BCBS 239. Principles for effective risk data aggregation and risk reporting
Improving banks’ ability to aggregate risk data will improve their ability to resolve and survive future financial crisis. In crisis mode a bank’s ability to determine its true exposure quickly aggregated across asset and risk classes can make the difference between surviving and failing.
As a buyer if you can find it, you can measure, value, report, ring fence and regulate it. If you can’t, then there as no assurance about what else is hidden within the balancesheet of the bank that you are buying that will bring you down.
It is essential that regulatory authorities and stakeholders tasked to assess the future viability of a bank have access to tools, reports and cuts that aggregate, slice and dice risk data. For recovery, a robust data framework will help banks and supervisors anticipate problems ahead. It will also improve the prospects of finding alternative options to restore financial strength and viability when the firm comes under severe stress.
BCBS 239 is the new BIS standard that defines supervisory principles for data aggregation and risk reporting keeping in view the challenges faced by financial institutions across the globe during the last financial crisis. We present a a summarized and a slightly more user friendly version of the standard below.
BCBS 239 Objectives of the standard.
BCBS 239 Principles are expected to support a bank’s efforts to:
BCBS 239. Scope and initial considerations
Principles apply at both the banking group and on a solo basis. Common and clearly stated supervisory expectations regarding risk data aggregation and risk reporting are necessary for these institutions.
The Principles and supervisory expectations contained in this paper apply to a bank’s risk management data. Risk data and reports should provide management with the ability to monitor and track risks relative to the bank’s risk tolerance/appetite.
These Principles also apply to all key internal risk management models.
Banks should meet all risk data aggregation and risk reporting principles simultaneously. However, trade-offs among Principles could be accepted in exceptional circumstances. Decision-makers at banks, in particular the board and senior management, should be aware of these trade-offs and the limitations or shortcomings associated with them.
Banks should be able to explain the impact of these trade-offs on their decision- making process through qualitative reports and, to the extent possible, quantitative measures.
The concept of materiality used in this paper means that data and reports can exceptionally exclude information only if it does not affect the decision-making process in a bank. Banks should also take into account the potential future impact of the information excluded on the decision-making process at their institutions. Supervisors expect banks to be able to explain the omissions of information as a result of applying the materiality concept.
Banks should develop forward looking reporting capabilities to provide early warnings of any potential breaches of risk limits that may exceed the bank’s risk tolerance/appetite.
BCBS 239. Document Overview
The BCBS 239 document presents 14 principles spread across four sections. A final section review implementation timelines and transitional arrangements. The sections are:
The 14 BCBS 239 principles defined within these four sections are:
- Data, Risk and IT architecture and infrastructure
- Data Integrity
- Clarity and usefulness
- Remedial action
- Home / Host cooperation
Here is a more detailed look at individual sections and principles.
BCBS 239. Governance and infrastructure
Governance – A bank’s risk data aggregation capabilities and risk reporting practices should be subject to strong governance arrangements consistent with other principles and guidance established by the Basel Committee.
A bank’s board and senior management should promote the identification, assessment and management of data quality risks as part of its overall risk management framework. The framework should include agreed service level standards for both outsourced and in-house risk data-related processes, and a firm’s policies on data confidentiality, integrity and availability, as well as risk management policies.
A bank’s board and senior management should review and approve the bank’s group risk data aggregation and risk reporting framework and ensure that adequate resources are deployed.
A bank’s senior management should be fully aware of and understand the limitations that prevent full risk data aggregation. bank’s IT strategy includes ways to improve risk data aggregation capabilities and risk reporting practices and to remedy any shortcomings. identify data critical to risk data aggregation and IT infrastructure initiatives.
A bank’s board is responsible for determining its own risk reporting requirements and should be aware of limitations that prevent full risk data aggregation in the reports it receives.
Data architecture and IT infrastructure – A bank should design, build and maintain data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis, while still meeting the other Principles.
A bank should establish integrated data taxonomies and architecture across the banking group.
Roles and responsibilities should be established as they relate to the ownership and quality of risk data and information for both the business and IT functions.
Risk data aggregation capabilities
Accuracy and Integrity – A bank should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis so as to minimise the probability of errors.
A bank should aggregate risk data in a way that is accurate and reliable:
Supervisors expect banks to measure and monitor the accuracy of data and to develop appropriate escalation channels and action plans to be in place to rectify poor data quality.
Completeness – A bank should be able to capture and aggregate all material risk data across the banking group. Data should be available by business line, legal entity, asset type, industry, region and other groupings, as relevant for the risk in question, that permit identifying and reporting risk exposures, concentrations and emerging risks.
A bank’s risk data aggregation capabilities should include all material risk exposures, including those that are off-balance sheet.
Supervisors expect banks to produce aggregated risk data that is complete and to measure and monitor the completeness of their risk data. Supervisors expect banks’ data to be materially complete, with any exceptions identified and explained.
Timeliness – A bank should be able to generate aggregate and up-to-date risk data in a timely manner while also meeting the principles relating to accuracy and integrity, completeness and adaptability. The precise timing will depend upon the nature and potential volatility of the risk being measured as well as its criticality to the overall risk profile of the bank. The precise timing will also depend on the bank-specific frequency requirements for risk management reporting, under both normal and stress/crisis situations, set based on the characteristics and overall risk profile of the bank.
A bank’s risk data aggregation capabilities should ensure that it is able to produce aggregate risk information on a timely basis to meet all risk management reporting requirements.
