ABOUT THE AUTHORS

Mark James is a Partner and Head of the Strategic IT & Operations practice for the Asia Pacific region, based in Singapore mark.james@oliverwyman.com

Paul Mee is a Partner and Head of the Strategic IT & Operations practice for the UK/EMEA region, based in London paul.mee@oliverwyman.com

Pankaj Khanna is a Principal in Finance & Risk and Strategic IT & Operations, based in London pankaj.khanna@oliverwyman.com

Patrick Ryan is a Principal in the Strategic IT & Operations practice, based in Singapore patrick.ryan@oliverwyman.com

cover governance and capabilities related to risk data

management, the way data is aggregated, the way

it is reported and the role of supervisors in ensuring

adherence. While ostensibly focused on risk data,

the principles are ultimately about enabling timely,

consistent and informed decision-making across the

bank. We anticipate that the implications across bank

operations will be broad and deep, as illustrated in

Exhibit 1. In the first instance, these principles apply

to Global Systemically Important Banks (G-SIBs), who

need to adhere by the end of 2015 and are expected to

undertake self-assessments and produce remediation

plans later this year. Domestic SIBs (D-SIBs) are

expected to be exposed to similar requirements in

due course. The BCBS document calls for adherence

within three years of a bank being designated a G-SIB

or D-SIB. More generally, we expect that these BCBS

principles will provide a minimum standard for

national supervisors, many of whom have already

made statements calling for better data quality.

For many banks current risk data aggregation and

risk reporting arrangements fall far short of the BCBS

principles. Short term, manual “work-arounds” are

unlikely to appease regulators let alone upgrade

capabilities; and pressure to make improvements quickly

has magnified. The extent, intensity and pace of change

called for will therefore be significant. Those banks

unable to adhere to the principles within the deadline

will be subject to consequences imposed by their

regulators. Those banks failing to adapt and advance

are likely to also suffer competitive disadvantages, as

rivals benefit from the improved decision-making that

comes from using heightened intelligence derived from

better, faster, fit-for-purpose data. In this Oliver Wyman

report we proffer a three-point plan to go beyond basic

adherence to the principles and architect a strategic

capability that will represent a step-change in a given

bank’s decision-making and performance. While

certainly a demanding task, we believe it requires a

prominent place on the enterprise agenda2.

2 See the recent Oliver Wyman “State of the Financial Services Industry, 2013” report where we discuss the importance of information for the industry, http://www.oliverwyman.com/state-of-financial-services-2013.htm.

Copyright © 2013 Oliver Wyman 4

1. SELF-ASSESS

We advocate a two-step approach to assessing readiness

to meet the BCBS principles. First, examine your ability

to satisfy each principle at a high level across the risk

management operating model (i.e. policies, processes

and systems), considering your current key data

aggregation and reporting challenges. Then delve into

specific risk management processes in order to detail

the size and scope of gaps.

Consider principle 1:

• Governance – A bank’s risk data aggregation

capabilities and risk reporting practices should be subject

to strong governance consistent with other principles

and guidance established by the Basel Committee.

Who should assume accountability for improving risk data

management, aggregation and reporting capabilities?

Rarely is there an obvious answer. Risk data by its nature

is a shared asset. Transaction data originates in front

office systems and customer databases are maintained

by front or middle office with data input from a variety

of sources. Similarly, risk data outputs are used outside

the risk department. Key data elements often need to

reconcile and report alongside inputs from finance and

treasury departments. Risk-based pricing is controlled in

part by the front office. Risk metrics are reported and used

throughout the bank, including business heads, finance

and treasury. We advised a G-SIB on this very problem as

they completed a preliminary self-assessment against the

BCBS principles, as illustrated in case study 1.

Now consider principles 3 and 4:

• Accuracy and integrity – A bank should be able to

generate accurate and reliable risk data to meet normal

and stress/crisis reporting accuracy requirements. Data

should be aggregated on a largely automated basis so

as to minimise the probability of errors.

• Completeness – A bank should be able to capture and

aggregate all material risk data across the banking

group. Data should be available by business line, legal

entity, asset type, industry, region and other groupings

that permit identifying and reporting risk exposures,

concentrations and emerging risks.

ExHIBIT 2: MANUAL PROCESSES OFTEN THE ROOT CAUSE OF POOR DATA QUALITy

15010050

NUMBER OF MANUAL ACTIVITIES PERFORMED

EXAMPLESKEY STATISTICS (MONTHLY)

Manualuploads

Manualadjustments

Hand-offs

Separatechecks

• Credit risk grade

• IFRS provisioning

• Customer segmentation

• Missing customer identification andmissing customer information

• Non-CSA Collateral

• Accounting should-be data (Prod. Ctrl IT)

• Separate table with manual LGD calculations for specific loans (Data Mart IT)

• Check data in DW to ensure successful manual GM data upload

• Check for consistency between data mart table and Basel input table

0

Copyright © 2013 Oliver Wyman 5

3. STRATEGy AND IMPLEMENTATION PLAN

Having assessed existing capabilities against the

principles, banks should move to concluding

preparations by developing a strategy to upgrade risk

data management, aggregation and reporting. The

strategy should address the issues and opportunities

identified, and include target state designs and

implementation plans for governance, processes, data

architecture, systems and reporting tools across all

stakeholder groups. As illustrated in case study 2, some

banks are considering an ambitious strategic response

to the BCBS principles.

