AHMAD EL RADI METAC BANKING SUPERVISION ADVISOR BEIRUT, LEBANON JUNE 2-4, 2015 Risk Data Aggregation

AHMAD EL RADIMETAC BANKING SUPERVISION ADVISOR

BEIRUT, LEBANONJUNE 2-4 , 2015

Risk Data Aggregation

2

Risk Data Aggregation One of the most significant lessons learned from the

global financial crisis that began in 2007 was that banks’ information technology (IT) and data collection were inadequate to support the broad management of financial risks.

Many banks lacked the ability to aggregate risk exposures and identify concentrations quickly and accurately at the bank group level, across business lines and between legal entities.

This had severe consequences on the banks themselves and on the stability of the financial system as a whole.

3


Basel Committee on Banking Supervision issued in January 2013 a set of principles to strengthen banks’ risk data aggregation and consolidation and internal risk reporting practices.

Implementing these principles is expected to enhance risk management and decision-making processes at bank’s group level.

4

Risk Data Aggregation Risk data aggregation is an important process

in consolidated and cross-border supervision.

This necessitates defining, gathering and processing risk data of a parent bank and its subsidiaries and affiliates, and having access on all information and data for controlling banking group risks.

5

Risk Data Aggregation Risk data collection and aggregation requires clear

policy and procedures that banking group should follow in order to have overview on the group’s risks. Adopting these policy and procedures will:

enhance the flow of reporting key information, particularly that used by the board and senior management to identify, monitor and manage risks;

Improve the decision-making process throughout the banking group;

6

Risk Data Aggregation Enhance the management of information

across legal entities, while facilitating a comprehensive assessment of risk exposures at a consolidated level;

Reduce the probability and severity of losses resulting from risk management weaknesses;

7


Improve the speed at which information is available and hence, decisions can be made on timely basis; and

Improve the group’s quality of strategic planning and the ability to manage risks on a consolidated level.

8

Risk Data Aggregation A bank should have in place:

a strong governance framework, risk data architecture and IT infrastructure.

In particular, a bank’s board should oversee senior management’s ownership of implementing risk data aggregation and risk reporting procedures to meet the bank’s strategy.

9


Banks should develop forward looking reporting system to provide early warnings of any potential breaches of risk limits on a stand alone as well as on a consolidated basis that may exceed the bank’s risk tolerance/appetite.

The risk reporting system should also allow banks to conduct a flexible and effective stress testing which is capable of providing forward-looking risk assessments.

Supervisors expect risk management reports to enable banks to anticipate problems and provide a forward looking assessment of risk.

10

Governance and Infrastructure A bank’s board and senior management

should review and approve the bank’s group risk data aggregation and risk reporting framework and ensure that adequate resources are deployed to ensure timely information and data flow.

11

Governance and Infrastructure A bank’s risk data aggregation and risk

reporting practices should be:

Fully documented and subject to high standards of validation.

Commensurate and appropriate for the bank's group risk profile.

12

Governance and Infrastructure A bank’s senior management should:

Be fully aware of and understand the limitations

that prevent full risk data aggregation, in terms of

coverage (e.g. risks not captured or subsidiaries

not included), or in legal terms (legal impediments

to data sharing across jurisdictions).

13

Governance and Infrastructure

Ensure that the bank’s IT plan includes ways to

improve risk data aggregation capabilities and risk

reporting practices and to remedy any

shortcomings.

IT plan should also identify data critical to risk

management and IT infrastructure, and support it

through the allocation of appropriate levels of

financial and human resources.

14

Governance and Infrastructure A bank’s board of directors is responsible for

determining its own risk reporting requirements and should be aware of limitations that prevent full risk data aggregation in the reports it receives.

15

Risk Data Aggregation Capabilities

A bank should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis so as to minimize the probability of errors.

16


Risk data should be reconciled with bank’s sources, including accounting data where appropriate, to ensure that the risk data is accurate.

