The lack of any prescribed reporting framework, workflow, or any other prescribed action is perhaps the most striking difference between BCBS 239 and any other set of rules published by the Bank for International Settlements, the Financial Stability Board or IOSCO, or indeed any other regulator.
It is based on two concepts and has a number of stated objectives, but achieving those objectives is left to the implementation of fourteen principles.
BCBS 239 aims to create a new common data template for G-SIFIs to address bilateral exposures; exposures to countries, business sectors and instruments; any issues behind data integrity, completeness and accuracy; and principles for risk data aggregation and risk reporting.
In the context of BCBS 239, risk data aggregation means defining, gathering and processing risk data according to the financial institution’s risk reporting requirements; this will enable the bank to measure its performance against its risk tolerance or risk appetite.
Meeting the principles of BCBS 239 will enhance the infrastructure for reporting key information. This should reduce the probability and severity of losses resulting from risk management weakness, improve the speed at which information is available to support any decision-making process, and improve the quality of the organization's strategic planning and its ability to manage the risk of new products and services.
Looking at the principles listed below, it is also quite clear that the ultimate aim of the principles is to improve the decision-making process throughout the banking organization and to facilitate a comprehensive assessment of risk exposure at a global consolidated level across legal entities.
BCBS 239 sets a number of principles to be followed by financial institutions and by regulators. It is not prescriptive as to how compliance with these principles should be achieved; it does not discuss the format of reports or any standard implementation rules.
The principles can be divided into three groups: Governance, Data, and Awareness.
Principle 1 – Governance – A bank’s risk data aggregation capabilities and risk reporting practices should be subject to strong governance arrangements consistent with other principles and guidance established by the Basel Committee.
In many jurisdictions, a bank of some systemic importance, either global or domestic, will have a risk appetite statement and a risk management policy (i.e. the policy outlined in an Internal Capital Adequacy Assessment Process – ICAAP – Document). A verification of the risk appetite statements against all risk monitoring reports and a check that the aggregation of data supports the risk policy should provide the evidence that this principle is being met.
Principle 2 – Data architecture and IT infrastructure – A bank should design, build, and maintain data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis, while still meeting the other principles.
Principle 3 – Accuracy and Integrity – A bank should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis so as to minimize the probability of error.
Principle 4 – Completeness – A bank should be able to capture and aggregate all material and risk data across the banking group. Data should be available by business line, legal entity, asset type, industry, region, and other groupings, as relevant for the risk in question, that permit identifying and reporting risk exposures, concentrations, and emerging risks.
Principle 5 – Timeliness – A bank should be able to generate aggregate and up-to-date risk data in a timely manner while also meeting the principles relating to accuracy and integrity, completeness, and adaptability. The precise timing will depend upon the nature and potential volatility of the risk being measured as well as its criticality to the overall risk profile of the bank. The precise timing will also depend on the bank-specific frequency requirements for risk management reporting in both normal and stress/crisis situations, set based on the characteristics and overall risk profile of the bank.
Principle 6 – Adaptability – A bank should be able to generate aggregate risk data to meet a broad range of on-demand, ad hoc risk management reporting requests, including requests during stress/crisis situations, requests due to changing internal needs, and requests to meet supervisory queries.
Principle 7 – Accuracy – Risk management reports should accurately and precisely convey aggregated risk data and reflect risk in an exact manner. Reports should be reconciled and validated.
Principle 8 – Comprehensiveness – Risk management reports should cover all material risk areas within the organization. The depth and scope of these reports should be consistent with the size and complexity of the bank’s operations and risk profile, as well as the requirements of the recipients.
Principle 9 – Clarity and Usefulness – Risk management reports should communicate information in a clear and concise manner. Reports should be easy to understand yet comprehensive enough to facilitate informed decision-making. Reports should include meaningful information tailored to the needs of the recipients.
The principles listed above basically describe the status of the data architecture and the basic Cr.U.D (Create, Update, and Delete) processes that support it. A data audit and a relevant gap analysis will outline any issues.
Principle 10 – Frequency – The board and senior management (or other recipients as appropriate) should set the frequency of risk management report production and distribution. Frequency requirements should reflect the needs of the recipients, the nature of the risk reported, and the speed at which the risk can change, as well as the importance of reports in contributing to sound risk management and effective and efficient decision-making across the bank. The frequency of reports should be increased during times of stress/crisis.
Principle 11 – Distribution – Risk management reports should be distributed to the relevant parties while ensuring confidentiality is maintained.
Principle 12 – Review – Supervisors should periodically review and evaluate a bank’s compliance with the eleven principles above.
Meeting those principles implies a regular distribution of risk management reporting throughout the organization and making sure that data aggregation, risk reporting and any other risk management tool is kept relevant and current.
1.3.4 Action on Regulators
Principle 13 – Remedial actions and supervisory measures – Supervisors should have and use the appropriate tools and resources to require effective and timely remedial action by a bank to address deficiencies in its risk data aggregation capabilities and risk reporting practices. Supervisors should have the ability to use a range of tools, including Pillar 2, a Supervisory Review Process which is an overall assessment of risks that include quantitative and qualitative factors (Financial Stability Institute).
Principle 14 – Home/host cooperation – Supervisors should cooperate with relevant supervisors in other jurisdictions regarding the supervision and review of the Principles, and the implementation of any remedial action if necessary.
Financial supervisory bodies should be able to require efficient and timely remedial action in the case of any deficiency in risk data aggregation capabilities and risk reporting practice.
The text of the principles quotes “Principles for effective risk data aggregation and risk reporting”, published by the Basel Committee at the Bank for International Settlements in January 2013.
2.0 What You Can Do to Meet Those Principles
BCBS 239 is not prescriptive. It states a number of principles you have to meet with the aim of improving risk aggregation and risk monitoring.
You need to prove that you follow the principles stated above. A way of achieving this is to perform regular reviews of your data architecture and your risk monitoring principles. This could be exemplified with two types of actions:
- Verify your risk appetite statements
- Audit your data architecture and IT infrastructure
2.1 Verifying Your Risk Appetite Statement
A corporate risk appetite statement describes the level of risk a company is prepared to accept and how it expects to monitor it. The data architecture should support an aggregation model that allows risk to be monitored according to the logic specified in the statement. Not only should the monitoring processes and reports be available, but the data aggregation necessary to achieve the desired level of monitoring should also be possible.
2.2 Audit Data and IT Infrastructure
Principles 2-9 are about the quality of the data structure. This can only be verified by doing data audits to check the relevant parameters; for example, accuracy, integrity, completeness, etc.
The IT infrastructure should also be audited to ensure that it meets the requirement stated in Principle 2, any requirements specified in the ICAAP, and any other risk management model followed by the organization.
A gap analysis of both reviews should identify any remedial action.