Basel risk data report finds “key weaknesses” in G-SIBs’ approach to data management
Self-assessments circulated by the Basel Committee on Banking Supervision and completed by global systemically important banks (G-SIBs) have revealed many weaknesses in their approach to risk data aggregation and risk reporting.The BCBS’s Working Group on SIB Supervision (WGSS)’s December report, “Progress in adopting the principles for effective risk data aggregation and risk reporting” said that most G-SIBs needed to make “significant” progress to comply with the principles by the January 1, 2016 deadline. In addition, the report said that most G-SIBs are “facing difficulties in establishing strong data aggregation governance, architecture and processes, which are the initial stage of implementation”.
“We’re moving towards a situation where 2016 will come and go and then there will be a report commissioned saying, ‘Yes, we’ve spent $20 million on making ourselves compliant, but we have a lot of reworking to do because we didn’t get a single standard identified and we have competing sets of best practice’,” Charles Radclyffe, chief executive of BIPB, a risk data and analytics consultancy, told Compliance Complete.
Indeed, G-SIBs’ muddled approach to improving risk data aggregation and risk reporting could be attributed in part to a lack of global standards from regulators. Without a lot more help and engagement from regulators, it will be difficult for banks to make the kind of progress the BCBS expects.
“This is a complex, fundamentally new and enormous effort. Unfortunately, it’s being treated in a vacuum in ineffective and inefficient ways by both regulators and firms. When you have real business-critical discussions about how risk is managed in one set of programmes being wrestled to the ground by the experts, it is extremely difficult to come up with a divorced set of technical requirements and then form an integrated programme. Furthermore, the tick-box approach being pursued by the regulators is doomed to failure as it fails to answer a number of basic questions [which] both sides need to resolve in order to be successful. This is big ask. It’s never been done before and, by the way, regulators can’t even do it themselves,” PJ Di Giammarino, chief executive of regulatory think tank JWG, said.
The self-assessment questionnaires were completed in 2013 by 30 G-SIBs who were asked to assess on a scale from four (best) to one (worst) their compliance to the BCBS’s 11Principles for effective risk data aggregation and risk reporting.
The average ratings for principles 1 to 11 ranged from 2.5 to 3.2. The average rating of all 11 principles was 2.8, which indicates that banks’ average reported compliance status stands between largely compliant and materially non-compliant.
The three principles with the lowest reported compliance were principle 2 (data architecture/IT infrastructure), principle 6 (adaptability) and principle 3 (accuracy/integrity); nearly half of banks reported material noncompliance on these principles.
“Indeed, many banks are facing difficulties in establishing strong data aggregation governance, architecture and processes, which are the initial stage of implementation. Instead, they resort to extensive manual workarounds which are likely to impair risk data aggregation and reporting,” the report said.
Risk data governance and architecture
When it comes to risk data governance banks still seem to be struggling to upgrade their technology and to get formal and documented risk data aggregation frameworks in place. That includes the formulation of data dictionaries to be used by all group entities, as well as comprehensive policies governing data quality control and other controls through the data lifecycle. Banks that have not established plans for independent validation of their data aggregation and reporting need to make concrete efforts towards these goals, the BCBS report said.
“I’m surprised that groundwork hasn’t been done already. Unless banks have standards and frameworks clearly defined, it doesn’t matter what kind of infrastructure they build or what technology is used, they’re going to create inconsistencies in the solutions that require reworking and rebuilding at a later stage,” Radclyffe said.
Risk data aggregation and reporting
With regard to the actual data and their collection, the report said that banks needed to make “significant efforts” to improve accuracy, completeness, timeliness and adaptability. That means that banks are still failing to get the complete and correct information, in the right format, to the right person at the right time.
“In what state must the data be? Or what lack of understanding does the organisation have around their data? Maybe some incorrect assumptions have been made around the scale of the challenge,” Radclyffe said.
