Rising to the BCBS 239 Challenge: A practitioner’s view

BCBS 239 presents banks and other financial institutions with a significant challenge and a unique opportunity. There are many pitfalls which will need to be avoided for firms to create lasting value.

A practitioner’s view by Barney Walker, Head of Banking Practice, Kinaesis.


Post on 31-Jan-2020


Barney Walker

Head of Banking Practice

[email protected]

Kinaesis.com

There’s no doubt that the Basel Committee on Banking Supervision’s “Principles for Effective Risk Data Aggregation and Risk Reporting” (BCBS 239) represents a huge step forward in risk management practices for the industry. However, implementation of the principles by January 2016 presents banks with a major technology, governance and operational challenge.

In order to comply with the principles, firms need to sort out areas of traditional weakness – enterprise level data quality, governance, warehousing, aggregation and reporting processes. Enterprise data sourcing, quality and governance are topics that have been too often ignored or sidelined as the difficult child that we don’t quite know how to handle. Significant catch up is needed in both technology and in adopting an effective data management operating model. Conversely, data aggregation and reporting has often been lavished with generous investment budgets. However, these projects have high failure rates (partly due to failure to solve the data challenges mentioned above). Gartner research (1) estimates that 70% to 80% of business intelligence projects fail to meet their business objectives.

So a perfect storm is forming: the need to correct the sins of the past; in an area of high historic project failure; against a fixed regulatory timeline. Banks need to act with urgency and precision. And it’s also not just major banks that need to get their ducks in a row. The Financial Stability Board (FSB) (2) has made clear that these improvements will need to be adopted by all systemically important financial institutions (SIFIs).

However, it’s not all doom and gloom. Digging into the principles, they predominantly talk, in very clear terms, of system and process qualities: accuracy and integrity; completeness; timeliness; adaptability; comprehensiveness; clarity and usefulness. Simply put, they are the excellent top level requirements for an effective enterprise MIS system. Any successful investment in this area will provide significant leverage and will add lasting enterprise value.

“Strong risk management capabilities are an integral part of the franchise value of a bank. Effective implementation of the Principles should increase the value of the bank.” (3)

This paper explains BCBS 239 in more detail and makes recommendations for how firms can accelerate adoption and deliver a high performance data management infrastructure.

BCBS 239 – a recap

The BCBS 239 principles cover four closely related topics (a one page BCBS 239 “primer” with a full list of the principles is included at the end of this paper):

1. Overarching governance and infrastructure – Firms need to put in place strong governance and ownership for their data aggregation and risk reporting framework. An effective operating model needs to be implemented covering people, policies, process, organisation and infrastructure. The infrastructure must support all reporting requirements for normal and stress or crisis situations.

2. Risk data aggregation capabilities – Robust, high performance systems are needed to ensure risk reports are accurate, timely and complete. The platform also needs to be flexible and adaptable. It needs to meet the evolving internal reporting needs of the firm and external reporting requirements of supervisory bodies. Enterprise data dictionaries need to be documented. Comprehensive controls around data sourcing and quality must be put in place, including reconciliation to all sources and single sourcing of each type of risk where feasible.

3. Risk reporting practices – This set of principles, very closely intertwined with data aggregation capabilities, focuses on making the risk reporting and management process effective and practical. As the BCBS 239 document puts it "data alone does not guarantee that the board and senior management will receive appropriate information to make effective decisions about risk." The scope covers reporting and management of all significant risk areas, with each risk area needing to be broken down into all significant components. Risk reports also need to cover any significant related measures, for example regulatory and economic capital. And it's not just about current and historic reporting. Forward looking assessments of likely trajectory of capital and risk profile need to be part of the solution. The reporting must be useful, clear, comprehensive, timely, produced at an appropriate frequency and supported by an effective operating model.

4. Supervisory review, tools and cooperation – The principles will be backed by regular supervisory review, in addition to the independent review structure that firms are expected to establish. Where implementation is found to be deficient, supervisory bodies will set remedial actions, including capital add-ons, as both a mitigant and an incentive under pillar 2.


Aren’t these just basic good business practices?

