Objectives

This chapter presents a set of principles to strengthen banks’ risk data aggregation capabilities and internal risk reporting practices (the Principles). The Principles are expected to support a bank’s efforts to:

Strong risk management capabilities are an integral part of the franchise value of a bank. Effective implementation of the Principles should increase the value of the bank. The Committee believes that the long-term benefits of improved risk data aggregation capabilities and risk reporting practices will outweigh the investment costs incurred by banks.

For bank supervisors, these Principles will complement other efforts to improve the intensity and effectiveness of bank supervision. For resolution authorities, improved risk data aggregation should enable smoother bank resolution, thereby reducing the potential recourse to taxpayers.

Scope and general provisions

These Principles apply to systemically important banks (SIBs) and apply at both the banking group and on a solo basis.

The Principles and supervisory expectations contained in SRP36 apply to a bank’s risk management data. This includes data that is critical to enabling the bank to manage the risks it faces. Risk data and reports should provide management with the ability to monitor and track risks relative to the bank’s risk tolerance/appetite.

These Principles also apply to all key internal risk management models, including but not limited to, Pillar 1 regulatory capital models (eg internal ratings-based approaches for credit risk and advanced measurement approaches for operational risk), Pillar 2 capital models and other key risk management models (eg value-at-risk).

The Principles apply to a bank’s group risk management processes. However, banks may also benefit from applying the Principles to other processes, such as financial and operational processes, as well as supervisory reporting.

All the Principles are also applicable to processes that have been outsourced to third parties.

The Principles cover four closely related topics:

Risk data aggregation capabilities and risk reporting practices are considered separately in this paper, but they are clearly inter-linked and cannot exist in isolation. High quality risk management reports rely on the existence of strong risk data aggregation capabilities, and sound infrastructure and governance ensures the information flow from one to the other.

Banks should meet all risk data aggregation and risk reporting principles simultaneously. However, trade-offs among Principles could be accepted in exceptional circumstances such as urgent/ad hoc requests of information on new or unknown areas of risk. There should be no trade-offs that materially impact risk management decisions. Decision-makers at banks, in particular the board and senior management, should be aware of these trade-offs and the limitations or shortcomings associated with them. Supervisors expect banks to have policies and processes in place regarding the application of trade-offs. Banks should be able to explain the impact of these trade-offs on their decision-making process through qualitative reports and, to the extent possible, quantitative measures.

A bank should have in place a strong governance framework, risk data architecture and information technology (IT) infrastructure. These are preconditions to ensure compliance with the other Principles included in this chapter. In particular, a bank’s board should oversee senior management’s ownership of implementing all the risk data aggregation and risk reporting principles and the strategy to meet them within a timeframe agreed with their supervisors.

The concept of materiality used in SRP36 means that data and reports can exceptionally exclude information only if it does not affect the decision-making process in a bank (ie decision-makers, in particular the board and senior management, would have been influenced by the omitted information or made a different judgment if the correct information had been known). In applying the materiality concept, banks will take into account considerations that go beyond the number or size of the exposures not included, such as the type of risks involved, or the evolving and dynamic nature of the banking business. Banks should also take into account the potential future impact of the information excluded on the decision-making process at their institutions. Supervisors expect banks to be able to explain the omissions of information as a result of applying the materiality concept.

Banks should develop forward looking reporting capabilities to provide early warnings of any potential breaches of risk limits that may exceed the bank’s risk tolerance/appetite. These risk reporting capabilities should also allow banks to conduct a flexible and effective stress testing which is capable of providing forward-looking risk assessments. Supervisors expect risk management reports to enable banks to anticipate problems and provide a forward looking assessment of risk.

Expert judgment may occasionally be applied to incomplete data to facilitate the aggregation process, as well as the interpretation of results within the risk reporting process. Reliance on expert judgment in place of complete and accurate data should occur only on an exception basis, and should not materially impact the bank’s compliance with the Principles. When expert judgment is applied, supervisors expect that the process be clearly documented and transparent so as to allow for an independent review of the process followed and the criteria used in the decision-making process.

Definitions

For the purpose of SRP36, the term “risk data aggregation” means defining, gathering and processing risk data according to the bank’s risk reporting requirements to enable the bank to measure its performance against its risk tolerance/appetite. This includes sorting, merging or breaking down sets of data.

In this chapter, the following terms should be interpreted as follows:

Summary of the Principles

The Principles for effective risk data aggregation and risk reporting are summarised as follows.

