Copyright 2013 Oliver Wyman 4

Transcription

1

2 ABOUT THE AUTHORs Mark James is a Partner and Head of the Strategic IT & Operations practice for the Asia Pacific region, based in Singapore mark.james@oliverwyman.com Paul Mee is a Partner and Head of the Strategic IT & Operations practice for the UK/EMEA region, based in London paul.mee@oliverwyman.com Pankaj Khanna is a Principal in Finance & Risk and Strategic IT & Operations, based in London pankaj.khanna@oliverwyman.com Patrick Ryan is a Principal in the Strategic IT & Operations practice, based in Singapore patrick.ryan@oliverwyman.com

3

4 cover governance and capabilities related to risk data management, the way data is aggregated, the way it is reported and the role of supervisors in ensuring adherence. While ostensibly focused on risk data, the principles are ultimately about enabling timely, consistent and informed decision-making across the bank. We anticipate that the implications across bank operations will be broad and deep, as illustrated in Exhibit 1. In the first instance, these principles apply to Global Systemically Important Banks (G-SIBs), who need to adhere by the end of 2015 and are expected to undertake self-assessments and produce remediation plans later this year. Domestic SIBs (D-SIBs) are expected to be exposed to similar requirements in due course. The BCBS document calls for adherence within three years of a bank being designated a G-SIB or D-SIB. More generally, we expect that these BCBS principles will provide a minimum standard for national supervisors, many of whom have already made statements calling for better data quality. For many banks current risk data aggregation and risk reporting arrangements fall far short of the BCBS principles. Short term, manual work-arounds are unlikely to appease regulators let alone upgrade capabilities; and pressure to make improvements quickly has magnified. The extent, intensity and pace of change called for will therefore be significant. Those banks unable to adhere to the principles within the deadline will be subject to consequences imposed by their regulators. Those banks failing to adapt and advance are likely to also suffer competitive disadvantages, as rivals benefit from the improved decision-making that comes from using heightened intelligence derived from better, faster, fit-for-purpose data. In this Oliver Wyman report we proffer a three-point plan to go beyond basic adherence to the principles and architect a strategic capability that will represent a step-change in a given bank s decision-making and performance. While certainly a demanding task, we believe it requires a prominent place on the enterprise agenda 2. 2 See the recent Oliver Wyman State of the Financial Services Industry, 2013 report where we discuss the importance of information for the industry, Copyright 2013 Oliver Wyman 4

5 1. SELF-ASSESS We advocate a two-step approach to assessing readiness to meet the BCBS principles. First, examine your ability to satisfy each principle at a high level across the risk management operating model (i.e. policies, processes and systems), considering your current key data aggregation and reporting challenges. Then delve into specific risk management processes in order to detail the size and scope of gaps. Consider principle 1: Governance A bank s risk data aggregation capabilities and risk reporting practices should be subject to strong governance consistent with other principles and guidance established by the Basel Committee. Who should assume accountability for improving risk data management, aggregation and reporting capabilities? Rarely is there an obvious answer. Risk data by its nature is a shared asset. Transaction data originates in front office systems and customer databases are maintained by front or middle office with data input from a variety of sources. Similarly, risk data outputs are used outside the risk department. Key data elements often need to reconcile and report alongside inputs from finance and treasury departments. Risk-based pricing is controlled in part by the front office. Risk metrics are reported and used throughout the bank, including business heads, finance and treasury. We advised a G-SIB on this very problem as they completed a preliminary self-assessment against the BCBS principles, as illustrated in case study 1. Now consider principles 3 and 4: Accuracy and integrity A bank should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis so as to minimise the probability of errors. Completeness A bank should be able to capture and aggregate all material risk data across the banking group. Data should be available by business line, legal entity, asset type, industry, region and other groupings that permit identifying and reporting risk exposures, concentrations and emerging risks. Exhibit 2: MANUAL PROCESSES OFTEN THE ROOT CAUSE OF POOR DATA QUALITY KEY STATISTICS (MONTHLY) Manual uploads Manual adjustments Hand-offs EXAMPLES Credit risk grade IFRS provisioning Customer segmentation Missing customer identification and missing customer information Non-CSA Collateral Accounting should-be data (Prod. Ctrl IT) Separate table with manual LGD calculations for specific loans (Data Mart IT) Separate checks NUMBER OF MANUAL ACTIVITIES PERFORMED 150 Check data in DW to ensure successful manual GM data upload Check for consistency between data mart table and Basel input table Copyright 2013 Oliver Wyman 5

