Principles for Effective Risk Data Aggregation and Risk Reporting: A Framework for Systemically Important Banks

Introduction and Background

- One of the most significant lessons from the global financial crisis that began in 2007 was that banks' IT and data architectures were inadequate to support the broad management of financial risks.

- Many banks lacked the ability to aggregate risk exposures and identify risk concentrations quickly and accurately. This had severe consequences for the banks and the stability of the financial system as a whole.

- The Basel Committee issued supplemental Pillar 2 guidance to enhance banks' ability to identify and manage bank-wide risks. A key element is having appropriate management information systems (MIS).

- Improving banks' risk data aggregation capabilities will enhance risk management and decision-making processes. It will also improve their resolvability.

- Many in the industry recognize the benefits of improving risk data aggregation capabilities in terms of strengthening risk management, improving efficiency and strategic decision-making, and increasing profitability.

- Supervisors note that banks need to make further progress and there is a danger this work may receive slower-track treatment as the crisis fades, given it requires significant investments.

Objectives and Scope

- The Principles aim to strengthen banks' risk data aggregation capabilities and internal risk reporting practices, which will enhance risk management and decision-making.

- The Principles are initially focused on systemically important banks (SIBs), in particular global SIBs (G-SIBs). G-SIBs identified in 2011-12 must meet the principles by January 2016. Those designated in later annual updates get 3 years from their designation.

- National supervisors can apply the Principles to a wider range of banks as relevant for their jurisdictions.

- The Principles cover four closely related topics: 1) Overarching governance and infrastructure; 2) Risk data aggregation capabilities; 3) Risk reporting practices; 4) Supervisory review, tools and cooperation.

- Banks should meet all the Principles simultaneously, but trade-offs can be made in exceptional circumstances if they don't materially impact risk management.

- The Principles apply to a broad range of risk data, supporting a variety of key risk management processes, including capital adequacy, credit risk, market risk, liquidity risk, operational risk, interest rate risk, etc.

Overarching Governance and Infrastructure:

- Principle 1: A bank's risk data aggregation and reporting framework should be subject to strong governance consistent with existing Basel Committee principles for corporate governance and MIS.

- Responsibilities should be defined for the ownership and quality assurance of risk data and reports, including ensuring controls over data integrity, accuracy and completeness.

- Principle 2: Banks should have a strong data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and reporting practices under normal and stress/crisis situations.

- The architecture and infrastructure should allow for flexibility to meet arising data needs, align with the bank's business model complexity, and meet data confidentiality needs.

Risk Data Aggregation Capabilities:

- Principle 3: Banks should have the ability to generate accurate and reliable risk data to meet normal and stress/crisis reporting requirements.

- Requires strong controls over data, largely automated aggregation processes, and having a single authoritative source for each type of risk data.

- Principle 4: Banks should be able to capture and aggregate all material risk data across the group by business line, legal entity, asset type, industry, region, etc.

- This allows identification and reporting of risk exposures, concentrations and emerging risks.

- Principle 5: Risk data should be generated in a timely manner, while maintaining accuracy, integrity, completeness and adaptability.

- Precise timing depends on the nature of the risk, its volatility and criticality to the bank's risk profile. Faster timelines are needed for stress/crisis situations.

- Principle 6: Risk data capabilities should be adaptable and flexible to meet ad hoc requests and for events such as mergers, new products, or changes in the regulatory framework.

Risk Reporting Practices:

- Principle 7: Risk management reports should accurately and precisely convey aggregated risk data and reflect risk in an exact manner. Reports should be validated and reconciled with sources.

- Principle 8: Reports should be comprehensive, covering all material risks areas, and at a depth and scope consistent with the bank's size and complexity and recipient needs.

- Principle 9: Reporting should be clear and concise, easy to understand, yet comprehensive enough to facilitate informed decision-making. Requires an appropriate balance of quantitative and qualitative information.

- Principle 10: Reporting frequency should reflect the needs of the recipients, the nature of the risk, speed at which the risk can change, and the importance in contributing to sound risk management and decision-making.

- Principle 11: Risk reports should be distributed to the relevant parties while ensuring confidentiality. Procedures should allow for rapid collection, analysis and dissemination of reports.

Supervisory Review, Tools and Cooperation:

- Principle 12: Supervisors should periodically review and evaluate a bank's compliance with the Principles as part of their regular supervisory reviews or targeted reviews.

- Principle 13: Supervisors should have and use appropriate tools and resources to require effective and timely remedial action by banks to address risk data and reporting deficiencies.

- Supervisory measures can include increased supervision, requiring third-party reviews, capital add-ons under Pillar 2, limitations on risks/growth, etc.

- Principle 14: Supervisors should cooperate across jurisdictions on reviewing banks' compliance with the Principles and implementation of any remedial actions.

Implementation Timeline and Arrangements:

- National supervisors will start discussing implementation of the Principles with G-SIBs' senior management in early 2013 to ensure they develop strategies to meet them by 2016.

- Supervisory approaches will likely include requiring self-assessments by G-SIBs against the Principles in early 2013, aimed at closing gaps by 2016.

- The Basel Committee will monitor G-SIBs' progress through its Standards Implementation Group annually starting end-2013 and share results with the Financial Stability Board (FSB). This will include assessing the effectiveness of the Principles and if any enhancements are needed.

In conclusion, the Principles provide a comprehensive framework for banks to improve their risk data aggregation and reporting capabilities. This is critical for strengthening banks' risk management, particularly for systemically important institutions. Implementation will be phased through 2016, with strong supervisory expectations and monitoring globally. While requiring significant investment, the improvements will generate lasting benefits for banks' management of risks and profitability.