The European Central Bank (ECB) has just published its “Guide on Effective Risk Data Aggregation and Risk Reporting” (RDARR). As the latest step in a journey to improve banks’ risk management through better data quality, the guide represents a shot across the bow of all large ECB-regulated banking institutions.
The ECB sets the tone and indicates its view on the criticality of this effort with its opening statement: “The ability of institutions to effectively manage and aggregate risk-related data is an essential precondition for sound decision-making and strong risk governance. This applies to any data used to steer and manage institutions, both strategically and operationally, as well as data used for risk, financial, and supervisory reporting.”
In issuing the guide, the ECB lays out clear direction for banks and highlights the areas it plans to focus on in forthcoming inspections. Yet this is hardly the first-time banks have been advised to improve RDARR. In this article, we trace the long RDARR journey from inception through a series of reviews/assessments and up to today, providing insight into the ECB’s mindset, an understanding of the current state of play, and the outlook on what’s next.
2013: BCBS Lays the Groundwork
The RDARR journey actually began in January 2013, with the Basel Committee on Banking Supervision’s (BCBS’s) publication of “Principles for Effective Risk Data Aggregation and Risk Reporting.” Often referred to as BCBS 239, this seminal paper was developed to mitigate key failings observed in the aftermath of the global financial crisis of 2007. The 14 principles of BCBS 239 are depicted in the graphic below.
14 Principles for Risk Data Aggregation and Risk Reporting |
|
Theme | Principle |
|
A bank’s risk data aggregation capabilities and risk reporting practices should be subject to strong governance arrangements consistent with other principles and guidance established by the Basel Committee. |
|
A bank should design, build, and maintain data architecture and IT infrastructure that fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis, while still meeting the other principles. |
|
A bank should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis so as to minimize the probability of errors. |
|
A bank should be able to capture and aggregate all material risk data across the banking group. Data should be available by business line, legal entity, asset type, industry, region, and other groupings, as relevant for the risk in question, that permit identifying and reporting risk exposures, concentrations, and emerging risks. |
|
A bank should be able to generate aggregate and up-to-date risk data in a timely manner while also meeting the principles relating to accuracy and integrity, completeness, and adaptability. The precise timing will depend upon the nature and potential volatility of the risk being measured as well as its criticality to the overall risk profile of the bank. The precise timing will also depend on the bank-specific frequency requirements for risk management reporting, under both normal and stress/crisis situations, set based on the characteristics and overall risk profile of the bank. |
|
A bank should be able to generate aggregate risk data to meet a broad range of on-demand, ad hoc risk management reporting requests, including requests during stress/crisis situations, requests due to changing internal needs, and requests to meet supervisory queries. |
|
Risk management reports should accurately and precisely convey aggregated risk data and reflect risk in an exact manner. Reports should be reconciled and validated. |
|
Risk management reports should cover all material risk areas within the organization. The depth and scope of these reports should be consistent with the size and complexity of the bank’s operations and risk profile, as well as the requirements of the recipients |
|
Risk management reports should communicate information in a clear and concise manner. Reports should be easy to understand yet comprehensive enough to facilitate informed decision-making. Reports should include meaningful information tailored to the needs of the recipients |
|
The board and senior management (or other recipients as appropriate) should set the frequency of risk management report production and distribution. Frequency requirements should reflect the needs of the recipients, the nature of the risk reported, and the speed at which the risk can change, as well as the importance of reports in contributing to sound risk management and effective and efficient decision-making across the bank. The frequency of reports should be increased during times of stress/crisis. |
|
Risk management reports should be distributed to the relevant parties while ensuring confidentiality is maintained. |
|
Supervisors should periodically review and evaluate a bank’s compliance with the eleven principles above. |
|
Supervisors should have and use the appropriate tools and resources (including Pillar 2) to require effective and timely remedial action by a bank to address deficiencies in its risk data aggregation capabilities and risk reporting practices. |
|
Supervisors should cooperate with relevant supervisors in other jurisdictions regarding the supervision and review of the principles, and the implementation of any remedial action if necessary. |
Source: BCBS |
In devising these principals, the primary motivation of ECB supervisors was to drive a material improvement in banks’ data management and IT infrastructure, to strengthen RDARR processes. The intention was to push toward a more controlled and robust environment that would be better able to support both current needs and any future shocks.