Principle 1 – Governance

A bank’s board and senior management should promote the identification, assessment and management of data-quality risks as part of its overall risk-management framework. The framework should include agreed service-level standards for both outsourced and in-house risk data-related processes, and a firm’s policies on data confidentiality, integrity and availability, as well as risk-management policies.

A bank’s board and senior management should review and approve the bank’s group risk data aggregation and risk reporting framework and ensure that adequate resources are deployed.

A bank’s risk data aggregation capabilities and risk reporting practices should be:

A bank’s senior management should be fully aware of and understand the limitations that prevent full risk data aggregation, in terms of coverage (eg risks not captured or subsidiaries not included), in technical terms (eg model performance indicators or degree of reliance on manual processes) or in legal terms (legal impediments to data sharing across jurisdictions). Senior management should ensure that the bank’s IT strategy includes ways to improve risk data aggregation capabilities and risk reporting practices and to remedy any shortcomings against the Principles taking into account the evolving needs of the business. Senior management should also identify data critical to risk data aggregation and IT infrastructure initiatives through its strategic IT planning process, and support these initiatives through the allocation of appropriate levels of financial and human resources.

A bank’s board is responsible for determining its own risk reporting requirements and should be aware of limitations that prevent full risk data aggregation in the reports it receives. The board should also be aware of the bank’s implementation of, and ongoing compliance with the Principles.

Principle 2 – data architecture and IT infrastructure

Risk data aggregation capabilities and risk reporting practices should be given direct consideration as part of a bank’s business continuity planning processes and be subject to a business impact analysis.

A bank should establish integrated5 data taxonomies and architecture across the banking group, which includes information on the characteristics of the data (metadata), as well as use of single identifiers and/or unified naming conventions for data including legal entities, counterparties, customers and accounts.

Roles and responsibilities should be established as they relate to the ownership and quality of risk data and information for both the business and IT functions. The owners (business and IT functions), in partnership with risk managers, should ensure there are adequate controls throughout the lifecycle of the data and for all aspects of the technology infrastructure. The role of the business owner includes ensuring data is correctly entered by the relevant front office unit, kept current and aligned with the data definitions, and also ensuring that risk data aggregation capabilities and risk reporting practices are consistent with firms’ policies.

Principle 3 – accuracy and integrity

A bank should aggregate risk data in a way that is accurate and reliable.

As a precondition, a bank should have a “dictionary” of the concepts used, such that data is defined consistently across an organisation.

There should be an appropriate balance between automated and manual systems. Where professional judgements are required, human intervention may be appropriate. For many other processes, a higher degree of automation is desirable to reduce the risk of errors.

Supervisors expect banks to document and explain all of their risk data aggregation processes whether automated or manual (judgment-based or otherwise). Documentation should include an explanation of the appropriateness of any manual workarounds, a description of their criticality to the accuracy of risk data aggregation and proposed actions to reduce the impact.

Supervisors expect banks to measure and monitor the accuracy of data and to develop appropriate escalation channels and action plans to be in place to rectify poor data quality.

Principle 4 – completeness

A bank’s risk data aggregation capabilities should include all material risk exposures, including those that are off-balance sheet.

A banking organisation is not required to express all forms of risk in a common metric or basis, but risk data aggregation capabilities should be the same regardless of the choice of risk aggregation systems implemented. However, each system should make clear the specific approach used to aggregate exposures for any given risk measure, in order to allow the board and senior management to assess the results properly.

Supervisors expect banks to produce aggregated risk data that is complete and to measure and monitor the completeness of their risk data. Where risk data is not entirely complete, the impact should not be critical to the bank’s ability to manage its risks effectively. Supervisors expect banks’ data to be materially complete, with any exceptions identified and explained.

Principle 5 – timeliness

A bank’s risk data aggregation capabilities should ensure that it is able to produce aggregate risk information on a timely basis to meet all risk management reporting requirements.

The Basel Committee acknowledges that different types of data will be required at different speeds, depending on the type of risk, and that certain risk data may be needed faster in a stress/crisis situation. Banks need to build their risk systems to be capable of producing aggregated risk data rapidly during times of stress/crisis for all critical risks.

Critical risks include but are not limited to:

Supervisors will review that the bank specific frequency requirements, for both normal and stress/crisis situations, generate aggregate and up-to-date risk data in a timely manner.

Principle 6 – adaptability

A bank’s risk data aggregation capabilities should be flexible and adaptable to meet ad hoc data requests, as needed, and to assess emerging risks. Adaptability will enable banks to conduct better risk management, including forecasting information, as well as to support stress testing and scenario analyses.

