Financial Services

BCBS 239: LEARNING FROM PRIME MOVERS

AUTHORS
Mark James, Partner, Strategic IT & Operations
Paul Mee, Partner, Strategic IT & Operations
Pankaj Khanna, Principal, Finance & Risk and Strategic IT & Operations

Since the Basel Committee published the BCBS 239 Principles for Effective Risk Data Aggregation and Risk Reporting (RDARR) in 2013, banks everywhere have encountered major potholes on the road to compliance. Progress updates by the Institute of International Finance (IIF), the Bank for International Settlements (BIS), and others continue to raise questions about what leading banks can realistically hope to achieve. According to recent reviews:

• Fewer than half of the global systemically important banks (G-SIBs) say they are likely to be compliant by the 2016 deadline, keeping in mind that “compliance” refers to broad, non-prescriptive principles and is open to interpretation.
• The scope of risk reports varies widely among banks, ranging from 12 or fewer reports for some banks to more than 100 for others, once again highlighting the role of interpretation.
• Banks are struggling to understand the concrete business impact associated with BCBS 239; nearly 70 per cent of domestic systemically important banks (D-SIBs) and half of G-SIBs have not quantified the benefits.
• The investment spend by G-SIBs on RDARR is very significant, averaging US$230 MM per bank. These investment costs are likely to increase.
• Compliance dominates the IT and Operations change agenda and associated budgets. Additionally, expertise is significantly stretched as banks struggle to deploy risk, finance and IT professionals for the challenge at hand.

Money aside, banks lack sufficient risk, finance, and IT professionals for the job. Data subject matter experts are also in short supply. Some G-SIBs have dozens and even hundreds of open positions.

External pessimism is mirrored internally.
The latest self-assessments have also deteriorated markedly since the initial submissions: The Basel Committee has made the self-assessment more thorough and precise, and banks have learned more about regulatory expectations and the size of their gaps—and the complexity, cost, and effort needed to close them.

Now is the time for banks to review the direction and pace of their BCBS 239 compliance efforts. If program changes need to be made, executives should be aware and act while time remains. This paper explains the issues, and shares the experience of compliance first movers. Many lessons merit consideration as deadlines loom across the sector.

SLOWDOWN PROGNOSIS

There are many reasons why the road to compliance is slow and costly. Talent is scarce, and compliance places increased demand—and a premium—on the small group of busy experts. Programs often lack clear definition around strategic design choices and muddle tactical fixes with sustainable long-term solutions. Coordination and trade-offs across related initiatives in risk, finance, treasury, IT, front office, audit, compliance, and operations are hard to achieve.

Enhancing process and IT capabilities is tough enough, but meeting RDARR objectives requires more. It demands definition, clarity, and instilling enterprise-wide culture around data ownership, operational, and risk-management processes and eventually, business process change. For many organizations, the need for a change in culture itself becomes a major program risk. Senior management communications are often met with resistance from competing business and political agendas, and bottom-up initiatives are slow to take hold.

In some institutions, these factors create a vicious circle. When progress seems stalled and short-term improvements are hard to see, supporters become discouraged. The result is waning buy-in from the board, senior management, and multiple stakeholders.

Against this unpromising background, deadlines remain.
G-SIBs must satisfy regulators soon; qualifying D-SIBs and others typically have a longer runway. Varying demands and degrees of prescriptiveness by different regulators cloud the picture further. The prudent approach in most cases—pending regulatory discussion—should be for banks to focus on the most appropriate design and implementation decisions.

Although a key question is “what is required to get a passing grade at the deadline?,” banks should also ask: “What is the achievable plan for compliance and improvement in the medium to longer term?” In the process of meeting the first deadline, banks often neglect underlying data and reporting issues that will continue to cause pain and will demand future investment and rework. As one banking executive remarked wistfully, “We know we’ll be opening up the patient again after the compliance deadline.” The risk is not only of banks missing the target, but also a more fundamental one of pursuing the wrong target without fully realizing it and of not exploring the consequences.

MOVING SMARTLY

The experience of first movers is instructive for all banks, whether newly embarked or already on the bumpy road to compliance. The following questions will help those executives who are responsible for delivering RDARR to gauge whether the organization is on track:

1. Are our objectives realistic, feasible, and achievable, given the nature of the dependencies?
2. Can we draw a straight line from our efforts to the required compliance outcomes?
3. Will the program resolve our most pressing structural data aggregation and reporting issues?
4. Is the investment in the program structured to balance short-term and longer-term priorities?
5. Are we staying on top of our numerous and evolving regulatory expectations?