Given the broad ambition in the BCBS principles,

banks will need to make assumptions when designing

their target state. For example, BCBS 239 calls for

“adaptability” and the ability to aggregate and report

data “during stress/crisis situations” without specifying

what constitutes a stress or crisis situation. Significant

market liquidity events such as that which followed the

Lehman Brothers bankruptcy would certainly apply.

Would recent natural disasters in New york (Superstorm

Sandy) and Thailand (floods) also qualify? Many banks

were unable to function at 100% during these events, nor

manage the resulting risks and business impact. Rather

than develop contingency plans for individual crises we

advise banks to develop “playbooks” that would apply

to a range of scenarios. Banks are also bound to face

issues that have bedevilled them in the past: for example

how to get risk, finance and treasury departments to see

eye to eye on management information and reporting,

or build common components across overlapping data

architectures and processes. Banks should therefore

“stress test” their strategies from a variety of angles

to ensure they are flexible and robust while balancing

the inherent trade-offs between investment costs and

value creation.

Banks can gain a clear competitive advantage by

improving risk data management, aggregation and

reporting capabilities and as a result decision-making

and business performance. Regulators are clearly

concerned that banks make decisions based upon

accurate, timely and comprehensive risk reporting;

especially in times of stress. Banks would benefit most

if they took a comprehensive and strategic approach in

adopting the principles rather than approach it as yet

another compliance exercise. After all, effective data

driven decision making can be life-saving at a time of

crisis, and essential in setting long term strategy and

managing the business day-to-day. In fact, we wonder

how data remained off the agenda for so long.

* * * * *

Copyright © 2013 Oliver Wyman 9

APPENDIx: THE 14 BCBS PRINCIPLES FOR EFFECTIvE RISK DATA AGGREGATION AND RISK REPORTING

OvERARCHING GOvERNANCE AND INFRASTRUCTURE

1. Governance • A bank’s risk data aggregation capabilities and risk reporting practices should be subject to strong governance consistent with other principles and guidance established by the Basel Committee.

2. Data architecture and IT infrastructure

• A bank should design, build and maintain data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis, while still meeting the other principles.

RISK DATA AGGREGATION CAPABILITIES

3. Accuracy and Integrity • A bank should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis so as to minimise the probability of errors.

4. Completeness • A bank should be able to capture and aggregate all material risk data across the banking group. Data should be available by business line, legal entity, asset type, industry, region and other groupings that permit identifying and reporting risk exposures, concentrations and emerging risks.

5. Timliness • A bank should be able to generate aggregate and up to date risk data in a timely manner while also meeting the principles relating to accuracy and integrity, completeness and adaptability. The precise timing will depend upon the nature and potential volatility of the risk being measured as well as its criticality to the overall risk profile of the bank. This timeliness should meet bank-established frequency requirements for normal and stress/crisis risk management reporting.

6. Adaptability • A bank should be able to generate aggregate risk data to meet a broad range of on-demand, ad hoc risk management reporting requests, including requests during crisis situations, requests due to changing internal needs and requests to meet supervisory queries.

RISK REPORTING PRACTICES

7. Accuracy • Risk management reports should accurately and precisely convey aggregated risk data and reflect risk in an exact manner. Reports should be reconciled and validated.

8. Comprehensiveness • Risk management reports should cover all material risk areas within the organisation. The depth and scope of these reports should be consistent with the size and complexity of the bank’s operations and risk profile, as well as the requirements of the recipients.

9. Clarity • Risk management reports should communicate information in a clear and concise manner. Reports should be easy to understand yet comprehensive enough to facilitate informed decision-making. Reports should include an appropriate balance between risk data, analysis and interpretation, and qualitative explanations.

10. Frequency • The board and senior management (or other recipients as appropriate) should set the frequency of risk management report production and distribution. Frequency requirements should reflect the needs of the recipients, the nature of the risk reported, and the speed at which the risk can change, as well as the importance of reports in contributing to sound risk management and effective/efficient decision-making across the bank. The frequency of reports should be increased during times of crisis.

11. Distribution • Risk management reports should be distributed to the relevant parties and include meaningful information tailored to the needs of the recipients, while ensuring confidentiality is maintained.

SUPERvISORy REvIEW, TOOLS AND COOPERATION

12. Review • Supervisors should periodically review and evaluate a bank’s compliance with the eleven principles above.

13. Remedial actions and supervisory measures

• Supervisors should have and use the appropriate tools and resources to require effective and timely remedial action by a bank to address deficiencies in its risk data aggregation capabilities and risk reporting practices. Supervisors should have the ability to use a range of tools, including Pillar 2.

14. Home/host cooperation

• Supervisors should cooperate with relevant supervisors in other jurisdictions regarding the supervision and review of the principles, and the implementation of any remedial action if necessary.

Copyright © 2013 Oliver Wyman 11