BCBS 239 – Principles for effective risk data aggregation and reporting


Left to right:

  • Marcus Cree, Risk Specialist, GSS Enterprise Risk, Misys Financial Software
  • Kathryn Kerle, Head of Enterprise Risk Reporting, Risk Infrastructure, RBS
  • Richard Petti, Chief Executive Officer, Asset Control

Published in January 2013, the Basel Committee on Banking Supervision document BCBS 239, Principles for Effective Risk Data Aggregation and Reporting, has its roots in the crisis, when supervisors found many banks were unable to quickly and effectively roll up their exposure to Lehman Brothers. Although the principles are well-founded, it is something of a departure for regulators to prescribe best practice in this area.

Risk: What exactly do the principles cover? Should they be seen as a prescriptive set of best practices?

Richard Petti, Asset Control: They are a set of guidelines, developed to help the industry help itself. This kind of regulation occurs in other industries, such as pharmaceutical and automotive, where the regulators look to learn from market participants and suggest things that work. This is a reaction to the postmortem of the financial crisis in 2008 from a risk data perspective – the regulator saw that some institutions had certain kinds of platforms and technology that helped them.

Marcus Cree, Misys Financial Software: What the principles boil down to is that you need to be able to report quickly – you must have single representations of data rather than multiple databases, which could lead to differences. The aim is to be able to aggregate on a number of known and unknown questions quickly at a high level, so an organisation can tie the risks it is taking to its risk appetite.

You might suddenly want to know what your exposure is to a certain obligor and the netting agreements and cascading hierarchies underneath it, and that might not yet have been reported on. So, data has to be structured and stored in such a way that asking that question is not a two-week exercise but, rather, a 10-minute or one-hour exercise. Organisations need to quickly ascertain their exposures and what they can do about them. You are not discovering the damage post-accident, which is what has happened too often in the past.

Kathryn Kerle, RBS: There is a lot of focus on data, but the reporting side is equally important, and that is where my focus has been. To improve reporting – and this is in line with the principles – we need to focus on the end-user, understand what their information needs are, and then get the organisation to deliver that. Too often, in the past, reporting has been about delivering a lot of data to decision-makers, who then cannot wade through it all. For example, Steve Jobs, when conceiving the iPhone, didn’t say, “okay, give me a bunch of transistors and let’s try to put them together.” He said, “This is what the user experience ought to be, this is how it should interact with the user – let’s deliver that.” There is a bit of reorientation associated with these principles.

Risk: Is there a lot of scrutiny from supervisors on compliance with the principles?

Kathryn Kerle: Certainly, our supervisor is following progress closely. But it is hard work because adherence to the spirit of the regulation, as opposed to simply the law, entails thinking about governance issues, operating models, data definitions and possibly the role of risk in running the organisation.

Risk: Is the industry prepared for this change?

Richard Petti: Most participants are aware that an awful lot of attention has to go into this between now and 2016. Some industry data suggests up to $30 billion is going to be spent on risk aggregation technology in 2015, which is a 17% increase on 2014. So, the overall share of risk technology spending in a typical banking budget is going up. The level of preparedness today has a way to go, but a lot of money and time will be spent on the problem, and we’ll see a rapid increase for the next 18 months.

Kathryn Kerle: The industry is being encouraged to meet the letter of the law in a timely fashion. Unfortunately, that means the much longer job of dealing with the issues I alluded to earlier is being pushed aside, because there is not enough time to deal with it. Will we tick some boxes? I’m sure we will. Will we have the organisation the principles would encourage us to have? I hope we will, but it is a big ask for any bank to do that for the deadline of January 1, 2016.

I hope it will be possible to at least meet the letter of the law to an acceptable standard by the deadline, but to do so in a way that does not interfere with our ability to comply with the spirit of the law over a longer period. It could take five or 10 years to become the kind of organisation that is able to do this the way it needs to be done.