A bank’s risk personnel should have sufficient access to risk data to ensure they can appropriately aggregate, validate and reconcile the data to risk reports, and hence effectively manage the banking group’s risks.

17


There should be an appropriate balance between automated and manual systems. Where professional judgments are required, human intervention may be appropriate. For many other processes, a higher degree of automation is desirable to reduce the risk of errors.

18


Supervisors expect banks to document and

explain all of their risk data aggregation

processes whether automated or manual.

Documentation should include an explanation of

the appropriateness of any manual

workarounds, a description of their criticality to

the accuracy of risk data aggregation and

proposed actions to reduce their impact.

19


Supervisors expect banks to measure and

monitor the accuracy of data and to develop

appropriate escalation channels and action

plans to be in place to rectify poor data quality.

20


The bank should be able to capture and aggregate all material risk data across the banking group including those that are off-balance sheet.

Data should be available by business line, legal entity, asset type, industry, region and other groupings, as relevant for the risk in question, that permit identifying and reporting risk exposures, concentrations and emerging risks at a group’s wide level.

21


Supervisors expect banks to produce aggregated risk data that is complete and to measure and monitor the completeness of their risk data.

Where risk data is not entirely complete, the impact should not be critical to the bank’s ability to manage its risks effectively.

Supervisors expect banks’ data to be materially complete, with any exceptions identified and explained.

22

Risk Data Aggregation Capabilities A bank should be able to generate aggregate

and up-to-date risk data in a timely manner while also meeting the accuracy and integrity, completeness and adaptability of this data.

The precise timing will also depend on the bank-specific frequency requirements for risk management reporting, under both normal and stress/crisis situations, based on the characteristics and overall risk profile of the bank.

23


Critical risks include but are not limited to:

(a) The aggregated credit exposure to a large corporate borrower;

(b) Counterparty credit risk exposures;

(c) Trading exposures, positions, operating limits, and market

concentrations by sector and region data;

(d) Liquidity risk indicators such as cash flows/settlements and

funding;

(e) All data to compute LCR and NSFR; and

(f) Operational risk indicators that are time-critical (e.g. systems

availability, unauthorized access).

24

Risk Data Aggregation Capabilities A bank should be able to generate aggregate

risk data to meet a broad range of on-demand, ad hoc risk management reporting requests, including requests during stress/crisis situations, requests due to changing internal needs and requests to meet supervisory queries.

25


Supervisors expect banks to be able to generate and split data based on requested scenarios or resulting from economic events.

For example, a bank should be able to

aggregate risk data quickly on country credit exposures at a specified date based on a list of countries, as well as on industry credit exposures based on a list of industry types across all business lines and geographic areas.

26

Risk Reporting Practices

To manage risk effectively, the right information needs to be presented to the right people at the right time.

Risk reports based on risk data should be accurate, clear and complete.

They should contain the correct information and be presented to the appropriate decision-makers in a time that allows for an appropriate response.

27


To effectively achieve their objectives, risk reports should comply with the following:

Risk management reports should be accurate and

precise to ensure a bank’s board and senior

management can rely with confidence on the

aggregated information to make critical decisions

about risk .

28

Risk Reporting Practices To ensure the accuracy of the reports, a bank

should maintain, at a minimum, the following:

(a) Defined requirements and processes to

reconcile reports to risk data;

(b) Integrated procedures for identifying, reporting

and explaining data errors or weaknesses in data

integrity.

29


Supervisors expect that a bank’s senior management is able to obtain data on timely basis for both regular and stress/crisis reporting, including critical position and exposure information.

Supervisors expect banks to consider accuracy requirements similar to accounting materiality. For example, if omission or misstatement could influence the risk decisions of users, this may be considered material.

30


Risk management reports should include

exposure and position information on

consolidated basis for all significant risk areas

(e.g. credit risk, market risk, liquidity risk,

operational risk) and all significant components

of those risk areas (e.g. single name, country

and industry sector for credit risk.

