about the authors - oliver wyman...to the bcbs principles. given the broad ambition in the bcbs...
TRANSCRIPT
ABOUT THE AUTHORS
Mark James is a Partner and Head of the Strategic IT & Operations practice for the Asia Pacific region, based in Singapore [email protected]
Paul Mee is a Partner and Head of the Strategic IT & Operations practice for the UK/EMEA region, based in London [email protected]
Pankaj Khanna is a Principal in Finance & Risk and Strategic IT & Operations, based in London [email protected]
Patrick Ryan is a Principal in the Strategic IT & Operations practice, based in Singapore [email protected]
cover governance and capabilities related to risk data
management, the way data is aggregated, the way
it is reported and the role of supervisors in ensuring
adherence. While ostensibly focused on risk data,
the principles are ultimately about enabling timely,
consistent and informed decision-making across the
bank. We anticipate that the implications across bank
operations will be broad and deep, as illustrated in
Exhibit 1. In the first instance, these principles apply
to Global Systemically Important Banks (G-SIBs), who
need to adhere by the end of 2015 and are expected to
undertake self-assessments and produce remediation
plans later this year. Domestic SIBs (D-SIBs) are
expected to be exposed to similar requirements in
due course. The BCBS document calls for adherence
within three years of a bank being designated a G-SIB
or D-SIB. More generally, we expect that these BCBS
principles will provide a minimum standard for
national supervisors, many of whom have already
made statements calling for better data quality.
For many banks current risk data aggregation and
risk reporting arrangements fall far short of the BCBS
principles. Short term, manual “work-arounds” are
unlikely to appease regulators let alone upgrade
capabilities; and pressure to make improvements quickly
has magnified. The extent, intensity and pace of change
called for will therefore be significant. Those banks
unable to adhere to the principles within the deadline
will be subject to consequences imposed by their
regulators. Those banks failing to adapt and advance
are likely to also suffer competitive disadvantages, as
rivals benefit from the improved decision-making that
comes from using heightened intelligence derived from
better, faster, fit-for-purpose data. In this Oliver Wyman
report we proffer a three-point plan to go beyond basic
adherence to the principles and architect a strategic
capability that will represent a step-change in a given
bank’s decision-making and performance. While
certainly a demanding task, we believe it requires a
prominent place on the enterprise agenda2.
2 See the recent Oliver Wyman “State of the Financial Services Industry, 2013” report where we discuss the importance of information for the industry, http://www.oliverwyman.com/state-of-financial-services-2013.htm.
Copyright © 2013 Oliver Wyman 4
1. SELF-ASSESS
We advocate a two-step approach to assessing readiness
to meet the BCBS principles. First, examine your ability
to satisfy each principle at a high level across the risk
management operating model (i.e. policies, processes
and systems), considering your current key data
aggregation and reporting challenges. Then delve into
specific risk management processes in order to detail
the size and scope of gaps.
Consider principle 1:
• Governance – A bank’s risk data aggregation
capabilities and risk reporting practices should be subject
to strong governance consistent with other principles
and guidance established by the Basel Committee.
Who should assume accountability for improving risk data
management, aggregation and reporting capabilities?
Rarely is there an obvious answer. Risk data by its nature
is a shared asset. Transaction data originates in front
office systems and customer databases are maintained
by front or middle office with data input from a variety
of sources. Similarly, risk data outputs are used outside
the risk department. Key data elements often need to
reconcile and report alongside inputs from finance and
treasury departments. Risk-based pricing is controlled in
part by the front office. Risk metrics are reported and used
throughout the bank, including business heads, finance
and treasury. We advised a G-SIB on this very problem as
they completed a preliminary self-assessment against the
BCBS principles, as illustrated in case study 1.
Now consider principles 3 and 4:
• Accuracy and integrity – A bank should be able to
generate accurate and reliable risk data to meet normal
and stress/crisis reporting accuracy requirements. Data
should be aggregated on a largely automated basis so
as to minimise the probability of errors.
• Completeness – A bank should be able to capture and
aggregate all material risk data across the banking
group. Data should be available by business line, legal
entity, asset type, industry, region and other groupings
that permit identifying and reporting risk exposures,
concentrations and emerging risks.
ExHIBIT 2: MANUAL PROCESSES OFTEN THE ROOT CAUSE OF POOR DATA QUALITy
15010050
NUMBER OF MANUAL ACTIVITIES PERFORMED
EXAMPLESKEY STATISTICS (MONTHLY)
Manualuploads
Manualadjustments
Hand-offs
Separatechecks
• Credit risk grade
• IFRS provisioning
• Customer segmentation
• Missing customer identification andmissing customer information
• Non-CSA Collateral
• Accounting should-be data (Prod. Ctrl IT)
• Separate table with manual LGD calculations for specific loans (Data Mart IT)
• Check data in DW to ensure successful manual GM data upload
• Check for consistency between data mart table and Basel input table
0
Copyright © 2013 Oliver Wyman 5
3. STRATEGy AND IMPLEMENTATION PLAN
Having assessed existing capabilities against the
principles, banks should move to concluding
preparations by developing a strategy to upgrade risk
data management, aggregation and reporting. The
strategy should address the issues and opportunities
identified, and include target state designs and
implementation plans for governance, processes, data
architecture, systems and reporting tools across all
stakeholder groups. As illustrated in case study 2, some
banks are considering an ambitious strategic response
to the BCBS principles.