The BCBS 239 principles form the foundations of how to manage risk effectively in a large financial institution. In addition to this need for a step change improvement in risk management practices, profitability also remains a major issue. Financial firms face huge challenges generating adequate returns. With diminishing margins and increasing capital needs there is a much greater requirement for information that will drive profitable business activity and efficient use of scarce resources. Measures such as return on regulatory and economic capital, return on equity and balance sheet usage are no longer just ethereal concepts discussed periodically at board meetings and commented on in annual reports. They are key metrics needed to run and control businesses on a daily basis at all levels of management.

It’s clear when studying the BCBS 239 principles that successful implementation will provide the framework for these broader management reporting needs. So yes – these are just basic good business practices. However, it doesn’t mean that implementing them is straightforward. Especially if they are an after-thought.

Easier said than done

Although the BCBS 239 principles seem like common sense and good business practice, it doesn’t diminish the challenge of righting the data and information wrongs that have built up over many years. Even those firms that invested in enterprise data warehouses before the crisis found difficulty in extracting the joined up information that they needed. There were quality and coverage problems. Systems weren’t able to adapt to the vastly different demands of managing a firm in a crisis situation. Reporting took too long and it couldn’t be tailored fast enough. It lacked the coverage needed and it was rife with data quality problems and inconsistencies.

In Deloitte’s global risk management survey, eighth edition (4), published in 2013, banks were asked to assess their current risk management and infrastructure capabilities, with some sobering results. Although 72% of banks rated themselves as very effective at managing risk overall, serious concerns persist over risk management systems, data and infrastructure. Systems for managing operational and enterprise risk were rated as very effective by only 38% and 32% of banks respectively. The results for risk data capabilities were even worse. Only 31% rated data quality capabilities very effective, 28% rated data governance very effective, 21% rated data standards very effective and just 20% rated data management very effective. The survey highlighted the banks’ most pressing concerns about their risk management IT systems. Notably 40% of banks were extremely or very concerned about quality and management of risk data and 34% were extremely or very concerned about the ability of their risk technology to adapt to changing regulatory requirements.

The problem with this survey with respect to BCBS 239 is that the principles are holistic. You cannot be considered to have effective overall risk management without all of the pieces, including data strategy and infrastructure, being effective. To say a firm has very effective risk management but deep concerns over data management and quality is an oxymoron.

Another challenging aspect of the BCBS 239 principles is that, although they provide an excellent framework, they are very broad and do not present a set of specific measurable requirements that firms must implement in order to comply. These two factors should sound alarm bells for those with implementation responsibility.

When you put the laundry list of requirements together the scale of the challenge becomes clear. To summarise, the solution must cover:

• Implementation of an effective operating model that covers data quality, governance, reporting process and risk management that supports effective executive review and decision making.

• Covering all significant types of risk including credit risk, market risk, liquidity risk and operational risk.

• With all risk areas broken down into their significant factors.

• Plus all significant related measures included, for example regulatory and economic capital.

• Presented together in a useful, clear, comprehensive and timely manner.

• Produced at an appropriate frequency.

• Catering for normal and stress or crisis conditions.

• Backed by robust data quality controls including reconciliation to all sources.

• Also backed by a comprehensive data dictionary covering all key data, models, calculations and approximations.

Add in the need to be adaptable and flexible enough to cater quickly for emerging new risks and you have a somewhat hair-raising combination of requirements. With regulatory deadlines approaching there is a significant risk that some requirements are de-prioritised or that solutions fail to deliver anywhere near their potential value.

Reaching the bright light at the end of the tunnel

Major financial firms already have programs in place to reach compliance with BCBS 239. The technology and operating model challenges are solvable. They can be overcome by ensuring the project team has the right expert skills and experience. Past performance shows us that this is not a domain for generalists – specialist skills and practical experience of implementing high performance data and reporting infrastructures are needed to succeed. Proven methodologies, particularly in analysing data requirements and solutions, need to be followed.

In many cases focus and acceleration is needed, particularly in the three areas described below.

Clear, measurable and testable requirements – Without defining quantified, testable requirements covering the full scope of the program firms will have little chance of successfully complying with the principles. Industry surveys regularly point to poor requirements quality as the primary cause of project failure; for example, Meta Group research found that 60% - 80% of project failures can be attributed directly to poor requirements gathering, analysis and management. Given that the BCBS 239 principles are high level, unquantified and non-prescriptive (in terms of how they should be implemented) this step is critical.

