Council Summary of RDA Principles

Basel Principles for Effective Risk Data Aggregation
Risk data aggregation means defining, gathering and processing risk data to enable SIFIs to measure
performance against internal risk tolerance criteria. This includes the ability to sort, align, merge and
analyze multiple sets of data across the enterprise.
One of the lessons from 2007 was that banks lacked the ability to aggregate risk exposures or
identify concentrations quickly and accurately at the group level, across business lines or
between legal entities (weak data aggregation capabilities).
Basel issued supplemental Pillar 2 guidance to enhance banks’ ability to identify and
manage bank-wide risk. Sound risk management requires management of data at the
business and bank-wide level. Data must be available to comply with FSB Key Attributes of
Effective Resolution Regimes for financial institutions.
According to the Basel analysis, the industry is working on enhancing its data
management capabilities, but more progress is needed. The data risk reporting mandate
cannot/will not fade away. It doesn’t matter that the investment in IT and data
infrastructure is expensive (or that there is a long cycle for payback).
FSB international initiatives related to effective risk data aggregation include:
o Development of a set of supervisory expectations to ensure that data management
capabilities deliver data that is trusted to capture and aggregate risk
o Expectation that SIFIs will meet requirements by beginning of 2016
o Creation of a common template to capture key information (i.e. bilateral exposures
and exposures to countries, sectors and instruments)
o Implementation of LEI and its use for transaction and relationship reporting
SIFIs are expected to implement these principles by 2016 and will start assessing their
implementation beginning in 2013 (via self-assessment) and sharing with the FSB by the end
of 2013.
Adoption of these principles is expected to result in enhanced infrastructure for: reporting
key risk-related information (particularly for data used by the BOD and executive
management); improving decision making across the enterprise; improving management of
information across legal entities; accessing global consolidated risk exposure; reducing the
probability of loss from weak risk appetite; improving the speed of data availability; improving
the quality of strategic planning; and improving the ability to manage risk from new products.
The long-term value of improving risk management capabilities outweighs the initial investment
cost of enhancement. SIFIs have no choice – this must be implemented. And while this
report is directed to SIFIs, national supervisors may apply the principles to other
participants in the financial ecosystem as they think appropriate.
This report aligns with the “risk appetite framework” as defined by the Senior Banking
Supervisors Report (Observations on Developments in Risk Appetite Frameworks and IT
Infrastructure). The objectives of both reports work in alignment with each other.
This report is about risk management principles – but should also be applied to financial and
operational processes within the financial institution. These principles also apply to any
process that is outsourced to a 3rd party and are organized into four categories (governance,
risk data aggregation, risk reporting and supervisory review). These processes are described
separately but they are interconnected and need to be managed as part of an overall risk
appetite framework.
The Basel Committee will track progress toward compliance with these principles through
its Standards Implementation Group (SIG) from 2013. SIG is chaired by Charles Taylor,
Deputy Comptroller for Regulatory Policy at the Office of the Comptroller of the Currency.
Principle One: Strong governance over risk data aggregation capabilities is required.
This includes the definition of service level standards for all risk data-related processes. The
Board and senior management are accountable for risk data oversight.
Risk data practices need to be fully documented and subject to independent validation to
review the appropriateness/effectiveness and quality of the governance. Independent
validation refers to an entity with specific data and reporting knowledge (working in
conjunction with the internal audit function).
Data oversight extends to new initiatives, acquisitions or divestitures, new product
development and large scale change activities (integration and data alignment)
Risk data limitations need to be articulated to the BOD with a plan for remediation
Principle Two: IT infrastructure and architecture need to support risk data aggregation
capabilities both in normal times and in times of stress
Risk data aggregation is to be considered as part of the BCP of the bank
The bank should establish integrated data taxonomies and architecture across the
enterprise (including information on the characteristics of metadata, the use of standard
identifiers, and standard naming conventions for data). This does not mean a single data
model – rather a mechanism for alignment, concordance and reconciliation.
Roles and responsibilities for data (stewards, owners) need to be implemented to ensure
data quality, implement control processes, align data with standard definitions and ensure
that data can be aggregated
Principle Three: Risk reports should be accurate in times of stress and (largely) automated to
minimize errors
Controls for risk data should be as rigorous as those for accounting data
A single authoritative source of risk data is ideal
The bank should maintain a standard “dictionary” of risk concepts and implement the
standard definitions across the enterprise
The risk data management process needs to be precisely defined and documented (banks
must demonstrate provenance over their risk data management processes)
Data accuracy must be measurable with traceability to root cause
Principle Four: Risk data must be complete and captured/aggregated across the enterprise
Risk data aggregation must be complete (including those instruments, business activities
and transactions that are off balance sheet)
The measurement of risk (methodologies, calculation processes) needs to be transparent
and complete
Principle Five: Risk data must be timely (although timing can vary according to risk profile)
Timing is not prescriptive but will depend on the type of data and the type of risk
Specific call outs include: aggregated credit exposure to a large corporate borrower (via
watchlists), counterparty credit risk exposures (i.e. derivatives), trading exposure, positions,
operating limits, market concentrations, liquidity risk indicators (i.e. cash flow/settlement
and funding) and operational risk indicators
Principle Six: Risk data systems should be able to meet on-demand, ad hoc risk management
reporting requests (particularly during crisis situations)
Get ready for ad hoc, on-demand reporting (and specific scenario based analysis)
Tools and dashboards for risk data analytics are required
Flexibility based on new business development, external factors, bank profiles and changes
in the regulatory framework is required
Principle Seven: Risk data must be accurate and the firm must be able to reconcile/validate
Executive management must be able to rely on the output of the risk data reporting
system (trust and confidence in the data must be assured)
Accuracy includes defined requirements/processes, reasonableness checks, validation
rules, conventions for risk calculations, exception management, precision tolerance ranges
The litmus test for risk data is analogous to that for accounting materiality
Principle Eight: Risk data must be comprehensive and cover all material risk areas across the
All significant risk areas (i.e. credit, market, liquidity, operational) and risk objectives (i.e.
single name, country and sector exposure) need to be included in the risk reporting process
Risk concentration needs to be evaluated in terms of the risk appetite/tolerance of the firm
Completeness is based on the firm's business models and risk profiles but the criteria for
determining completeness need to be transparent
Proactive and forward-looking risk analysis is required
Principle Nine: Risk management reports need to be clear, concise and comprehensive
Risk data needs to be meaningful and actionable. Risk aggregation needs to be transparent
and traceable
Risk reporting requirements are not standardized but need to be precisely defined by the
individual financial institution. Risk reporting gaps need to be tracked and reconciled
Senior management is accountable for risk reporting
Principle Ten: The frequency of risk reporting is determined by the financial institution and
adjusted based on circumstance
Risk reporting frequency varies based on type of risk and recipient
Quick reporting in times of crisis is required
Principle Eleven: Risk reports are to be distributed to all relevant stakeholders
Procedures to facilitate rapid collection, analysis and distribution are needed
Regulatory audits of risk data collection processes are likely
Principle Twelve: Banking Supervisors will periodically audit banks on the risk data principles
Compliance with the principles of risk data aggregation will be monitored
The supervisory audit process is not standard.
Principle Thirteen: Supervisors have authority to ensure remediation of risk data management
Compliance with risk data aggregation is mandatory
Supervisors have lots of tools to ensure compliance (i.e. supervision intensity, 3rd party
audit, capital add-ons, limits on activity, pre-authorization requirements)
Principle Fourteen: Cooperation across regulatory regimes will take place
Risk oversight is a global objective and many of the players are universal banks.
Cooperation among regulators is necessary