisors should maintain their emphasis on ensuring implementation and promote co-operation among competent authorities in relation to the implementation of the principles by global banking groups.
Several measures have helped some banks facilitate their implementation: allocating sufficient resources to enhance IT systems, making dedicated appointments (e.g. a Chief Data Officer), improving capabilities for automating the production of data, using integrated data taxonomies and dictionaries, pulling data from common, granular data sources and using integrated IT risk platforms. Thorough documentation (audit trails), comprehensive controls and the use of automated reporting processes are key to success in this very complex landscape, which will most likely occupy banks for some considerable time to come.