Adaptability includes:

Supervisors expect banks to be able to generate subsets of data based on requested scenarios or resulting from economic events. For example, a bank should be able to aggregate risk data quickly on country credit exposures6 as of a specified date based on a list of countries, as well as industry credit exposures as of a specified date based on a list of industry types across all business lines and geographic areas.

Principle 7 – accuracy

Risk management reports should be accurate and precise to ensure a bank’s board and senior management can rely with confidence on the aggregated information to make critical decisions about risk.

To ensure the accuracy of the reports, a bank should maintain, at a minimum, the following:

Approximations are an integral part of risk reporting and risk management. Results from models, scenario analyses, and stress testing are examples of approximations that provide critical information for managing risk. While the expectations for approximations may be different than for other types of risk reporting, banks should follow the reporting principles in SRP36 and establish expectations for the reliability of approximations (accuracy, timeliness etc) to ensure that management can rely with confidence on the information to make critical decisions about risk. This includes principles regarding data used to drive these approximations.

Supervisors expect that a bank’s senior management should establish accuracy and precision requirements for both regular and stress/crisis reporting, including critical position and exposure information. These requirements should reflect the criticality of decisions that will be based on this information.

Supervisors expect banks to consider accuracy requirements analogous to accounting materiality. For example, if omission or misstatement could influence the risk decisions of users, this may be considered material. A bank should be able to support the rationale for accuracy requirements. Supervisors expect a bank to consider precision requirements based on validation, testing or reconciliation processes and results.

Principle 8 – comprehensiveness

Risk management reports should include exposure and position information for all significant risk areas (eg credit risk, market risk, liquidity risk, operational risk) and all significant components of those risk areas (eg single name, country and industry sector for credit risk). Risk management reports should also cover risk-related measures (eg regulatory and economic capital).

Reports should identify emerging risk concentrations, provide information in the context of limits and risk appetite/tolerance and propose recommendations for action where appropriate. Risk reports should include the current status of measures agreed by the board or senior management to reduce risk or deal with specific risk situations. This includes providing the ability to monitor emerging trends through forward-looking forecasts and stress tests.

Supervisors expect banks to determine risk reporting requirements that best suit their own business models and risk profiles. Supervisors will need to be satisfied with the choices a bank makes in terms of risk coverage, analysis and interpretation, scalability and comparability across group institutions. For example, an aggregated risk report should include, but not be limited to, the following information: capital adequacy, regulatory capital, capital and liquidity ratio projections, credit risk, market risk, operational risk, liquidity risk, stress testing results, inter- and intra-risk concentrations, and funding positions and plans.

Supervisors expect that risk management reports to the board and senior management provide a forward-looking assessment of risk and should not just rely on current and past data. The reports should contain forecasts or scenarios for key market variables and the effects on the bank so as to inform the board and senior management of the likely trajectory of the bank’s capital and risk profile in the future.

Principle 9 – clarity and usefulness

A bank’s risk reports should contribute to sound risk management and decision-making by their relevant recipients, including, in particular, the board and senior management. Risk reports should ensure that information is meaningful and tailored to the needs of the recipients.

Reports should include an appropriate balance between risk data, analysis and interpretation, and qualitative explanations. The balance of qualitative versus quantitative information will vary at different levels within the organisation and will also depend on the level of aggregation that is applied to the reports. Higher up in the organisation, more aggregation is expected and therefore a greater degree of qualitative interpretation will be necessary.

Reporting policies and procedures should recognise the differing information needs of the board, senior management, and the other levels of the organisation (for example risk committees).

As one of the key recipients of risk management reports, the bank’s board is responsible for determining its own risk reporting requirements and complying with its obligations to shareholders and other relevant stakeholders. The board should ensure that it is asking for and receiving relevant information that will allow it to fulfil its governance mandate relating to the bank and the risks to which it is exposed. This will allow the board to ensure it is operating within its risk tolerance/appetite.

The board should alert senior management when risk reports do not meet its requirements and do not provide the right level and type of information to set and monitor adherence to the bank’s risk tolerance/appetite. The board should indicate whether it is receiving the right balance of detail and quantitative versus qualitative information.

Senior management is also a key recipient of risk reports and it is responsible for determining its own risk reporting requirements. Senior management should ensure that it is receiving relevant information that will allow it to fulfil its management mandate relative to the bank and the risks to which it is exposed.

A bank should develop an inventory and classification of risk data items which includes a reference to the concepts used to elaborate the reports.