Marcus Cree: There is a real desire to put risk at the centre and to look at technology in a different way. You cannot just replace everything; that is not going to happen, it is too big a task. But we are being asked to do things in an order. It kicks off with the liquidity ratios coming through, then the counterparty exposures, then the principles in 2016.

Risk departments are keen to explore technology and to use this as an opportunity, remembering fundamentally what a financial institution does – it takes risks and arbitrages that risk for a return. We can now rebase what we do, so we are communicating the level of risk we are going to take. We can monitor that risk, and we can start using the best models we have across the organisation.

But, with the timeframes given and the order in which we are required to do things, there is a good chance we will miss that opportunity. Instead, we could end up ticking the boxes against some principles rather than fundamentally rebasing the way data is stored and used within the organisation, which is a shame, because the technology exists and it can be done.

Kathryn Kerle: The industry could ask itself what business it thinks it is in. One useful answer is that we are in the data and risk management business. This is an opportunity to make that happen. If we don’t have the data we need in order to know where we are from a risk management position, then we are not able to do what we are here to do.

We are in an age of digitalisation and there is a competitive imperative to be better at this. If we can embrace this set of principles and think about it strategically, it also can help us to be competitive in this digital environment. But the bugbear is the deadline, and how much we can do to comply with the letter of the law without distracting us from this central issue of getting risk at the heart of our business and getting our data where it needs to be.

Richard Petti: One of the things I see in BCBS 239 is that the issue of how data is managed is being elevated. Traditionally, it was something done in the engine room by technology guys, and it was a given. Now, it is being raised as a high-level issue that needs to be understood, monitored and followed through on. Asset Control sees in these principles things we have been advocating for many years. So, for us, this regulation reads as a natural way for enterprise data management to happen.

There is nothing new in what the principles are saying, other than the point at which the organisation has become responsible for data. People that have already addressed data management throughout the enterprise at a strategic level and have had management involvement early on will find it easier to meet these 2016 challenges.

Risk: Is it just about the difficulty of meeting the deadline, or is it also about the way the principles themselves are iterated?

Richard Petti: Looking at the outcomes required, the journey each institution has to undertake will be different. A lot depends on what legacy technology people are starting from. I have never seen a technology roadmap that has been finished as projected – plans change, and there are always things left undone. Today, banks have another change of direction to deal with, and they have to carry this baggage of previous investment and technology with them.

How banks take what they have and use that to reach these outcomes is going to be different. The silver lining is that, with all the investment made over the past 15 years in trading and risk systems, there is an awful lot of data available today at institutions. A lot of it just sits there and is perhaps used in a department or a single business line, but there is power in a vision that brings all this together and makes it useful. This directive is not asking for new information. It is simply a presentation exercise.

Risk: If the data is already available, what challenges lie in presenting it?

Kathryn Kerle: I would not agree that it is just about presentation, especially since I’m on the presenting end. My observation would be that you get deep into the weeds of epistemology very quickly. Take the agitation about Russia at the moment, as an example. What is our exposure to Russia? There is almost nothing in that sentence that is clearly defined. So what do we mean by Russia? Would that be our exposure to any borrower that is physically domiciled in Russia? Would it be our exposure to any borrower that is either domiciled in or guaranteed by someone that is domiciled in Russia? Would that be our exposure to anybody that is either of those two things plus does a lot of business with Russia?

Would that be at the subsidiary level or aggregated up to the parent level? Would we be thinking about where the majority of the operations are or where its headquarters are located? The booking location, or something else?

And what do we mean by exposure? Would that be any committed, but undrawn, exposure? Would that be any reputational commitments? Is that expected or actual? Would that be intraday? Would that be next day? It just goes on. You can get many different answers to those questions, which gives you an idea of what is difficult about it from a data perspective.

Other questions arise too, which have to do with things such as governance. Who needs to know what and for what purpose? What kind of decision needs to be made at what level? Who supplies the data? Is it accurate? The number of questions you can ask about something as simple as our exposure to Russia is extensive.