Data – Firms need to face up to the realities of their data. If your data is broken you just need to fix it. It isn’t just a technology fix. Firms need to understand their data fully, documenting definitions and standards in an enterprise data dictionary. A detailed understanding of data lineage, ownership, temporality and data life-cycle is needed. This definition should drive definition and implementation of an operating model for managing quality and instituting effective data governance. Data, methodologies and calculation need to be harmonized through the silos of the organisation. Definitions and populations of point in time cuts of data need to be carefully documented and controlled. This requires advanced data modeling expertise, proven data management methodologies and practical experience of solving enterprise reporting challenges.

Architecture – The BCBS 239 principles pose particular challenges due to the scale and coverage of data, the timely manner in which it’s needed and the need to be adaptable and flexible. It is unlikely that one size fits all and that there is a single technology solution for the majority of firms. The right approach is to use a combination of best of breed technologies in a layered approach that supports both the functional and non-functional requirements. Between each of these layers, a very careful and considered integration needs to exist. Interactions and data flows need to be carefully planned to ensure that the system delivers. Expertise in high scale data management architectures, metadata management, data analytics and reporting is needed to navigate to the right solution.

Conclusions

The principles and their implementation need to be a top priority and focus for banks. Gaps exist in areas such as data strategy and infrastructure. Firms must put the right expertise in place to close these gaps quickly. The BCBS 239 text is very clear on ownership - the board and senior management are responsible for putting the solution in place, understanding its capabilities and limitations and continuing to maintain it. Practices across different firms will be compared by supervisory bodies - the implication being that benchmarks will be set based on best in class implementation across the industry. So failure to keep up with the Joneses will have a cost. However, successful implementation will create significant lasting value.

How Kinaesis can help customers with BCBS 239

At Kinaesis we combine expertise in high scale data management architectures, metadata management and data analytics with proven information architecture methodologies and deep experience of risk data and finance. From assessment of where our customers are against the Kinaesis Enterprise Information Maturity (EIM) Model to delivery based on the Kinaesis Best Practice Methodology we use out of the box components and templates to accelerate customers’ projects and ensure value delivery. Kinaesis offer proven data services to accelerate delivery and to reduce the risk and cost of your programme. This includes metadata management (data governance, modelling and lineage), rich data management (data life-cycle, state, temporal design) and data insight (data visualisation, metrics and analytics).

To speak with one of our experts contact us on 020 7347 5666 or [email protected]


Biography

Barney is the Head of Banking Practice for Kinaesis and brings over 20 years’ experience in risk, data, business and technology, gained within the banking industry. Barney has held senior positions at J.P. Morgan, including Head of Rates and Public Finance Technology and Head of Proprietary Trading Technology and Operations, and UBS where he was co-head of Group Finance Technology. Barney has many years of experience of working with trading businesses and enterprise divisions to develop and deliver value. He has extensive expertise in risk, data, accounting, regulations, legal and compliance.

References

1. Gartner Inc. Predicts 2012: Business Intelligence Still Subject to Nontechnical Challenges. gartner.com. [Online] December, 2013.

2. Financial Stability Board (FSB). Intensity and Effectiveness of SIFI Supervision - Progress report on implementing the recommendations. http://www.financialstabilityboard.org [Online] October, 2011.

3. Bank for International Settlements (BIS). Principles for effective risk data aggregation and risk reporting BCBS 239. http://www.bis.org [Online] January, 2013.

4. Deloitte. Global risk management survey, eighth edition. http://www.deloitte.com [Online] July, 2013.

About Kinaesis

Kinaesis are leading independent practitioners in the delivery of high performance data architectures, enterprise information management and on-demand risk analytics solutions for Financial Services. We help our customers tap into huge volumes of complex data, unlock its value and bring agile decision making and real-time insight into key business processes. We are specialists in complex, high-volume, global environments, servicing the extreme analytics and reporting needs of many thousands of end users, based on terabytes of data and billions of rows per day.


