Introduction

• Effective risk analysis requires sufficient and high-quality data. This makes data a major asset in today’s world, and it should be treated as such.
• Risk analyses can be made using the

• 1. Internal data of an organization – For example, transaction data within a financial institution or the specific costs of raw materials for a manufacturing company.
  2. Data coming from outside the organization – Financial institutions need data on past inflation rates, changes in money supply, major interest rates, exchange rates, and so on. Some external data can be collected from public sources, whereas other types of data may have to be purchased from vendors.

The main concern is whether data is kept in an organized way so that it can be used for analysis. Tools for analyzing this data can include machine learning (ML) and artificial intelligence (AI).

• A special committee of the Basel Committee on Banking Supervision (BCBS) examined bank data collection, data storage, and data analysis practices. It concluded that data quality in the banking industry was inadequate to aggregate and report risk exposures across business lines, legal entities and at the bank group level.
• In recognition of these inadequacies, the BCBS published a set of 14 principles to guide banks as they overhauled their risk data aggregation and reporting capabilities (BCBS 239). The BCBS defines risk data aggregation as the “process of defining, gathering, and processing risk data according to a firm’s risk reporting requirements to enable the bank to measure its performance against its risk tolerance/appetite.”

Benefits of Effective Risk Data Aggregation and Reporting

• The benefits of effective risk data aggregation and reporting include the following –
  1. Risk managers will have less uncertainty regarding the accuracy, integrity, completeness, timeliness, and adaptability of the data they use.
  2. Tactical and strategic decision-making processes will be enhanced. This reduces the chance of losses and improves risk-adjusted returns.
  3. Banks would be able to leverage the relevant risk information. Decision-makers will have more confidence in the quality of the underlying data and management will be able to make sound risk decisions.
  4. Rigorous model validation also plays a critical role in risk management. Model developers need to demonstrate that the data they use are suitable as well as consistent with both the theory behind the model and the chosen methodology.
  5. Important connections among different dimensions of an organization’s business will be more transparent.
  6. Managers will have a comprehensive view of risk exposures which helps them to anticipate problems before they occur.
  7. Banks will have an increased ability to get back to a better condition during stressed times. For example, a bank may negotiate better credit deals or identify a suitable merger partner.
  8. For global systemically important banks (G-SIBs), having access to aggregate risk data helps the resolution during times of stress.
  9. With better quality data, the risk department will be able to make judgments leading to increased efficiency and profitability.

Data in Model Risk

• Data acquisition plays an important role in model risk. Financial institutions rely on models to guide their day-to-day operations and to analyze their risk exposures. As a result, even the smallest of model errors can have dire consequences.
• Model risk can be decomposed into four components:
  1. input risk
  2. estimation risk
  3. valuation risk
  4. hedging risk
• Data acquisition is especially pertinent when considering input risk. Models depend on the quality of data because it is used to create statistical estimators of their parameters. As the adage goes: “garbage-in, garbage-out”.

Governance (Principle 1)

• A firm’s risk data aggregation capabilities and risk reporting practices should be subject to strong governance arrangements consistent with other principles and guidance established by the Basel Committee. If risk data are the blood of a financial enterprise, then data integration constitutes its circulatory system. A bank with a limited ability to integrate data will have difficulties in satisfying the Basel principles.
• Independent validation is necessary to ensure risk data aggregation and risk reporting (RDARR) capabilities “are functioning as intended and are appropriate for the firm’s risk profile.”
• Policies should be implemented setting out “a clear delineation of roles, incentive schemes, and responsibilities for risk data management (including dedicated staff responsible for defining risk data expectations).”
• The board should, in addition to reviewing and approving a bank’s RDARR, ensure that the appropriate resources are available. RDARR policies should be reviewed, and revised if necessary, after major acquisitions or changes in strategy.
• A bank’s risk data aggregation capabilities and risk reporting practices should be
  1. fully documented and subject to high standards of validation.
  2. unaffected by the bank’s group structure, including its legal organization and geographical presence.
• In case of an acquisition,
  1. The bank should evaluate the risk data aggregation and reporting capabilities of the target firm when deciding whether to make the acquisition.
  2. A time frame should be established to integrate the risk data aggregation and reporting processes of the two firms.
• Senior management should support risk data aggregation and reporting processes with financial and human resources. Senior management should be aware of the limitations that are a hurdle to full risk data aggregation in terms of coverage, technicality as well as legality.
• The board should identify, assess and manage data quality risks. Service level standards should be considered.