REALISTIC AND ACHIEVABLE PROGRAM SCOPE

Too many banks have discovered too late that they have bitten off more than they can chew.
Recognizing that each bank’s business model, complexity, risk appetite, and operations differ, there is no single right answer. One bank could invest hundreds of millions on an all-inclusive transformative data-management and reporting technology solution. Another bank of comparable size could opt to focus on compliance and governance solutions and spend substantially less on technology. It depends entirely on the particular scope, design choices, and approach to achieving compliance that a bank adopts so long as the outcome is robust and sustainable.

The decision on scope is a strategic one that involves numerous trade-offs. An easy, cheap, and pragmatic set of fixes may not solve underlying problems. Conversely, a more expansive, transformative and sophisticated solution may collapse under its own weight. Options that are likely to increase investment in the near term but yield long-term benefits include:

• Remediating data that not only affects risk but also intersects with finance and/or treasury
• Redesigning the risk IT architecture, or at least beginning the journey
• Moving to a leaner and more agile risk operating model
• Establishing official / authorized risk data staging and data provisioning arrangements
• Standardizing and / or re-engineering the reporting platform
• Rationalizing / simplifying data sourcing
• Addressing reference data issues, such as legal entity identifier (LEI)
• Remediating / cleansing historical data

In considering these strategic design choices, banks need to understand what minimum compliance means. It may entail re-engineering the whole data/reporting infrastructure, or it may mean instituting rigorous and effective governance of existing processes to get the job done. The answer will differ from bank to bank and from jurisdiction to jurisdiction.

The principal issue is a weighty one: Can the bank afford to postpone difficult and expensive infrastructure and process changes until after the compliance deadline?
Or are the changes essential to becoming compliant?

STRAIGHT LINE TO OUTCOMES

The next test is equally weighty: Will the investments and the changes being implemented lead to BCBS 239 compliance? For example, will the new enhanced risk-data-sourcing system and operating model move the bank from BIS assessment level three to level four? Often, the answer is not as clear as it should be. Banks are coming up with their own ways to find out.

Leading banks are using compliance critical path analysis and control frameworks to keep initiatives on track. They work backward from the final target, confirm where they need to be at each checkpoint, and identify the capabilities and changes necessary to meet those goals. For example, a U.S. G-SIB developed a compliance mini-scorecard for RDARR implementation to track progress specifically by principle and action at-risk items accordingly. With a clearer view of their progress vis-a-vis the compliance target, banks can more easily spot and strip away noncore asks or nice-to-haves.

RESOLVING THE MOST PRESSING DATA ISSUES

Which risk data are to be remediated? Typically, banks start by defining the reports that are core to making risk decisions. Then they—with input from key risk decision makers—triage and prioritize the data elements required for these reports, in line with requirements (see Exhibit 1).
At a minimum, these core reports should include the following:

• Reports to key internal stakeholders, including:
  − Board and senior strategy, controlling and risk-management bodies at group and entity level
  − Senior management and day-to-day risk decision makers
  − Incident/crisis assessment and management teams
  − Operational oversight and support teams including data, processes, and infrastructure
• Reports to all regulatory bodies, even if this was not the primary intention of RDARR
• Reports issued to other external stakeholders, both regularly and on an ad hoc basis

In some cases, the list of data elements can balloon into the hundreds or even thousands. From this vast pool, the most important risk data elements must be rapidly identified and winnowed for criticality. Top priority must go to those that are truly essential to managing and mitigating risk—both when times are stressful and when it is business as usual.

Exhibit 1: Identifying Data Elements for Remediation

STEP: Review and prioritize risk reports
DESCRIPTION
• Top-down collation of all key internal and externally shared risk reports; inclusion of key operational risk reports, dashboards and models
• Forced prioritization of long-list of reports, or subsets thereof, into buckets given materiality of metrics during business-as-usual and stress/crisis periods
PREREQUISITES
• At minimum a full repository of all reporting requirements and actual reports
• Ideally, an already stream-lined risk model landscape
• Board, senior management and subject matter expert (SME) input

STEP: Identify underlying data-fields
DESCRIPTION
• Extract all data fields from analytical models that support reporting and underlying analytics
• Identify overlaps, diverging definitions, gaps, and granularity required
• Step-by-step alignment (or delineation where necessary) of data definitions, model and taxonomy
PREREQUISITES
• Business and IT analyst assessment of reports against bank’s data taxonomy
• SME, management, data operations and IT input
• Agreed guidelines for maximum level of granularity for drill-down and level of data quality checks/control