BCBS 239 - a primer.

Background

BCBS 239 is a set of regulations from the Basel Committee on Banking Supervision. Entitled “Principles for Effective Risk Data Aggregation and Risk Reporting” it is aimed at addressing weaknesses in banks’ ability to identify and manage bank-wide risks. The financial crisis that began in 2007 exposed catastrophic weaknesses in banks’ ability to aggregate risk exposures in an accurate and timely manner. The resultant impact on risk management decision-making “had severe consequences to the banks and to the stability of the financial system as a whole.” (3) The principles were released in January 2013, with a deadline for implementation by global systemically important banks (G-SIBs) of January 1, 2016. The principles are not only applicable to G-SIBs; the Financial Stability Board (FSB) has clearly stated its intention that a time line is set for other firms, particularly systemically important financial institutions (SIFIs), to meet these standards (2).

The Principles (3)

The principles cover four closely related topics. The principles are listed within the four topics below:

Overarching governance and infrastructure - Strong governance, risk data architecture and IT infrastructure.

1. Governance – A bank’s risk data aggregation capabilities and risk reporting practices should be subject to strong governance arrangements consistent with other principles and guidance established by the Basel Committee.

2. Data architecture and IT infrastructure – A bank should design, build and maintain data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis, while still meeting the other Principles.

Risk data aggregation capabilities - Strong risk data aggregation capabilities and accurate reflection of risks.

3. Accuracy and Integrity – A bank should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis so as to minimise the probability of errors.

4. Completeness – A bank should be able to capture and aggregate all material risk data across the banking group. Data should be available by business line, legal entity, asset type, industry, region and other groupings, as relevant for the risk in question, that permit identifying and reporting risk exposures, concentrations and emerging risks.

5. Timeliness – A bank should be able to generate aggregate and up-to-date risk data in a timely manner while also meeting the principles relating to accuracy and integrity, completeness and adaptability. The precise timing will depend upon the nature and potential volatility of the risk being measured as well as its criticality to the overall risk profile of the bank. The precise timing will also depend on the bank-specific frequency requirements for risk management reporting, under both normal and stress/crisis situations, set based on the characteristics and overall risk profile of the bank.

6. Adaptability – A bank should be able to generate aggregate risk data to meet a broad range of on-demand, ad hoc risk management reporting requests, including requests during stress/crisis situations, requests due to changing internal needs and requests to meet supervisory queries.

Risk reporting practices – An effective operating model.

7. Accuracy - Risk management reports should accurately and precisely convey aggregated risk data and reflect risk in an exact manner. Reports should be reconciled and validated.

8. Comprehensiveness - Risk management reports should cover all material risk areas within the organisation. The depth and scope of these reports should be consistent with the size and complexity of the bank’s operations and risk profile, as well as the requirements of the recipients.

9. Clarity and usefulness - Risk management reports should communicate information in a clear and concise manner. Reports should be easy to understand yet comprehensive enough to facilitate informed decision-making. Reports should include an appropriate balance between risk data, analysis and interpretation, and qualitative explanations. Reports should include meaningful information tailored to the needs of the recipients.

10. Frequency - The board and senior management (or other recipients as appropriate) should set the frequency of risk management report production and distribution. Frequency requirements should reflect the needs of the recipients, the nature of the risk reported, and the speed at which the risk can change, as well as the importance of reports in contributing to sound risk management and effective and efficient decision-making across the bank. The frequency of reports should be increased during times of stress/crisis.

11. Distribution - Risk management reports should be distributed to the relevant parties while ensuring confidentiality is maintained.

Supervisory review, tools and cooperation – Strong supervisory oversight.

12. Review - Supervisors should periodically review and evaluate a bank’s compliance with the eleven Principles above.

13. Remedial actions and supervisory measures - Supervisors should have and use the appropriate tools and resources to require effective and timely remedial action by a bank to address deficiencies in its risk data aggregation capabilities and risk reporting practices. Supervisors should have the ability to use a range of tools, including Pillar 2.

14. Home/host cooperation - Supervisors should cooperate with relevant supervisors in other jurisdictions regarding the supervision and review of the Principles, and the implementation of any remedial action if necessary.