Upload
ashlynn-stewart
View
215
Download
0
Tags:
Embed Size (px)
Citation preview
AHMAD EL RADIMETAC BANKING SUPERVISION ADVISOR
BEIRUT, LEBANONJUNE 2-4 , 2015
Risk Data Aggregation
2
Risk Data Aggregation One of the most significant lessons learned from the
global financial crisis that began in 2007 was that banks’ information technology (IT) and data collection were inadequate to support the broad management of financial risks.
Many banks lacked the ability to aggregate risk exposures and identify concentrations quickly and accurately at the bank group level, across business lines and between legal entities.
This had severe consequences on the banks themselves and on the stability of the financial system as a whole.
3
Risk Data Aggregation
Basel Committee on Banking Supervision issued in January 2013 a set of principles to strengthen banks’ risk data aggregation and consolidation and internal risk reporting practices.
Implementing these principles is expected to enhance risk management and decision-making processes at bank’s group level.
4
Risk Data Aggregation Risk data aggregation is an important process
in consolidated and cross-border supervision.
This necessitates defining, gathering and processing risk data of a parent bank and its subsidiaries and affiliates, and having access on all information and data for controlling banking group risks.
5
Risk Data Aggregation Risk data collection and aggregation requires clear
policy and procedures that banking group should follow in order to have overview on the group’s risks. Adopting these policy and procedures will:
enhance the flow of reporting key information, particularly that used by the board and senior management to identify, monitor and manage risks;
Improve the decision-making process throughout the banking group;
6
Risk Data Aggregation Enhance the management of information
across legal entities, while facilitating a comprehensive assessment of risk exposures at a consolidated level;
Reduce the probability and severity of losses resulting from risk management weaknesses;
7
Risk Data Aggregation
Improve the speed at which information is available and hence, decisions can be made on timely basis; and
Improve the group’s quality of strategic planning and the ability to manage risks on a consolidated level.
8
Risk Data Aggregation A bank should have in place:
a strong governance framework, risk data architecture and IT infrastructure.
In particular, a bank’s board should oversee senior management’s ownership of implementing risk data aggregation and risk reporting procedures to meet the bank’s strategy.
9
Risk Data Aggregation
Banks should develop forward looking reporting system to provide early warnings of any potential breaches of risk limits on a stand alone as well as on a consolidated basis that may exceed the bank’s risk tolerance/appetite.
The risk reporting system should also allow banks to conduct a flexible and effective stress testing which is capable of providing forward-looking risk assessments.
Supervisors expect risk management reports to enable banks to anticipate problems and provide a forward looking assessment of risk.
10
Governance and Infrastructure A bank’s board and senior management
should review and approve the bank’s group risk data aggregation and risk reporting framework and ensure that adequate resources are deployed to ensure timely information and data flow.
11
Governance and Infrastructure A bank’s risk data aggregation and risk
reporting practices should be:
Fully documented and subject to high standards of validation.
Commensurate and appropriate for the bank's group risk profile.
12
Governance and Infrastructure A bank’s senior management should:
Be fully aware of and understand the limitations
that prevent full risk data aggregation, in terms of
coverage (e.g. risks not captured or subsidiaries
not included), or in legal terms (legal impediments
to data sharing across jurisdictions).
13
Governance and Infrastructure
Ensure that the bank’s IT plan includes ways to
improve risk data aggregation capabilities and risk
reporting practices and to remedy any
shortcomings.
IT plan should also identify data critical to risk
management and IT infrastructure, and support it
through the allocation of appropriate levels of
financial and human resources.
14
Governance and Infrastructure A bank’s board of directors is responsible for
determining its own risk reporting requirements and should be aware of limitations that prevent full risk data aggregation in the reports it receives.
15
Risk Data Aggregation Capabilities
A bank should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis so as to minimize the probability of errors.
16
Risk Data Aggregation Capabilities
Risk data should be reconciled with bank’s sources, including accounting data where appropriate, to ensure that the risk data is accurate.
A bank’s risk personnel should have sufficient access to risk data to ensure they can appropriately aggregate, validate and reconcile the data to risk reports, and hence effectively manage the banking group’s risks.