Reporting systems implementation is not new. Business intelligence and business reporting systems have been around for decades. At the moment, however, there seems to be an unwillingness to embrace innovation to solve these complex risk data aggregation and reporting challenges. Innovative technologies exist and are evolving to meet the challenge; Radclyffe said that even though the volume of data and the scale of the problem around data was changing year-on-year, data technology was certainly keeping pace.
“What we do see is an unwillingness to embrace innovation. If a client is buying a five-year-old system or applying 20-year-old methodologies to solve a data problem then they’re just going to keep falling further behind,” Radclyffe said.
Many banks gave themselves high marks for risk reporting compliance, but rated themselves materially non-compliant on one or more of the aggregation principles. This inconsistency led the BCBS to question the reliability and usefulness of risk reports. How could banks generate meaningful and useful risk reports if they did not have the correct data aggregation framework and governance procedures? The report said that this inconsistency could be attributed to banks’ over-reliance on manual processes for risk data aggregation and reporting.
“Indeed, many banks are facing difficulties in establishing strong data aggregation governance, architecture and processes, which are the initial stage of implementation. Instead, they resort to extensive manual workarounds. The key takeaway is that manual aggregation/reconciliation, even if it somehow results in acceptable risk reports, cannot substitute for strong aggregation capabilities, and over-reliance on such manual workarounds impairs banks’ risk data aggregation and reporting,” the report said.
“This manual intervention is misinterpreted as technology not completely solving the problem, and therefore we have to employ thinking people to bridge the gap. You’re actually employing thinking people to do a robotic task because you haven’t thought about your technology enough. That’s the truth of it,” Radclyffe said.
It is not only weak technology that is to blame for banks resorting to manual workarounds, however. It also stems from a lack of data governance.
“When I look at the answers I don’t see that they’re not automated; this isn’t a technology problem. What I see is [that] they don’t have the processes and the governance under control. The point is that rewiring organisations, policies, processes and jobs is a very deep-rooted and expensive fix. Taking spreadsheet controls away from people at the desk level, defining enterprise dictionaries and putting road blocks in front of market opportunities cuts against the grain of market culture,” Di Giammarino said.
Although most respondents to the self-assessment questionnaire stated that they were working towards full compliance by 2016, 33 percent said that they expected to be fully compliant with at least one principle. In some cases, the BCBS report said, banks appeared to be overly optimistic about their expected compliance dates. Indeed, based on the self-assessment questionnaire results it is difficult to get an accurate picture of banks’ actual state of compliance or non-compliance with the principles. That is because of the limitations of the self-assessment process, and because the results were not audited.
“These self-assessment scope limitations raise concerns that the ratings chosen by the banks may not accurately reflect their compliance status, covering all material group entities, all levels of management and all types of material risk,” the report said.
“If you’re serious about ensuring compliance then you need to audit [the survey results]. It wouldn’t have to be comprehensive, but regulators could do some sampling which said, ‘this bank believes it 2.8 on the scale and our assessment shows it’s woefully below that’,” Radclyffe said.
The WGSS has set out a number of steps which it and national regulators need to take to ensure that G-SIBs achieve full compliance with the 11 principles by the deadline. It has recommended that all supervisory authorities should consider enhancing their efforts to integrate the principles within their own supervisory programmes; test banks’ capabilities to aggregate and produce reports in stress or crisis situations; conduct thematic reviews; and develop supervisory plans or tools for 2014 and 2015.
The WGSS itself is contemplating conducting another self-assessment survey in a reduced form, and a thematic review of the requirements with the lowest scores, as well as stress tests to require banks to complete a risk data aggregation template within a limited timeframe. It remains to be seen, however, whether heightened pressure from regulators will help G-SIBs to complete what could be one the biggest IT projects with which they have ever had to deal.
“The regulatory approach in this regard is flawed. Regulators have to wake up to the vacuum they’ve created in the risk data arena and ratchet up the levels of engagement by three- or four-fold ,or suffer the consequences when the politicians can’t get the answers they need,” Di Giammarino said.