Given the broad ambition in the BCBS principles,
banks will need to make assumptions when designing
their target state. For example, BCBS 239 calls for
“adaptability” and the ability to aggregate and report
data “during stress/crisis situations” without specifying
what constitutes a stress or crisis situation. Significant
market liquidity events such as that which followed the
Lehman Brothers bankruptcy would certainly apply.
Would recent natural disasters in New york (Superstorm
Sandy) and Thailand (floods) also qualify? Many banks
were unable to function at 100% during these events, nor
manage the resulting risks and business impact. Rather
than develop contingency plans for individual crises we
advise banks to develop “playbooks” that would apply
to a range of scenarios. Banks are also bound to face
issues that have bedevilled them in the past: for example
how to get risk, finance and treasury departments to see
eye to eye on management information and reporting,
or build common components across overlapping data
architectures and processes. Banks should therefore
“stress test” their strategies from a variety of angles
to ensure they are flexible and robust while balancing
the inherent trade-offs between investment costs and
value creation.
Banks can gain a clear competitive advantage by
improving risk data management, aggregation and
reporting capabilities and as a result decision-making
and business performance. Regulators are clearly
concerned that banks make decisions based upon
accurate, timely and comprehensive risk reporting;
especially in times of stress. Banks would benefit most
if they took a comprehensive and strategic approach in
adopting the principles rather than approach it as yet
another compliance exercise. After all, effective data
driven decision making can be life-saving at a time of
crisis, and essential in setting long term strategy and
managing the business day-to-day. In fact, we wonder
how data remained off the agenda for so long.
* * * * *
Copyright © 2013 Oliver Wyman 9
APPENDIx: THE 14 BCBS PRINCIPLES FOR EFFECTIvE RISK DATA AGGREGATION AND RISK REPORTING
OvERARCHING GOvERNANCE AND INFRASTRUCTURE
1. Governance • A bank’s risk data aggregation capabilities and risk reporting practices should be subject to strong governance consistent with other principles and guidance established by the Basel Committee.
2. Data architecture and IT infrastructure
• A bank should design, build and maintain data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis, while still meeting the other principles.
RISK DATA AGGREGATION CAPABILITIES
3. Accuracy and Integrity • A bank should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis so as to minimise the probability of errors.
4. Completeness • A bank should be able to capture and aggregate all material risk data across the banking group. Data should be available by business line, legal entity, asset type, industry, region and other groupings that permit identifying and reporting risk exposures, concentrations and emerging risks.
5. Timliness • A bank should be able to generate aggregate and up to date risk data in a timely manner while also meeting the principles relating to accuracy and integrity, completeness and adaptability. The precise timing will depend upon the nature and potential volatility of the risk being measured as well as its criticality to the overall risk profile of the bank. This timeliness should meet bank-established frequency requirements for normal and stress/crisis risk management reporting.
6. Adaptability • A bank should be able to generate aggregate risk data to meet a broad range of on-demand, ad hoc risk management reporting requests, including requests during crisis situations, requests due to changing internal needs and requests to meet supervisory queries.
RISK REPORTING PRACTICES
7. Accuracy • Risk management reports should accurately and precisely convey aggregated risk data and reflect risk in an exact manner. Reports should be reconciled and validated.
8. Comprehensiveness • Risk management reports should cover all material risk areas within the organisation. The depth and scope of these reports should be consistent with the size and complexity of the bank’s operations and risk profile, as well as the requirements of the recipients.
9. Clarity • Risk management reports should communicate information in a clear and concise manner. Reports should be easy to understand yet comprehensive enough to facilitate informed decision-making. Reports should include an appropriate balance between risk data, analysis and interpretation, and qualitative explanations.
10. Frequency • The board and senior management (or other recipients as appropriate) should set the frequency of risk management report production and distribution. Frequency requirements should reflect the needs of the recipients, the nature of the risk reported, and the speed at which the risk can change, as well as the importance of reports in contributing to sound risk management and effective/efficient decision-making across the bank. The frequency of reports should be increased during times of crisis.
11. Distribution • Risk management reports should be distributed to the relevant parties and include meaningful information tailored to the needs of the recipients, while ensuring confidentiality is maintained.
SUPERvISORy REvIEW, TOOLS AND COOPERATION
12. Review • Supervisors should periodically review and evaluate a bank’s compliance with the eleven principles above.
13. Remedial actions and supervisory measures
• Supervisors should have and use the appropriate tools and resources to require effective and timely remedial action by a bank to address deficiencies in its risk data aggregation capabilities and risk reporting practices. Supervisors should have the ability to use a range of tools, including Pillar 2.
14. Home/host cooperation
• Supervisors should cooperate with relevant supervisors in other jurisdictions regarding the supervision and review of the principles, and the implementation of any remedial action if necessary.
Copyright © 2013 Oliver Wyman 11