Progress in adopting the Principles for effective risk data aggregation and risk reporting 2023

Original by BIS, 2023, 17 pagesHamster_gagarin_linkedin
hamster writter This summary note was posted on 24 December 2023, by in Credit risk Finance #, #, #
  • BCBS 239 Principles for effective risk data (Principles) aggregation and risk reporting (Principles) in January 2013
  • Between 2013 and 2020, the Committee published six reports on banks’ progress
  • Last progress report, published in April 2020

Progress

  • Banks are at different stages
  • Additional work is required at all banks to attain and/or sustain full compliance
  • Global pandemic and recent stress events provided a stark reminder that banks’ ability to manage risk-related data is essential for sound decision making.
  • Of the 31 banks assessed, only two banks are fully compliant with all the Principles.
  • Not a single Principle that has been fully implemented across all banks.
  • Not all jurisdictions actually require compliance with the Principles since certain jurisdictions did not transpose them into their national framework
  • Some banks are still struggling with the adoption.
  • Most banks have achieved the rating of largely compliant (ie rating of “3”)
  • In comparison to the 2017 assessment, the 2022 assessment shows a general improvement of the compliance ratings on an aggregated level across Principles.
  • Aggregated compliance rating has even deteriorated from 2019 to 2022.
  • Increase in the percentage of banks that fully comply (ie rating of “4”) with Principles 1 (governance) and 2 (data architecture and IT infrastructure),
  • Average compliance rating for Principle 1 reveals a slight deterioration from 2019 to 2022 on an aggregated level.
  • Principles 5 (timeliness) and 7 (accuracy of risk reports) the average compliance ratings have deteriorated from 2019 to 2022, while for Principles 4 (completeness), 6 (adaptability) and 9 (clarity) the average compliance ratings remained rather stagnant.
  • A few banks have made progress in implementing mature enterprise data management frameworks, appropriate committee oversight and end to end ownership, accountability, and monitoring of data throughout the data lifecycle.
  • Some banks have also developed well documented policies and procedures that regulate how IT/data processes (ie data quality criteria and controls, meta data management, data models, etc) should be implemented and enforced.
  • Some banks managed to simplify their IT landscapes through material reduction in IT systems and applications, harmonisation of IT systems between local entities and the banking group and the use of central data repositories and monitoring tools.
  • Banks are also introducing cloud computing that helps to improve continuity and compatibility of applications, security and performance.
  • Some banks are implementing automated reporting platforms and business intelligence tools for on-demand creation of customisable reports and analysis.
  • Banks have reported the rollout of specific training initiatives, thematic audits, and validation activities pertaining to risk data aggregation and reporting.
  • Banks initiated projects to increase data granularity and improve their ad-hoc reporting capabilities
  • Some banks make use of regular surveys among data users.

Key Challenges

  • Programmes were often underfunded,
  • Limited in scope and lacking sufficient attention from boards of directors
  • Failed to fully assess the complexity and interdependence of related projects, especially to address IT legacy systems and set ambitious timelines.
  • Slower pace than envisaged.
  • Persistent challenges with fragmented IT landscapes,
  • Legacy systems and manual processes that are not fit for purpose.
  • Many banks still struggle with the large number of manual processes and interventions in their risk data aggregation and reporting processes with negative implications not only on accuracy and timeliness of data, but also on the overall costs.
  • complexity of banks’ operating environments globally.
  • some banks have reassessed or expanded the scope of their initial action plans to adopt the Principles
  • New technologies such as artificial intelligence have not yet materially impacted banks’ risk data aggregation and risk reporting processes.
  • Many banks still lack quality data, which is a prerequisite for embarking on any digitalisation project.
  • Stress situations, where data are often required to be tailored to the specific circumstances and reported at a higher frequency, can be a strain on banks’ IT systems, requiring some banks to re-design and/or simplify certain internal processes.
  • Delayed compliance with the Principles is largely attributed to lack of prioritisation, insufficient ownership by the board and senior management