Supervisors expect that reports will be clear and useful. Reports should reflect an appropriate balance between detailed data, qualitative discussion, explanation and recommended conclusions. Interpretation and explanations of the data, including observed trends, should be clear.

Supervisors expect a bank to confirm periodically with recipients that the information aggregated and reported is relevant and appropriate, in terms of both amount and quality, to the governance and decision-making process.

Principle 10 – frequency

The frequency of risk reports will vary according to the type of risk, purpose and recipients. A bank should assess periodically the purpose of each report and set requirements for how quickly the reports need to be produced in both normal and stress/crisis situations. A bank should routinely test its ability to produce accurate reports within established timeframes, particularly in stress/crisis situations.

Supervisors expect that in times of stress/crisis all relevant and critical credit, market and liquidity position/exposure reports are available within a very short period of time to react effectively to evolving risks. Some position/exposure information may be needed immediately (intraday) to allow for timely and effective reactions.

Principle 11 – distribution

Procedures should be in place to allow for rapid collection and analysis of risk data and timely dissemination of reports to all appropriate recipients. This should be balanced with the need to ensure confidentiality as appropriate.

Supervisors expect a bank to confirm periodically that the relevant recipients receive timely reports.

Principle 12 – supervisory review

Supervisors should review a bank’s compliance with the Principles in the preceding sections. Reviews should be incorporated into the regular programme of supervisory reviews and may be supplemented by thematic reviews covering multiple banks with respect to a single or selected issue. Supervisors may test a bank’s compliance with the Principles through occasional requests for information to be provided on selected risk issues (for example, exposures to certain risk factors) within short deadlines, thereby testing the capacity of a bank to aggregate risk data rapidly and produce risk reports. Supervisors should have access to the appropriate reports to be able to perform this review.

Supervisors should draw on reviews conducted by the internal or external auditors to inform their assessments of compliance with the Principles. Supervisors may require work to be carried out by a bank’s internal audit functions or by experts independent from the bank. Supervisors must have access to all appropriate documents such as internal validation and audit reports, and should be able to meet with and discuss risk data aggregation capabilities with the external auditors or independent experts from the bank, when appropriate.

Supervisors should test a bank’s capabilities to aggregate data and produce reports in both stress/crisis and steady-state environments, including sudden sharp increases in business volumes.

Principle 13 – remedial actions and supervisory measures

Supervisors should require effective and timely remedial action by a bank to address deficiencies in its risk data aggregation capabilities and risk reporting practices and internal controls.

Supervisors should have a range of tools at their disposal to address material deficiencies in a bank’s risk data aggregation and reporting capabilities. Such tools may include, but are not limited to, requiring a bank to take remedial action; increasing the intensity of supervision; requiring an independent review by a third party, such as external auditors; and the possible use of capital add-ons as both a risk mitigant and incentive under Pillar 2.

Supervisors should be able to set limits on a bank’s risks or the growth in their activities where deficiencies in risk data aggregation and reporting are assessed as causing significant weaknesses in risk management capabilities.

For new business initiatives, supervisors may require that banks’ implementation plans ensure that robust risk data aggregation is possible before allowing a new business venture or acquisition to proceed.

When a supervisor requires a bank to take remedial action, the supervisor should set a timetable for completion of the action. Supervisors should have escalation procedures in place to require more stringent or accelerated remedial action in the event that a bank does not adequately address the deficiencies identified, or in the case that supervisors deem further action is warranted.

Principle 14 – home/host cooperation

Effective cooperation and appropriate information sharing between the home and host supervisory authorities should contribute to the robustness of a bank’s risk management practices across a bank’s operations in multiple jurisdictions. Wherever possible, supervisors should avoid performing redundant and uncoordinated reviews related to risk data aggregation and risk reporting.

Cooperation can take the form of sharing of information within the constraints of applicable laws, as well as discussion between supervisors on a bilateral or multilateral basis (eg through colleges of supervisors), including, but not limited to, regular meetings. Communication by conference call and email may be particularly useful in tracking required remedial actions. Cooperation through colleges should be in line with the Basel Committee’s Principles for effective supervisory colleges.7

Supervisors should discuss their experiences regarding the quality of risk data aggregation capabilities and risk reporting practices in different parts of the group. This should include any impediments to risk data aggregation and risk reporting arising from cross-border issues and also whether risk data is distributed appropriately across the group. Such exchanges will enable supervisors to identify significant concerns at an early stage and to respond promptly and effectively.