31


Reports should identify emerging risk concentrations, provide

information in the context of limits and risk appetite/tolerance

and propose recommendations for action where appropriate.

Risk reports should include the current status of measures

agreed by the board or senior management to reduce risk or

deal with specific risk situations. This includes providing the

ability to monitor data trends through forward-looking forecasts

and stress.

32

Risk Reporting Practices A consolidated risk report should include, but

not be limited to, the following information: o capital adequacy,o regulatory capital, o credit risk, o market risk,o operational risk,o liquidity risk, o stress testing results,o risk concentrations, o and funding positions and plans.

33

Risk Reporting Practices Supervisors expect that risk management

reports to the board and senior management provide a forward-looking assessment of risk and should not just rely on current and past data.

The reports should contain forecasts or scenarios for key market variables and the effects on the bank so as to inform the board and senior management of the likely trend of the bank’s capital and risk profile in the future.

34


Risk management reports should communicate

information on consolidated basis in a clear

and concise manner.

Reports should be easy to understand yet

comprehensive enough to facilitate informed

decision-making.

Reports should include meaningful information

tailored to the needs of the recipients.

35


Reports should include an appropriate balance between risk data, analysis and interpretation, and qualitative explanations.

The balance of qualitative versus quantitative information will vary at different levels within the bank and will also depend on the level of aggregation that is applied to the reports.

Higher levels in the bank, more aggregation is expected and therefore, a greater degree of qualitative interpretation will be necessary.

36


The bank’s board is responsible for determining its own risk reporting requirements and complying with its obligations to shareholders and other relevant stakeholders.

The board should ensure that it is asking for and receiving relevant information that will allow it to fulfill its governance mandate relating to the bank and the risks to which it is exposed. This will allow the board to ensure it is operating within its risk tolerance/appetite.

37


The board should alert senior management when risk reports do not meet its requirements and do not provide the right level and type of information to set and monitor adherence to the bank’s risk tolerance/appetite.

The board should indicate whether it is receiving the right balance of detail and quantitative versus qualitative information.

38


Senior management is also a key recipient of risk reports and it is responsible for determining its own risk reporting requirements.

Senior management should ensure that it is receiving relevant information that will allow it to fulfill its management mandate relative to the bank and the risks to which it is exposed.

39


Supervisors expect that risk reports will be clear and useful. Reports should reflect an appropriate balance between detailed data, qualitative discussion, explanation and recommended conclusions.

Supervisors expect a bank to confirm periodically that the information aggregated and reported is relevant and appropriate, in terms of both amount and quality, the governance and decision-making process.

40


The board and senior management (or other recipients as appropriate) should set the frequency of risk management report production and distribution.

Frequency requirements should reflect the needs of the recipients, the nature of the risk reported, and the speed, at which the risk can change, as well as the importance of reports in contributing to sound risk management and effective and efficient decision-making across the bank.

The frequency of reports should be increased during times of stress/crisis.

41


A bank should routinely test its ability to produce accurate reports within established timeframes, particularly in stress/crisis situations.

Supervisors expect that in times of stress/crisis all relevant and critical credit, market and liquidity position/exposure reports are available on consolidated basis within a very short period of time to react effectively to evolving risks.

Some position/exposure information may be needed immediately (intraday) to allow for timely and effective reactions.

42

Risk Reporting Practices Risk management reports should be distributed

to the relevant parties while ensuring confidentiality is maintained.

Procedures should be in place to allow for rapid collection and analysis of risk data and timely dissemination of reports to all appropriate recipients.

Supervisors expect a bank to confirm periodically that the relevant recipients in the bank receive timely reports.

43

Supervisory Review and Tools Supervisors should:

Have and use the appropriate tools and resources to require effective and timely remedial action by a bank to address deficiencies in its risk data aggregation capabilities and risk reporting.