17
Risk Data Aggregation Capabilities
There should be an appropriate balance between automated and manual systems. Where professional judgments are required, human intervention may be appropriate. For many other processes, a higher degree of automation is desirable to reduce the risk of errors.
18
Risk Data Aggregation Capabilities
Supervisors expect banks to document and
explain all of their risk data aggregation
processes whether automated or manual.
Documentation should include an explanation of
the appropriateness of any manual
workarounds, a description of their criticality to
the accuracy of risk data aggregation and
proposed actions to reduce their impact.
19
Risk Data Aggregation Capabilities
Supervisors expect banks to measure and
monitor the accuracy of data and to develop
appropriate escalation channels and action
plans to be in place to rectify poor data quality.
20
Risk Data Aggregation Capabilities
The bank should be able to capture and aggregate all material risk data across the banking group including those that are off-balance sheet.
Data should be available by business line, legal entity, asset type, industry, region and other groupings, as relevant for the risk in question, that permit identifying and reporting risk exposures, concentrations and emerging risks at a group’s wide level.
21
Risk Data Aggregation Capabilities
Supervisors expect banks to produce aggregated risk data that is complete and to measure and monitor the completeness of their risk data.
Where risk data is not entirely complete, the impact should not be critical to the bank’s ability to manage its risks effectively.
Supervisors expect banks’ data to be materially complete, with any exceptions identified and explained.
22
Risk Data Aggregation Capabilities A bank should be able to generate aggregate
and up-to-date risk data in a timely manner while also meeting the accuracy and integrity, completeness and adaptability of this data.
The precise timing will also depend on the bank-specific frequency requirements for risk management reporting, under both normal and stress/crisis situations, based on the characteristics and overall risk profile of the bank.
23
Risk Data Aggregation Capabilities
Critical risks include but are not limited to:
(a) The aggregated credit exposure to a large corporate borrower;
(b) Counterparty credit risk exposures;
(c) Trading exposures, positions, operating limits, and market
concentrations by sector and region data;
(d) Liquidity risk indicators such as cash flows/settlements and
funding;
(e) All data to compute LCR and NSFR; and
(f) Operational risk indicators that are time-critical (e.g. systems
availability, unauthorized access).
24
Risk Data Aggregation Capabilities A bank should be able to generate aggregate
risk data to meet a broad range of on-demand, ad hoc risk management reporting requests, including requests during stress/crisis situations, requests due to changing internal needs and requests to meet supervisory queries.
25
Risk Data Aggregation Capabilities
Supervisors expect banks to be able to generate and split data based on requested scenarios or resulting from economic events.
For example, a bank should be able to
aggregate risk data quickly on country credit exposures at a specified date based on a list of countries, as well as on industry credit exposures based on a list of industry types across all business lines and geographic areas.
26
Risk Reporting Practices
To manage risk effectively, the right information needs to be presented to the right people at the right time.
Risk reports based on risk data should be accurate, clear and complete.
They should contain the correct information and be presented to the appropriate decision-makers in a time that allows for an appropriate response.
27
Risk Reporting Practices
To effectively achieve their objectives, risk reports should comply with the following:
Risk management reports should be accurate and
precise to ensure a bank’s board and senior
management can rely with confidence on the
aggregated information to make critical decisions
about risk .
28
Risk Reporting Practices To ensure the accuracy of the reports, a bank
should maintain, at a minimum, the following:
(a) Defined requirements and processes to
reconcile reports to risk data;
(b) Integrated procedures for identifying, reporting
and explaining data errors or weaknesses in data
integrity.
29
Risk Reporting Practices
Supervisors expect that a bank’s senior management is able to obtain data on timely basis for both regular and stress/crisis reporting, including critical position and exposure information.
Supervisors expect banks to consider accuracy requirements similar to accounting materiality. For example, if omission or misstatement could influence the risk decisions of users, this may be considered material.
30
Risk Reporting Practices
Risk management reports should include
exposure and position information on
consolidated basis for all significant risk areas
(e.g. credit risk, market risk, liquidity risk,
operational risk) and all significant components
of those risk areas (e.g. single name, country
and industry sector for credit risk.
