The Importance of Aggregating Risk Data for Enterprise Risk Management in the Banking Industry

David D’Amico, Director-Enterprise Risk Management, MUFG Americas

The financial instabilities of the last few years have shown risk aggregation to be one of the weakest links in many institutions’ technology and risk architecture. This weakness hinders the efficient and effective risk-based decision making that could help institutions improve their responses to both internal and external calamities. As a result, there has been a clarion call for financial institutions, especially banks, to be able to aggregate risks across different spectrums. This means measurement, monitoring, and supervision at the level of individual risks, such as market risk for the trading book and credit risk for the trading and banking books, across business lines and possibly legal entities, depending on the institution’s structure, as well as at the enterprise level. In order to determine the total enterprise risk for a financial institution, all risks must be aggregated and analyzed.

To understand how limitations in data availability across the enterprise frustrate the holistic risk management of firms, you only need to look at the recent subprime mortgage crisis, which morphed into the liquidity crisis and then the economic crisis, which in turn led to the wider contagion that was experienced post 2008 and is still felt today in some areas. Ultimately, banks did not have access to the data needed to enable the robust management of risk across the enterprise. Once a holistic view of key risk data has been achieved, banks can deliver material improvements in operational efficiency both at the local level and at the enterprise level.

Banks are now required to aggregate their risk forecasts across the entire organization for the purposes of enterprise risk management and capital planning. The components that are aggregated may include various balance sheet portfolios, retail banking, commercial lending, capital markets, investment banking, and asset management. For the purpose of enterprise risk management, the aggregation methodology for risk data and reporting has to follow a disciplined set of principles set by the Basel Committee on Banking Supervision called “Principles for Effective Risk Data Aggregation and Risk Reporting” (January 2013), which is also referred to as BCBS 239. The January 2015 progress report on BCBS 239 shows that nearly half of banks reported material non-compliance on the following three Principles: data architecture/IT infrastructure (Principle 2), adaptability (Principle 6), and accuracy/integrity (Principle 3).

Implementation of the Basel principles should ideally take place along with the implementation of other regulations addressing reporting, data, and IT infrastructure. Banks are facing multiple regulations besides the Basel Risk Reporting Rules mentioned above: there are Recovery and Resolution Plans (RRP), the Foreign Account Tax Compliance Act (FATCA), and Enhanced Prudential Standards (EPS) for foreign banks operating in the U.S. Other regulations that touch on reporting, such as the Interagency Supervisory Guidance on Counterparty Credit Risk Management and on Leveraged Lending, are added to the mix. Banks are also making choices regarding future business model changes as a result of the new market landscape and other regulatory pressures, such as those on leveraged lending.

Many banks have a top-down perspective on Enterprise Risk Management (ERM), which underestimates the importance of data and compromises the bigger-picture requirements of a sound ERM framework, including the long-term strategic advantages of a solid data foundation. ERM is about the timely scrutiny and proactive management of risks across lines of business. Risk assessment might address the extent to which concentrations are being built up, whether industry or geography limits are being eroded too fast, or whether pricing is too low (for profitability) or too high (for competitive positioning). For an ERM framework to be considered a success, it needs to deliver enhanced information and timelier decision-making capabilities. Sound ERM practices include the ability to monitor, in near real-time, the combined impact of lending decisions being made by originators in a branch network, or the aggregate effect of trading decisions being made on the trading floor, every day.

Capturing the correct data at the point of origination is absolutely critical to ensuring that the right people discuss, monitor, and manage the risks appropriate for consideration at each level of the organization. For example, business management will have the opportunity to assess whether new deals are meeting the hurdle rates for different risk profiles, while executive management can review whether the business strategy for a particular segment or area is meeting its targeted risk-adjusted returns. This way, the ultimate goal of ensuring that unusual, unintended, or unacceptable risks are isolated and proactively managed can be met.

Ensuring data is properly aggregated not only on an enterprise basis but also at a customer level can change how that customer is treated and its importance to the office or branch that services its accounts. I have seen instances where, while the overall risk may not have changed due to the aggregation of the group of inter-related entities, the revenue or profitability picture did. Without this knowledge, the servicing office may not have paid the proper level of attention to the customer and would have lost more revenue than initially thought.

There is no one vendor solution that I am aware of that can resolve all the data aggregation issues, and for most firms, building out something in-house causes resource constraints for IT staff and business/risk subject matter experts that would need to be overcome. Whatever route you may take, one cannot stress enough the importance of building a strong enterprise risk management infrastructure to support your needs. Not doing proper risk aggregations may result in regulatory actions against your institution, which in turn makes it a reputational risk issue.