Marcus Cree: I do not agree that all the data is there. Recent regulation changes assume the most up-to-date technology is being used right now, which means ultrafast engines. Misys provides this – we can put everything in and it would be very fast, with masses of storage. But the fact is most institutions already have databases. They have created ways in which they can circumvent the past constraints related to storage.

For example, instead of storing every cashflow, an institution might store just the result, which means the underlying data is not necessarily there. It cannot query peak cashflow if using a liquidity example from the US. It can only ask about cumulative cashflow because that is what Europe asks for. Now, if that result is lost, the institute does not have that granularity to recreate it. If the firm reframes its risk appetite, it really has to look at it from a root and branch perspective. What does it want to see? What does it want to measure against?

If you have to re-implement the entire structure, it is not going to be successful. What you have to do is identify what works, how that can be linked to other things and then how to meet the principles. It becomes a way of identifying the fill-in technology. Not replacement technology, but augmenting what is already there to meet the regulation.

Risk: What does governance mean in this field, and is it a challenge?

Richard Petti: The issue of what high quality means under BCBS 239 is an interesting one – how to ensure the quality and the lineage of data. When you look at how data moves through systems in an institution, within individual applications there will be governance and understanding of what changes have been made. But there is no sense of the value chain or the logistics chain for that data.

If there is a system in the middle of a chain making a change, it is important from a governance perspective to understand whether that change is wanted. If it is wanted, it should be propagated, both upstream and downstream. If it is unwanted, it needs to be prevented. Looking at this quality issue across many applications is a big challenge. The starting point for any BCBS 239 policy is understanding where the data comes from, then asking “what does ‘high quality’ mean and how do I manage it?”

Reference data and prices is one of the trickiest areas in which to manage quality. Transaction data and model data are seen as the things to clamp on to, but a lot of volatility can come from how reference data and prices are managed, and how they are transmitted through the ecosystem up to an aggregated position. We are working with customers to help set a foundation on common inputs to all of these data models and transaction systems, which will then act as a base for adding reporting, aggregation and reporting elements under BCBS 239.

Risk: Do organisations now need to be more specific when querying their data?

Kathryn Kerle: I am now much more aware of the loaded nature of a seemingly innocent question. What do we mean by ‘country’? That is a question we’ve given a lot of thought to. We have done a lot of work to try to align the various definitions around ‘country’ that existed in the organisation.

Not all is perfect in terms of how we get everything lined up, but definitionally, at least, we’ve managed to achieve some consensus and are working towards having a generally consistent view, or at least to be aware of consciously choosing to take a different view. The point is to be aware of what your data means. So, when you are trying to interpret it, you are doing so with your eyes open.

We have spent a lot of time working on definitions of credit risk exposure and that has been a long exercise, but very useful in that we worked closely with the central credit team and credit risk experts across all of our business to look at each of the elements that make up credit risk exposure. Debt securities might be an example. What do we mean by debt security? How would we want to represent a credit exposure in connection with a debt security and to write it down and get general consensus on that? We are trying to get our systems to give us that information.

Risk: There is a big technology component to complying with the principles. Is this simply an IT project?

Kathryn Kerle: I have a great deal of respect for my colleagues in technology, but the risk function and bank management cannot just foist this off onto IT. If we believe data and risk management are really the heart of banking, why would we not want to have the business take ownership of what its data means? Would we not have the second line of defence risk take responsibility for what its data means, so that it can effectively review and challenge it?

If our central business is taking risk, the front line should own that, and own the information associated with it. Otherwise, they can’t know whether they are taking a risk or not. If the second line is in the business of offering review and challenge to the first line taking those risks then, again, we have to take ownership for the data that is required to do that. Otherwise, we cannot do our jobs. This has to be viewed as a strategic undertaking. It is an opportunity to put risk at the heart of managing the bank, not just giving it a seat at the table, but making it a partner, an equal with the front line.