Supervisors will review that the bank specific frequency requirements, for both normal and stress/crisis situations, generate aggregate and up-to-date risk data in a timely manner.
Adaptability – A bank should be able to generate aggregate risk data to meet a broad range of on-demand, ad hoc risk management reporting requests, including requests during stress/crisis situations, requests due to changing internal needs and requests to meet supervisory queries.
A bank’s risk data aggregation capabilities should be flexible and adaptable to meet ad hoc data requests, as needed, and to assess emerging risks.
Risk reporting practices
To manage risk effectively, the right information needs to be presented to the right people at the right time. Risk reports based on risk data should be accurate, clear and complete.
Accuracy – Risk management reports should accurately and precisely convey aggregated risk data and reflect risk in an exact manner. Reports should be reconciled and validated.
To ensure the accuracy of the reports, a bank should maintain, at a minimum, the following:
Comprehensiveness – Risk management reports should cover all material risk areas within the organisation. The depth and scope of these reports should be consistent with the size and complexity of the bank’s operations and risk profile, as well as the requirements of the recipients.
Risk management reports should include exposure and position information for all significant risk areas. Risk management reports should also cover risk-related.
Reports should identify emerging risk concentrations, provide information in the context of limits and risk appetite/tolerance and propose recommendations for action where appropriate. Risk reports should include the current status of measures agreed by the board or senior management to reduce risk or deal with specific risk situations.
Clarity and usefulness – Risk management reports should communicate information in a clear and concise manner. Reports should be easy to understand yet comprehensive enough to facilitate informed decision-making. Reports should include meaningful information tailored to the needs of the recipients.
Risk reports should ensure that information is meaningful and tailored to the needs of the recipients.
Reports should include an appropriate balance between risk data, analysis and interpretation, and qualitative explanations.
Reporting policies and procedures should recognise the differing information needs of the board, senior management, and the other levels of the organisation (for example risk committees).
The board should ensure that it is asking for and receiving relevant information that will allow it to fulfil its governance mandate relating to the bank and the risks to which it is exposed.
Frequency – The board and senior management (or other recipients as appropriate) should set the frequency of risk management report production and distribution. Frequency requirements should reflect the needs of the recipients, the nature of the risk reported, and the speed, at which the risk can change, as well as the importance of reports in contributing to sound risk management and effective and efficient decision-making across the bank. The frequency of reports should be increased during times of stress/crisis.
A bank should assess periodically the purpose of each report and set requirements for how quickly the reports need to be produced in both normal and stress/crisis situations.
Supervisors expect that in times of stress/crisis all relevant and critical credit, market and liquidity position/exposure reports are available within a very short period of time to react effectively to evolving risks.
Distribution – Risk management reports should be distributed to the relevant parties while ensuring confidentiality is maintained.
Procedures should be in place to allow for rapid collection and analysis of risk data and timely dissemination of reports to all appropriate recipients.
Supervisory review, tools and cooperation
Review – Supervisors should periodically review and evaluate a bank’s compliance with the eleven Principles above.
Supervisors should review a bank’s compliance with the Principles. Reviews should be incorporated into the regular programme of supervisory reviews and may be supplemented by thematic reviews covering multiple banks with respect to a single or selected issue.
Supervisors should draw on reviews conducted by the internal or external auditors to inform their assessments of compliance with the Principles. Supervisors must have access to all appropriate documents such as internal validation and audit reports, and should be able to meet with and discuss risk data aggregation capabilities with the external auditors.
Supervisors should test a bank’s capabilities to aggregate data and produce reports in both stress/crisis and steady-state environments.
Remedial actions and supervisory measures – Supervisors should have and use the appropriate tools and resources to require effective and timely remedial action by a bank to address deficiencies in its risk data aggregation capabilities and risk reporting practices. Supervisors should have the ability to use a range of tools, including Pillar 2.
Supervisors should require effective and timely remedial action by a bank to address deficiencies in its risk data aggregation capabilities and risk reporting practices and internal controls.
Supervisors should have a range of tools at their disposal to address material deficiencies in a bank’s risk data aggregation and reporting capabilities.
Supervisors should be able to set limits on a bank’s risks or the growth in their activities where deficiencies in risk data aggregation and reporting are assessed as causing significant weaknesses in risk management capabilities.
When a supervisor requires a bank to take remedial action, the supervisor should set a timetable for completion of the action.
Home/host cooperation – Supervisors should cooperate with relevant supervisors in other jurisdictions regarding the supervision and review of the Principles, and the implementation of any remedial action if necessary.
Effective cooperation and appropriate information sharing between the home and host supervisory authorities should contribute to the robustness of a bank’s risk management practices across a bank’s operations in multiple jurisdictions.
Cooperation can take the form of sharing of information within the constraints of applicable laws, as well as discussion between supervisors on a bilateral or multilateral basis.
Supervisors should discuss their experiences regarding the quality of risk data aggregation capabilities and risk reporting practices in different parts of the group. Such exchanges will enable supervisors to identify significant concerns at an early stage and to respond promptly and effectively.
Implementation timeline and transitional arrangements
Supervisors expect that a bank’s data and IT infrastructures will be enhanced in the coming years to ensure that its risk data aggregation capabilities and risk reporting practices are sufficiently robust and flexible enough to address their potential needs in normal times and particularly during times of stress/crisis.
The Basel Committee will track G-SIBs progress towards complying with the Principles through its Standards Implementation Group (SIG) from 2013 onwards. The Basel Committee will share its findings with the FSB at least annually starting from the end of 2013.