6

7

8

9 3. STRATEGY AND IMPLEMENTATION PLAN Having assessed existing capabilities against the principles, banks should move to concluding preparations by developing a strategy to upgrade risk data management, aggregation and reporting. The strategy should address the issues and opportunities identified, and include target state designs and implementation plans for governance, processes, data architecture, systems and reporting tools across all stakeholder groups. As illustrated in case study 2, some banks are considering an ambitious strategic response to the BCBS principles. Given the broad ambition in the BCBS principles, banks will need to make assumptions when designing their target state. For example, BCBS 239 calls for adaptability and the ability to aggregate and report data during stress/crisis situations without specifying what constitutes a stress or crisis situation. Significant market liquidity events such as that which followed the Lehman Brothers bankruptcy would certainly apply. Would recent natural disasters in New York (Superstorm Sandy) and Thailand (floods) also qualify? Many banks were unable to function at 100% during these events, nor manage the resulting risks and business impact. Rather than develop contingency plans for individual crises we advise banks to develop playbooks that would apply to a range of scenarios. Banks are also bound to face issues that have bedevilled them in the past: for example how to get risk, finance and treasury departments to see eye to eye on management information and reporting, or build common components across overlapping data architectures and processes. Banks should therefore stress test their strategies from a variety of angles to ensure they are flexible and robust while balancing the inherent trade-offs between investment costs and value creation. * * * * * Banks can gain a clear competitive advantage by improving risk data management, aggregation and reporting capabilities and as a result decision-making and business performance. Regulators are clearly concerned that banks make decisions based upon accurate, timely and comprehensive risk reporting; especially in times of stress. Banks would benefit most if they took a comprehensive and strategic approach in adopting the principles rather than approach it as yet another compliance exercise. After all, effective data driven decision making can be life-saving at a time of crisis, and essential in setting long term strategy and managing the business day-to-day. In fact, we wonder how data remained off the agenda for so long. Copyright 2013 Oliver Wyman 9

10

11 Appendix: The 14 BCBS principles for effective risk data aggregation and risk reporting Overarching governance and infrastructure 1. Governance A bank s risk data aggregation capabilities and risk reporting practices should be subject to strong governance consistent with other principles and guidance established by the Basel Committee. 2. Data architecture and IT infrastructure A bank should design, build and maintain data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis, while still meeting the other principles. Risk data aggregation capabilities 3. Accuracy and Integrity A bank should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis so as to minimise the probability of errors. 4. Completeness A bank should be able to capture and aggregate all material risk data across the banking group. Data should be available by business line, legal entity, asset type, industry, region and other groupings that permit identifying and reporting risk exposures, concentrations and emerging risks. 5. Timliness A bank should be able to generate aggregate and up to date risk data in a timely manner while also meeting the principles relating to accuracy and integrity, completeness and adaptability. The precise timing will depend upon the nature and potential volatility of the risk being measured as well as its criticality to the overall risk profile of the bank. This timeliness should meet bank-established frequency requirements for normal and stress/crisis risk management reporting. 6. Adaptability A bank should be able to generate aggregate risk data to meet a broad range of on-demand, ad hoc risk management reporting requests, including requests during crisis situations, requests due to changing internal needs and requests to meet supervisory queries. Risk reporting practices 7. Accuracy Risk management reports should accurately and precisely convey aggregated risk data and reflect risk in an exact manner. Reports should be reconciled and validated. 8. Comprehensiveness Risk management reports should cover all material risk areas within the organisation. The depth and scope of these reports should be consistent with the size and complexity of the bank s operations and risk profile, as well as the requirements of the recipients. 9. Clarity Risk management reports should communicate information in a clear and concise manner. Reports should be easy to understand yet comprehensive enough to facilitate informed decision-making. Reports should include an appropriate balance between risk data, analysis and interpretation, and qualitative explanations. 10. Frequency The board and senior management (or other recipients as appropriate) should set the frequency of risk management report production and distribution. Frequency requirements should reflect the needs of the recipients, the nature of the risk reported, and the speed at which the risk can change, as well as the importance of reports in contributing to sound risk management and effective/efficient decision-making across the bank. The frequency of reports should be increased during times of crisis. 11. Distribution Risk management reports should be distributed to the relevant parties and include meaningful information tailored to the needs of the recipients, while ensuring confidentiality is maintained. Supervisory review, tools and cooperation 12. Review Supervisors should periodically review and evaluate a bank s compliance with the eleven principles above. 13. Remedial actions and supervisory measures 14. Home/host cooperation Supervisors should have and use the appropriate tools and resources to require effective and timely remedial action by a bank to address deficiencies in its risk data aggregation capabilities and risk reporting practices. Supervisors should have the ability to use a range of tools, including Pillar 2. Supervisors should cooperate with relevant supervisors in other jurisdictions regarding the supervision and review of the principles, and the implementation of any remedial action if necessary. Copyright 2013 Oliver Wyman 11

12