31
Risk Reporting Practices
Reports should identify emerging risk concentrations, provide
information in the context of limits and risk appetite/tolerance
and propose recommendations for action where appropriate.
Risk reports should include the current status of measures
agreed by the board or senior management to reduce risk or
deal with specific risk situations. This includes providing the
ability to monitor data trends through forward-looking forecasts
and stress.
32
Risk Reporting Practices A consolidated risk report should include, but
not be limited to, the following information: o capital adequacy,o regulatory capital, o credit risk, o market risk,o operational risk,o liquidity risk, o stress testing results,o risk concentrations, o and funding positions and plans.
33
Risk Reporting Practices Supervisors expect that risk management
reports to the board and senior management provide a forward-looking assessment of risk and should not just rely on current and past data.
The reports should contain forecasts or scenarios for key market variables and the effects on the bank so as to inform the board and senior management of the likely trend of the bank’s capital and risk profile in the future.
34
Risk Reporting Practices
Risk management reports should communicate
information on consolidated basis in a clear
and concise manner.
Reports should be easy to understand yet
comprehensive enough to facilitate informed
decision-making.
Reports should include meaningful information
tailored to the needs of the recipients.
35
Risk Reporting Practices
Reports should include an appropriate balance between risk data, analysis and interpretation, and qualitative explanations.
The balance of qualitative versus quantitative information will vary at different levels within the bank and will also depend on the level of aggregation that is applied to the reports.
Higher levels in the bank, more aggregation is expected and therefore, a greater degree of qualitative interpretation will be necessary.
36
Risk Reporting Practices
The bank’s board is responsible for determining its own risk reporting requirements and complying with its obligations to shareholders and other relevant stakeholders.
The board should ensure that it is asking for and receiving relevant information that will allow it to fulfill its governance mandate relating to the bank and the risks to which it is exposed. This will allow the board to ensure it is operating within its risk tolerance/appetite.
37
Risk Reporting Practices
The board should alert senior management when risk reports do not meet its requirements and do not provide the right level and type of information to set and monitor adherence to the bank’s risk tolerance/appetite.
The board should indicate whether it is receiving the right balance of detail and quantitative versus qualitative information.
38
Risk Reporting Practices
Senior management is also a key recipient of risk reports and it is responsible for determining its own risk reporting requirements.
Senior management should ensure that it is receiving relevant information that will allow it to fulfill its management mandate relative to the bank and the risks to which it is exposed.
39
Risk Reporting Practices
Supervisors expect that risk reports will be clear and useful. Reports should reflect an appropriate balance between detailed data, qualitative discussion, explanation and recommended conclusions.
Supervisors expect a bank to confirm periodically that the information aggregated and reported is relevant and appropriate, in terms of both amount and quality, the governance and decision-making process.
40
Risk Reporting Practices
The board and senior management (or other recipients as appropriate) should set the frequency of risk management report production and distribution.
Frequency requirements should reflect the needs of the recipients, the nature of the risk reported, and the speed, at which the risk can change, as well as the importance of reports in contributing to sound risk management and effective and efficient decision-making across the bank.
The frequency of reports should be increased during times of stress/crisis.
41
Risk Reporting Practices
A bank should routinely test its ability to produce accurate reports within established timeframes, particularly in stress/crisis situations.
Supervisors expect that in times of stress/crisis all relevant and critical credit, market and liquidity position/exposure reports are available on consolidated basis within a very short period of time to react effectively to evolving risks.
Some position/exposure information may be needed immediately (intraday) to allow for timely and effective reactions.
42
Risk Reporting Practices Risk management reports should be distributed
to the relevant parties while ensuring confidentiality is maintained.
Procedures should be in place to allow for rapid collection and analysis of risk data and timely dissemination of reports to all appropriate recipients.
Supervisors expect a bank to confirm periodically that the relevant recipients in the bank receive timely reports.
43
Supervisory Review and Tools Supervisors should:
Have and use the appropriate tools and resources to require effective and timely remedial action by a bank to address deficiencies in its risk data aggregation capabilities and risk reporting.
