Mirror, mirror: how does your risk data look?
Following the release of the Basel Committee on Banking Supervision’s Principles for Effective Risk Data Aggregation, middle and back office professionals in major financial centres now find themselves with a number of difficult questions that senior management must be able to answer and evidence. Many are faced with a collective action problem within their own firm as they try to form a view of where they stand.
In a nutshell, the introduction of these principles means that firms can no longer afford to cut corners. As of January 2013, firms are being pushed to assess how they collect, aggregate and report their data. Though this has always been done in the past, the new requirements necessitate fundamental changes so that firms can prove that both their current and future target operating models are understood, resourced, owned and governed properly.
So how ready are we to look into the risk data mirror and be satisfied with the result? Existing research shows that firms are at varied stages of preparedness. For instance, in a 2012 IIF survey, only 28% of firms surveyed said that data aggregation plans were complete within their firm. However, this was before the release of the BCBS’ Principles and so the number now looks to be even lower.
We advocate a strong self-assessment now: to figure out the size and cost of the problem, and secure budget; to keep up with risk management in the industry, and safeguard reputations; and to take advantage of the efficiencies that can be gained from good data management.
For this purpose, firms will need a checklist against which to validate their risk data aggregation capabilities.
Such a checklist should naturally be based upon the requirements themselves. However, this does not mean that the requirements are, in themselves, an adequate checklist. Many of the imperatives allow substantial room for interpretation. So when asked a vague question, such as ‘does your board promote the identification, assessment and management of risks to data quality?’ the tendency is to answer ‘yes, it does’.
But if the question the regulator is asking is ‘how do they do this?’ or ‘do they do it x times a year, or to y standard?’ then the answer is likely to be more hesitant. Hesitation is not good: it means that it is quite likely that the principle is ‘materially non-compliant’ and that significant actions are needed in order to achieve full compliance. Therefore, banks should first determine their own standards for compliance and then assess themselves more meaningfully against these.
There are many nuances in the principles and hence many grey areas. For example, in the governance space, banks are required to ‘consider’ risk data aggregation as part of any acquisition or divestiture. However, ‘consideration’, like many other critical concepts, clearly sits on a broad scale in terms of its breadth and depth of coverage.
Even within a more objective discipline like data architecture, a similar interpretative challenge is encountered. The principles ask for the monitoring of the accuracy of risk data. This clearly requires some kind of metric capable of judging accuracy. However, again, this can be seen on a scale: from a bare-bones estimate up to a comprehensive measurement.
Part of the self-assessment will therefore involve determining what this scale is for each of the imperatives within the principles, and then placing the firm’s target operating model somewhere on that scale. In placing the marker, firms will have to consider many things, including the marginal cost/benefit of moving up the scale, what other firms are doing, and the method of interpretation.
Another key differentiator in the governance example above is in the proof of the action taken. Tacit understanding cannot be verified, whereas a meeting can. Here it is important to note that ‘proof’ does not simply mean ‘auditability’. But, as a result of the principles, both internal staff and regulators will also be checking up on firms’ risk data aggregation. Therefore, when answering ‘yes’ to a question on the checklist, the assessor’s first follow-up question should always be ‘how can I prove this?’
This proof will also obviously take different forms depending on the context. For instance, any changes made to the governance level will probably rely on documentary evidence. Here, again, firms will have to decide what ‘documentary evidence’ means to them and where their target operating model is on a scale of different depths of proof.
Sometimes, after a long period of indulgence, it can be difficult to look into the mirror and confirm that your fitness regime has slipped. Firms should take the opportunity they have now to stand before the self-assessment mirror and identify the key changes that need to be made, before the regulators come knocking.