Have the ability to use a range of tools, including Pillar 2 ICCAP and SREP.

Require effective and timely remedial action (s) by a bank to address deficiencies in its risk data aggregation capabilities and risk reporting practices and internal controls(to be explained in ICAAP reports).

44

Supervisory Review and Tools Have a range of tools at their disposal to

address material deficiencies in a bank’s risk data aggregation and reporting capabilities.

Such tools may include, but are not limited to: requiring a bank to take remedial action; increasing the intensity of supervision; requiring an independent review by a third party,

such as external auditors; and the possible use of capital add-ons.

45

Supervisory Review and Tools

Be able to set limits on a bank’s risks or the growth in their activities where deficiencies in risk data aggregation and reporting are assessed as causing significant weaknesses in risk management capabilities.

46


When a supervisor requires a bank to take remedial action, the supervisor should set a timetable for completion of the action.

Supervisors should have escalation procedures in place to require more stringent or accelerated remedial action (s) in the event that a bank does not adequately address the identified deficiencies.

47


Supervisors should cooperate with relevant supervisors in other jurisdictions regarding the collection of consolidated data related to the same banking group.

Effective cooperation and appropriate information sharing between the home and host supervisory authorities should contribute to the robustness of a bank’s risk management practices across a bank’s operations in multiple jurisdictions.

48


Cooperation can take the form of sharing of information within the constraints of applicable laws, as well as discussion between supervisors on a bilateral or multilateral basis (e.g. through colleges of supervisors), including, but not limited to, regular meetings. Communication by conference call and emails may be particularly useful in tracking required remedial actions.

49


Supervisors should discuss their experiences regarding the quality of risk data aggregation capabilities and risk reporting practices in different parts of the group.

This should include any impediments to risk data aggregation and risk reporting arising from cross-border issues and also whether risk data is distributed appropriately across the group. Such exchanges will enable supervisors to identify significant concerns at an early stage and to respond promptly and effectively.

50

Implementation of Risk Data Aggregation and Risk Reporting by SIBs

Many SIBs still rely on manual work in aggregating risk data, yet they:

Apply appropriate control; Establish data quality standard; Emphasize on high-impact risk data in the remedy

process of cross-border banks.

51


Strategies for implementing risk data aggregation and

reporting:

Developing IT infrastructure to aggregate a broader range of risk

data automatically and reduce reliance on manual workarounds;

Automating data quality controls and improving reporting

capabilities associated with group-wide stress testing;

Improving systems to monitor and enforce credit limits status

across risk types and products;

Reconciling data between risk and finance, using appropriate

governance structure;

52


Establishing data collection channels, processes and

procedures that encompass the development of

common classification and reference data so as to

facilitate data aggregation in times of stress/crisis;

Enhancing data aggregation capabilities to consolidate

data from branches and subsidiaries operating in other

jurisdictions and, more generally, developing

consolidated data stores for credit, market and

operational risks to expedite risk reporting and easier

reconciliation of risk data;

53


Implementing programs aimed at meeting Basel III

regulatory requirements; and

Providing appropriate access to sufficient staff

with expert knowledge of risk control functions

and data so they are able to process ad-hoc data

report requests.

54

Supervisory Responsibilities

Supervisors should set principles and

requirements for risk data aggregation and

reporting;

Discuss with SIBs in the first stage on how to

implement these principles and requirements

and agree on a time-frame to implement

them;

55

Supervisory Responsibilities

Ensure that the senior management and board of

directors are directly involved in assessing progress

in implementation and identifying any obstacles for

full implementation of risk data aggregation;

Continue to actively exchange information on how

they intend to facilitate compliance or the remedy

of non-compliance.

56

THANK YOU

Documents

AHMAD EL RADI METAC BANKING SUPERVISION ADVISOR BEIRUT, LEBANON JUNE 2-4, 2015 Risk Data Aggregation