The original date for implementation was January 2016. Since then, there have been many reviews across the banking community to assess the level of compliance achieved. The results have not been good, with many reviews indicating that banks still had significant work to do and, in some instances, had even regressed.
2018: ECB’s Early Reviews Reveal Shortcomings
Shortly after the 2016 “go-live” date for compliance with the principles, the ECB undertook a thematic review across 25 of the larger banking institutions. The review specifically focused on institutions’ governance, data aggregation, and reporting capabilities, and how they aligned with the principles and expectations set out in BCBS 239. The review was complemented by various benchmarking activities and point-specific reviews.
Results reported in May 2018 highlighted shortcomings across the board, and none of the examined institutions were judged to have adequately met all the principles set out in BCBS 239.
The ECB highlighted weaknesses including:
- Lack of clarity on roles across business functions regarding data ownership and data quality
- Lack of coverage across legal entities within firms
- Poor implementation projects, leading to poor compliance
- Weak validation processes
- Lack of attention and commitment at the executive level
2019: ECB Issues its First Warning
The ECB addressed a letter to all significant credit institutions under its supervision in 2019, pressing them to make immediate improvements to better align with the 14 principles and to adopt best practice across their RDARR environments.
Despite the focus on this area, the ECB reiterated that the progress made by the institutions to this point had been “generally insufficient,” and adherence to the principles was still not widely achieved.
In the letter, the ECB pointed out that some more advanced banks were working toward an integrated reporting solution based on group-wide data governance to achieve a “single source of truth” for RDARR. The ECB stated that it considered this a “best practice” that it would add to its annual supervisory review and evaluation process (SREP) along with the BCBS 239 principles.
It’s worth pointing out here that regulators rarely feel the need to don “data architecture” hats to start defining solutions. The fact that they did so in this case reflects their level of frustration with the current situation.
At the same time, however, it is no surprise that many banks are struggling to develop a sustainable regime for full BCBS 239 compliance. Given the complex and fragmented infrastructure that banks have—usually partitioned by asset class and often by region—aggregating risk data that may be based on different market data curves, varying stresses, and non-uniform models is challenging in itself. This difficulty is compounded by the fact that the environment is constantly shifting due to business changes and regulatory initiatives such as the European Market Infrastructure Regulation (EMIR), Markets in Financial Instruments Directive (MiFID), and Fundamental Review of the Trading Book (FRTB).
2023: BCBS Issues a Weak Progress Report
In November 2023, BCBS published “Progress in Adopting the Principles for Effective Risk Data Aggregation and Risk Reporting,” an update on 31 global systemically important banks’ (G-SIBs’) adoption of the 14 BCBS 239 principles. Of the 31 banks assessed, only two were considered fully compliant, and not a single one of the 14 principles was fully implemented by all firms.
The BCBS noted that significant work was still outstanding in many areas in order to properly adopt the principles and, as a consequence, the issues highlighted in previous reports still applied. The committee recommended that supervisory authorities consider more intensive measures to assess banks and exert greater pressure on firms to improve compliance.
Key challenges highlighted with regard to adoption included:
- The pace of adoption has been slow.
- The complexity and consequent timelines for adopting large-scale data architecture and IT infrastructure change remain major concerns.
- The global pandemic caused banks to refocus on more immediate risk management activities for a significant period, and delays/reversals have not yet been mitigated.
- One of the more significant challenges is the development of robust practices that will enable sustained adherence to principles amid ongoing change.