Marcus Cree: This is a phenomenal opportunity, if you really want to use it. It is possible to position risk management as the conduit between the stated intentions in terms of the risks you want to take, and those actually being taken. So you have to start at the very top. Can my senior management discuss and explain the risks they want to take?

If they can articulate that, can the people that actually take the risks work within those parameters? Can they understand that as a concept? Take value-at-risk, for instance. Does it mean anything to a trader who is one of 1,000 people and has delta limits? At that point, you might say there is a problem. Metrics need to be agreed, we need to see whether the data is able to support analysis of that, and then we can assess what we need to augment it.

Measures are also implemented to stop the last crisis reoccurring, and the focus switches to those measures. Then you get completely blind-sided by what actually happens. That raises questions, but the granular data to answer them is not there, which is why an opportunity exists to look at it at a meta data level. To not worry about specific questions but, rather, to be able to ask any question. We could build flexible reporting and dashboards. We could have very quick aggregation. We could think about the fundamentals and then we can start asking questions.

Risk: Does the industry see the implementation of these principles as an opportunity to manage risk more effectively?

Richard Petti: It is a factor of time and money. No institution welcomes regulation with open arms, no matter how well-intentioned. The great danger here is of making this challenge into an expensive exercise, meaning management loses faith and loses interest. There is a foundation here to build an interesting roadmap for an enterprise risk system, which can be flexible and agile enough to deal with this set of regulatory requirements and others that will come. The challenge is timing it in such a way that there are enough successes and enough value coming out of it to ensure this doesn’t turn into a negative return on investment.

It is important that the value of this initiative is not over-expressed and oversold. It is a compliance exercise. You have to show that this is being done. But, with the right foundation technology, there is value to come after the regulatory checks and audits, and that is where the silver lining is.

Risk: Has compliance with the principles required a lot of investment in technology?

Kathryn Kerle: It is challenging. Our bank is large, and it has grown through acquisition, which means it has a lot of legacy systems. This raises an issue: the number of initiatives related to reporting data that have emerged post-crisis, and the scarcity of people with the necessary knowledge of the systems or the regulation, or the necessary talent, to handle them.

It is the same few subject matter experts who know the ins and outs of each system and can possibly squeeze something out of it or add onto it to respond to one of these initiatives. For a large organisation that has grown through acquisition, with a complex architecture of many vintages, the number of data requirements relative to the number of people who can do anything to address them is a huge challenge.

Risk: To summarise, what are the greatest benefits of the principles for financial organisations?

Richard Petti: The one that regulators are hoping will be a benefit, and which ultimately will be, is a change in culture. A lot of the risk analysis done today is ex-post analysis. It occurs after the trading day, end of week, end of month. Sometimes the reaction in terms of taking on risk, understanding it and analysing tolerance for it can be delayed.

If this information could be generated and distributed quickly and is available to all, the risk control function could become more immediate and more collaborative with the people taking on those risks. When suddenly an exposure emerges, the desk or the trader that is taking that on might be able to realise that much sooner.

If information is widely available, the risk work will have a democratising impact that will change working habits, and make banks more able to digest risk decisions in real time.

Kathryn Kerle: I agree. This is an opportunity to embed a risk culture in an organisation and to do it well. Thinking about risk needs to be something that is everybody’s business and, with the right tools, it can be.

Marcus Cree: Going through this process allows organisations to see exactly what they have already. Until it is asked for this level of transparency, an organisation might not be aware of how many taxonomies it has, how many models, how many data representations. This highlights an operational risk, which can be mitigated at the same time.

Done in the right way, compliance with the principles could lead to a sleeker, more aligned way of looking at risk. It also forces a fundamental question: “Can I ask a board member to express the risk we want to take and am I speaking in that language?” If you achieve that and nothing else, then that is an enormous step forward.