Data Architecture and IT Infrastructure (Principle 2)

• A bank should design, build, and maintain data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis, while still meeting the other Principles.
• Firms should establish integrated risk data classifications and architectures.
• There is no uniform blueprint but in general, the optimal approach should ensure that all people and systems within the banking group are working with the same data, the same models, and the same assumptions.
• Roles should be clearly specified, including the responsibilities for ensuring “adequate controls throughout the lifecycle of the data and for all aspects of the technology infrastructure.” Risk managers and IT specialists should have the responsibility to ensure that the data is relevant, entered correctly, and properly integrated with data taxonomies.
• Risk data aggregation and reporting practices should be made a crucial part of the bank’s planning processes.
• The four primary types of data models include:
  1. Semantic data models address the agreed-upon meaning of elements in the model.
  2. Conceptual data models confirm human understanding of the system and its objectives.
  3. Logical data models describe data in as much detail as possible, and are not concerned with implementation.
  4. Physical data models translate the data requirements and properties expressed in the logical model into a specific implementation on an IT hardware/software vendor system platform.
• In summary, banks with effective (i.e., fully or largely compliant) data architecture and IT infrastructure have consolidated their “data categorization approaches and structures as well as integrated data taxonomies.”

Characteristics of Strong Risk Data Aggregation Capability

• The following are four primary characteristics of strong risk data aggregation capabilities –
  1. Accuracy and Integrity (Covered by Principle 3)
  2. Completeness (Covered by Principle 4)
  3. Timeliness (Covered by Principle 5)
  4. Adaptability (Covered by Principle 6)

Accuracy and Integrity (Principle 3)

• A bank should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis to minimize the probability of errors.
• Firms need to monitor their data on an ongoing basis to ensure its accuracy and integrity.
• Risk data should be complete, reconciled with sources, and include all material risk disclosures at a granular level.
• Classifications and categorizations are necessary to present complete and manageable information to executive management. If classifications are too broad, however, information loss and data distortion can occur.

Completeness (Principle 4)

• A bank should be able to capture and aggregate all material risk data across the banking group. Data should be available by business line, legal entity, asset type, industry, region, and other groupings, as relevant for the risk in question, that permit identifying and reporting risk exposures, concentrations, and emerging risks.
• Aggregation of both on-balance sheet risks and off-balance sheet risks should be done.
• If the data is not complete, the reasons should be explained for bank supervisors.
• Even though it is not mandatory to express all forms of risk using a common metric, risk data aggregation capabilities should be the same irrespective of the risk aggregation systems implemented.

Timeliness (Principle 5)

• A bank should be able to generate aggregated and up-to-date risk data in a timely manner while also meeting the principles relating to accuracy and integrity, completeness, and adaptability. The precise timing will depend upon the nature and potential volatility of the risk being measured as well as how critical it is to the overall risk profile of the bank. The precise timing will also depend on the bank-specific frequency requirements for risk management reporting, under both normal and stress/crisis situations, set based on the characteristics and overall risk profile of the bank.
• The degree of timeliness required depends on the risk area being monitored. For example, data used to measure risk on the trading floor will need to generate risk information on a timelier basis when compared to risk information on a corporate loan.
• Information systems dedicated to trading rooms must accommodate a wide variety of specific and potentially complex financial instruments. These risks need to be evaluated quickly and frequently for the purposes of managing a trading book or a portfolio

Adaptability (Principle 6)

• A bank should be able to generate aggregate risk data to meet a broad range of on-demand, ad hoc risk management reporting requests, including requests during stress/crisis situations, requests due to changing internal needs, and requests to meet supervisory queries.
• Risk data aggregation practices need to be adaptable. An example of adaptability would be the ability to integrate a hypothetical stress scenario with other parts of the portfolio to produce an aggregated enterprise risk measure.
• Adaptability would also include the capability to incorporate changes in an upcoming regulatory framework (e.g., an update to Basel capital regulatory rules) and the ability to combine that with historical data to produce an overall risk measure.

Characteristics of Effective Risk Reporting Practices

• The following are the five characteristics of effective risk reporting practices –
  1. Accuracy (Covered by Principle 7)
  2. Comprehensiveness (Covered by Principle 8)
  3. Clarity and usefulness (Covered by Principle 9)
  4. Frequency (Covered by Principle 10)
  5. Distribution and Confidentiality (Covered by Principle 11)

Accuracy (Principle 7)

• Risk management reports should accurately and precisely convey aggregated risk data and reflect risk in an exact manner. Reports should be reconciled and validated.
• The BCBS notes that “risk management reports should be accurate and precise to ensure a bank’s board and senior management can rely with confidence on the aggregated information to make critical decisions about risk.”
• For instance, the ability to use models to aggregate risk depends upon having those models be fully vetted to ensure that the results are accurate within a given level of specificity. Banks should also establish accuracy and precision requirements for their risk reports that reflect the criticality of decisions made using risk information.