Have the ability to use a range of tools, including Pillar 2 ICCAP and SREP.
Require effective and timely remedial action (s) by a bank to address deficiencies in its risk data aggregation capabilities and risk reporting practices and internal controls(to be explained in ICAAP reports).
44
Supervisory Review and Tools Have a range of tools at their disposal to
address material deficiencies in a bank’s risk data aggregation and reporting capabilities.
Such tools may include, but are not limited to: requiring a bank to take remedial action; increasing the intensity of supervision; requiring an independent review by a third party,
such as external auditors; and the possible use of capital add-ons.
45
Supervisory Review and Tools
Be able to set limits on a bank’s risks or the growth in their activities where deficiencies in risk data aggregation and reporting are assessed as causing significant weaknesses in risk management capabilities.
46
Supervisory Review and Tools
When a supervisor requires a bank to take remedial action, the supervisor should set a timetable for completion of the action.
Supervisors should have escalation procedures in place to require more stringent or accelerated remedial action (s) in the event that a bank does not adequately address the identified deficiencies.
47
Supervisory Review and Tools
Supervisors should cooperate with relevant supervisors in other jurisdictions regarding the collection of consolidated data related to the same banking group.
Effective cooperation and appropriate information sharing between the home and host supervisory authorities should contribute to the robustness of a bank’s risk management practices across a bank’s operations in multiple jurisdictions.
48
Supervisory Review and Tools
Cooperation can take the form of sharing of information within the constraints of applicable laws, as well as discussion between supervisors on a bilateral or multilateral basis (e.g. through colleges of supervisors), including, but not limited to, regular meetings. Communication by conference call and emails may be particularly useful in tracking required remedial actions.
49
Supervisory Review and Tools
Supervisors should discuss their experiences regarding the quality of risk data aggregation capabilities and risk reporting practices in different parts of the group.
This should include any impediments to risk data aggregation and risk reporting arising from cross-border issues and also whether risk data is distributed appropriately across the group. Such exchanges will enable supervisors to identify significant concerns at an early stage and to respond promptly and effectively.
50
Implementation of Risk Data Aggregation and Risk Reporting by SIBs
Many SIBs still rely on manual work in aggregating risk data, yet they:
Apply appropriate control; Establish data quality standard; Emphasize on high-impact risk data in the remedy
process of cross-border banks.
51
Implementation of Risk Data Aggregation and Risk Reporting by SIBs
Strategies for implementing risk data aggregation and
reporting:
Developing IT infrastructure to aggregate a broader range of risk
data automatically and reduce reliance on manual workarounds;
Automating data quality controls and improving reporting
capabilities associated with group-wide stress testing;
Improving systems to monitor and enforce credit limits status
across risk types and products;
Reconciling data between risk and finance, using appropriate
governance structure;
52
Implementation of Risk Data Aggregation and Risk Reporting by SIBs
Establishing data collection channels, processes and
procedures that encompass the development of
common classification and reference data so as to
facilitate data aggregation in times of stress/crisis;
Enhancing data aggregation capabilities to consolidate
data from branches and subsidiaries operating in other
jurisdictions and, more generally, developing
consolidated data stores for credit, market and
operational risks to expedite risk reporting and easier
reconciliation of risk data;
53
Implementation of Risk Data Aggregation and Risk Reporting by SIBs
Implementing programs aimed at meeting Basel III
regulatory requirements; and
Providing appropriate access to sufficient staff
with expert knowledge of risk control functions
and data so they are able to process ad-hoc data
report requests.
54
Supervisory Responsibilities
Supervisors should set principles and
requirements for risk data aggregation and
reporting;
Discuss with SIBs in the first stage on how to
implement these principles and requirements
and agree on a time-frame to implement
them;
55
Supervisory Responsibilities
Ensure that the senior management and board of
directors are directly involved in assessing progress
in implementation and identifying any obstacles for
full implementation of risk data aggregation;
Continue to actively exchange information on how
they intend to facilitate compliance or the remedy
of non-compliance.
56
THANK YOU