The BCBS’s 2023 paper highlighted a set of high-level recommendations for banks, including:
- Board-level prioritization of the overall management process for RDARR
- Steps to immediately address weaknesses
- Development of periodic processes to assess compliance with the 14 principles to ensure sustainability
2024: ECB Guide Points the Way Forward
As mentioned above, the ECB’s May 2024 “Guide on Effective Risk Data Aggregation and Risk Reporting” provides a roadmap, supplementing existing guidance on achieving compliance with the 14 principles and highlighting areas of focus for upcoming supervisory inspections.
The ECB has provided seven primary areas for improvement, including some obvious overlap with the recent BCBS recommendations:
- Clear ownership and responsibilities at the very senior management level
- Clear definition of the scope of the RDARR process to ensure capture of all the necessary data and associated processes
- Effective group-wide data governance processes
- A firm-wide data architecture
- Standardized data quality approaches and policies across the full RDARR scope
- Periodicity of risk reporting to be set appropriately to enable timely decision-making
- Properly funded and prioritized implementations, delivered in an effective manner to build compliance
The ECB has sent a clear message that scrutiny in this area will increase. For the immediate future, banks will be under pressure to demonstrate their ability to adhere to the 14 principles and other best practices—and to do so sustainably.
Treliant’s Observations in the Field
We see banking institutions continue to struggle with the breadth and scope of BCBS 239. Many firms initially adopted a process of implementing the principles “to the letter,” and yet not fully in the spirit that was intended. This initially led to very brittle implementations, where solutions and documentation went stale very quickly as the banking environment continued to evolve over time.
Data architectures have often been changed without the extension of necessary controls and governance to new areas that were moving into scope. Ownership and responsibility have been delegated downward, with a subsequent reduction in organizational priority. Management of situations such as Covid and the war in Ukraine have diverted budget and focus. Cost pressures have limited available resources. All these factors, plus many others, have contributed to a degradation of firms’ ability to comply with the 14 principles.
On a more positive note, tooling has improved in recent years, and banks’ focus on data and data management is also increasing. However, the introduction of artificial intelligence (AI) and related regulatory changes represent yet another in a series of material challenges that have forced banks to revisit their processes and solutions again and again. Given the dynamic nature of today’s banking environment, RDARR solutions will only take effect and endure if the principles are fully embedded into the way banks manage their businesses.
Conclusion
Since the inception of the BCBS’s 14 principles for RDARR in January 2013, banks have struggled to achieve adherence. The complexity of the business environment, governance models, regulatory changes, and macroeconomic events have all played a part in slowing progress. In order to improve compliance and ensure sustainability, banks should consider establishing BCBS 239 compliance as a core pillar of the fabric of their institutions. Embedding the principles intrinsically into their risk management will enable compliance to be achieved across all principles, in a sustainable manner.
How Treliant Can Help
Treliant is a financial services consulting firm with a strong focus on data, regulation, and digital transformation. Here’s how Treliant can assist banks with RDARR:
- Data solutions: Our data expertise helps you respond to regulatory changes, deliver regulatory reports, and comply with prudential and privacy regulations. We also help you maximize the return on your data investments by enhancing your cloud migration path with effective data governance for enhanced reporting and analysis.
- Digital transformation: Treliant offers technology enablement to ensure rapid and sustained improvement within your organization.
- Regulatory guidance: Our firm can provide guidance and support to banks on the interpretation and implementation of regulatory changes. This includes helping banks understand the requirements of the regulations, as well as providing practical advice on how to meet those requirements in a cost-effective and efficient manner.
- Risk management: Treliant can help banks identify and manage the risks associated with large-scale changes, including operational, reputational, and financial risks.
Overall, Treliant can help banks effectively comply with regulatory change and manage the associated risks. By leveraging Treliant’s expertise and resources, banks can better understand and meet their obligations, while also protecting their businesses and reputations.