Comprehensiveness (Principle 8)

• Risk management reports should cover all material risk areas within the organization. The depth and scope of these reports should be consistent with the size and complexity of the bank’s operations and risk profile, as well as the requirements of the recipients.
• Risk reports need to be comprehensive and cover all risk types (credit risk, market risk, liquidity risk, operational risk). These risks include the Pillar 1 and Pillar 2 risks.
• Risk management reports should include exposure and position information for:
  1. important components of the above risk types (for example, name, country, and industry sector for credit risk)
  2. risk-related measures (for example, regulatory and economic capital)
  3. emerging risk concentrations

Clarity and Usefulness (Principle 9)

• Risk management reports should communicate information in a clear and concise manner. Reports should be easy to understand yet comprehensive enough to facilitate informed decision-making. Reports should include meaningful information tailored to the needs of the recipients.
• Risk reports need to be clear and useful as well as tailored to the needs of their users. The BCBS notes that “reports should include an appropriate balance between risk data, analysis and interpretation, and qualitative explanations.”
• These reports should be purposeful, in the sense that they should be tailored towards a specific audience (e.g., a trading unit or a lending unit). For example, risk reports for a board of directors should not be difficult to interpret at an aggregate level.

Frequency (Principle 10)

• The board and senior management (or other recipients as appropriate) should set the frequency of risk management report production and distribution. Frequency requirements should reflect the needs of the recipients, the nature of the risk reported, and the speed at which the risk can change, as well as the importance of reports in contributing to sound risk management and effective and efficient decision-making across the bank. The frequency of reports should be increased during times of stress/crisis.
• Risk reporting frequency is a function of the risk type and purpose of each risk report. During times of stress, report frequency may increase to keep pace with unusually fast-moving markets. Additionally, there may be situations where rapid risk analyses are required to facilitate decision-making. In short, all these situations should be planned for ahead of time (to the extent such preparation is possible).
• However, there may be unavoidable limits on reporting frequency. For example, in cases where forward-looking stochastic cash flow simulations are used, the volume of data produced can be significantly larger than that of the input data. Having too much output data can negatively impact a firm’s ability to perform the necessary quality checks.

Distribution (Principle 11)

• Risk management reports should be distributed to the relevant parties while ensuring that confidentiality is maintained.
• It is important to create an agreed-upon set of report distribution lists, with an eye toward making sure that reports are provided to all relevant decision-makers.
• A distribution list also needs to recognize the degree of confidentiality of the information contained within specific sections of the overall report.

Roles of Supervisors

• Bank supervisors are responsible not only for monitoring and encouraging implementation of the Principles, but also reviewing and evaluating compliance with the Principles. They have the following roles according to the BCBS –
  1. Review (Covered by Principle 12)
  2. Remedial actions and supervisory measures (Covered by Principle 13)
  3. Home/host cooperation (Covered by Principle 14)

Review (Principle 12)

• Supervisors should periodically review and evaluate a bank’s compliance with the eleven Principles given earlier.
• Supervisors must have access to all risk reports, and if required, occasional reports on specific risks issues should be available to them. They must have access to internal validation and audit reports, and should meet with the external auditors or independent experts from the bank to discuss risk data aggregation capabilities.
• Supervisors should test a bank’s risk data aggregation and reporting capabilities in both normal and stressed environments. This should also include scenarios where there is an unanticipated boost in business volumes.
• Supervisors should review and test compliance with the Principles on a regular basis. This may involve reviewing and testing across multiple banks with respect to specific risk issues, like exposures to risk factors, for example.

Remedial Actions and Supervisory Measures (Principle 13)

• Supervisors should have and use the appropriate tools and resources to require effective and timely remedial action by a bank to address deficiencies in its risk data aggregation capabilities and risk reporting.
• Supervisors should use various tools to address material deficiencies like
  1. requiring remedial actions from a bank;
  2. requiring an independent review by an external expert;
  3. increasing the intensity of supervision; and
  4. the use of capital add-ons.
• Supervisors should set limits on a bank’s risks or on their activities where material deficiencies in risk data aggregation and reporting are present.
• Supervisors should ensure that implementation plans of robust risk data aggregation are possible before allowing any new business initiatives and/or acquisitions.
• Supervisors should make some predictions on the effectiveness of remedial actions and should revise actions if the known deficiencies are not appropriately addressed within the timeframe.

Home/Host Cooperation (Principle 14)

• Supervisors should cooperate with relevant supervisors in other jurisdictions regarding the supervision and review of the Principles, and the implementation of any remedial action if necessary.
• Home and host supervisory authorities should cooperate and share relevant information across bank operations in different jurisdictions.
• Supervisors should share information within the limits of applicable laws.
• Supervisors should communicate remedial actions by regular meetings, conference calls, emails.
• Supervisors should share their experiences about the quality of risk data aggregation capabilities and risk reporting practices in different parts of the group across multiple jurisdictions.