Recommendations

  • Recommendations to banks that were identified in the previous reports persist.
  • Banks should foster a culture of ownership and accountability for data quality across the organisation,
  • Supervisors should consider making greater use of the more intensive targeted activities (eg onsite inspections, deep dive reviews or fire drills)
  • Supervisors should consider more forceful measures to address long-standing risk data aggregation and reporting deficiencies.
  • Applying more forceful measures to address long-standing risk data aggregation and reporting deficiencies (eg capital add-ons, restrictions on capital distributions and other penalties/fines),
  • Importance of standardisation and automation of data governance /management
  • Continue to work on improving their IT infrastructures, establishing a common taxonomy, and completing data lineage to make data more useful and valuable.
  • Bank boards should prioritise and intensify their oversight of data governance, including the development, implementation, and maintenance of robust data governance frameworks, risk data aggregation and reporting.
  • A key success factor for implementing the Principles is strong board and senior management ownership. Alignment with the Principles should be a top priority for banks, and the board of directors should formulate their expectations for senior management to meet this requirement.
  • Banks should establish distinct ownership and accountability for data quality by designating data owners,
  • Banks should formulate and present a standard set of key performance indicators (KPIs)
  • Before embarking on any digitalisation project, banks should ensure the quality of source data, which is commonly recognised as the root cause for either good or poor outcomes downstream.
  • Measures which carry a significant impact on banks (eg restrictions on capital distributions or business activities, capital or other Pillar 2 add-ons), by contrast, are only very rarely utilised, despite the lack of progress by several banks.
  • Continue to apply the proportionality concept in assessing banks

Case Studies

  • The importance of tone from the top and sound data culture are common success factors, while legacy systems, manual processes, the integration of IT systems, increasing costs of sound data management and talent retention / subject matter expertise are recurring challenges.
  • Importance of sound data controls that act as important checks at the different stages of the data lifecycle.
  • Group-wide comprehensive data governance framework that includes compliance with BCBS 239. The framework requires board and senior management review and approval to ensure adequate deployment of resources for a successful outcome.
  • The group data office reports to a member of the board, who is ultimately responsible for data quality.
  • Business areas regularly report on their data framework status through the governance structure.
  • End-to-end definition of roles and responsibilities
  • Another critical element for successful BCBS 239 adoption is establishing clear roles and responsibilities for data quality along the complete (end-to-end) data flow.
  • Adoption of the governance framework was set by a realistic and committed plan that includes clear measures and monthly monitoring by a senior steering committee (chaired by the CEO)
  • An independent validation process is an important component of a strong governance framework.
  • One bank has created a dedicated team within the second line of defence to perform independent data validation activities
  • The team’s success comes from an agreed mandate between the business lines (first line of defence) and control functions (second line of defence), with the operational processes documented and clear guidance from all sides.
  • These activities are performed in addition to the regular activities of the internal audit function (third line of defence).
  • Surge of regulatory requirements driven by the Basel III final reform package, growing demand for internal analyses to support executive management decision making and significant increase in external disclosure requirements.
    • Legacy data sourcing, aggregation and reporting processes required significant manual intervention and end-user compensating controls to ensure reports and analyses were complete, accurate and timely.
  • Create a platform that could be adjusted to meet internal and external reporting needs.
    • re-platforming of all technology components,
    • establishing a clearer data sourcing strategy from authoritative sources,
    • using standardised data formats, and developing a data hub.
    • deploy data quality checks (including robust issue management practices) at source and data hub, business-driven analytics and reconciliations,
    • uSE visual analytics and machine learning techniques to identify and monitor data quality issues.
  • One bank implemented a group data dictionary with integrated data taxonomy to ensure consistent classification of data concepts, logical and physical attributes.
  • Minimisation of manual processes and interventions
  • Implemented a data quality dashboard/scorecard containing different KPIs on data quality in individual risk reports. Accuracy is one of the key dimensions for these KPIs, which is measured and monitored on an ongoing basis.
  • Remediation plan to improve ad hoc risk reporting capabilities has been to establish strong governance arrangements for ad-hoc data requests,
  • Balance the granularity of risk reporting with the usefulness and clarity of risk reports for stakeholders.