STEP: Compile prioritized list of data elements for remediation
DESCRIPTION
• Forced allocation of identified data elements into prioritized remediation buckets
• Focus on shared cross-functional reference and other data elements
PREREQUISITES
• Clear prioritization of most critical data items/areas
• Reference data model to cross-check against
• Functional (Finance, Risk, Treasury, IT, etc.) SME involvement

BALANCING NEAR-TERM AND LONG-TERM INVESTMENT

Thus far, complying with BCBS 239 has involved more sticks than carrots. But banks should not overlook the carrots or their importance to stakeholders in compliance. As noted earlier, pinpointing RDARR’s benefits is often a deeply challenging exercise. However, without a clear picture of the upside of compliance, it is tempting to fix reports, data types, and the many and varied IT system items on a fragmented and isolated basis—dispersing sand grains of expenditure without any sense of what their collective effect may be.

In fact, banks can quantify likely capital and cost savings, as well as increased revenues from enhanced customer offerings—with clear caveats and assumptions. On the qualitative side, banks may become more efficient and agile (see Exhibit 2 below).

Regardless of the type of benefit anticipated, a believable benefits case needs to be grounded in reality and linked to the compliance schedule. With this perspective, a bank can weigh investment choices that go beyond compliance alone. For example, a major Canadian bank decided to deploy digital reporting, adding several million dollars to RDARR program costs. The bank is planning to eliminate or minimize paper reports, simplify processes, and increase efficiency while delivering more sophisticated and flexible risk management information.
Exhibit 2: Quantitative and Qualitative Benefits

RISK & FINANCE DATA SYSTEMS ARCHITECTURE REDESIGN AND INFRASTRUCTURE UPGRADE: COMPARISON OF TOTAL INVESTMENT BUDGET VS. QUANTITATIVE AND QUALITATIVE BENEFITS FOR MID-SIZE, MULTI-NATIONAL UNIVERSAL BANK

[Bar chart, USD MM: total 4-5 years budget for risk and finance data/systems revamp compared with quantitative benefits (1yr case). Values shown in the figure: 150–300; up to 100; up to 50; 10–15; 10–15; 25–30.]

QUANTITATIVE BENEFITS
• Capital savings from RWA reduction
• Cost savings from prevention of fines and costs of ad-hoc / ‘just in time’ compliance
• Cost savings from significantly reduced reconciliation efforts
• Cost savings from reduced recurring provisional fixes

QUALITATIVE BENEFITS
1. Improved regulatory compliance and engagement
2. Enhanced business decision-making
3. Improved client management and servicing
4. Agile pricing and strategic risk hedging
5. Protect and improve bank’s reputation
6. Rapid product development / modification
7. Significantly increased flexibility and reduced cost for implementing future internal and regulatory requirements
8. Reduction of diverted management and organizational attention and resource cost
9. Reduced manual intervention / remediation, greater job enrichment, skills leverage and satisfaction
10. Efficient stress/crisis management support

CHANGING REGULATORY EXPECTATIONS

What does it mean to be compliant? The answer varies. G-SIBs and other early movers have had an advantage. Many were able to negotiate at a time when the regulatory process was still in its infancy. With the passage of time, the positions of regulators have hardened, regional regulators have raised the bar, and banks have less wiggle room. In our view, regulations are likely to coalesce around the highest bar in the medium term.

To have a voice in the regulatory evolution, the more successful players engage with both regulators and other banks, participating in official international forums and local collective banking associations.
In addition to engagement, banks that have clear accountabilities and a comprehensive action plan (with regard to compliance deadlines and beyond) usually enjoy smoother and more productive regulatory dialogues. A typical supervisor wants to know that an executive is in control of the program and is following an achievable path to success. This means paying attention to governance, the most critical principle. It also means that the associated organizational arrangements, responsibilities, and accountabilities must be in place and be operational, in the case of both the RDARR program and the business-as-usual model for risk data management and risk reporting.

INCREASING CONFIDENCE AND PACE

The questions posed in this paper derive from the experience of first movers in compliance. Banks that can answer them in the affirmative should feel a welcome degree of confidence and assurance.

If, however, the answers are negative or uncertain, now is the time to pause and review. Consider undertaking a form of health-check regarding the direction, preparation, and pace of the bank’s efforts. If a bank’s BCBS 239 compliance program needs to be adjusted or even rerouted, it is best that executives know this while they have the time and the ability to align investment decisions and resources.

Oliver Wyman is a global leader in management consulting that combines deep industry knowledge with specialised expertise in strategy, operations, risk management, and organisation transformation.

www.oliverwyman.com

Copyright © 2015 Oliver Wyman. All rights reserved.