ONE of the main features of the financial crisis was that it revealed the inadequacy of banks’ risk-data systems and processes. This had serious impacts both on managements’ ability to understand and manage risk and on regulators’ attempts to maintain liquidity and limit contagion.
Regulators are now seeking to instill more responsible and effective practice. Banks need to review and improve their risk infrastructure. But there are benefits to be obtained which should outweigh the costs.
Over the years, management systems in bank—and other financial services companies—have had to cope with increasing regulatory requirements, new corporate structures, new products and operating models. As with other infrastructure, systems for the collection, aggregation and analysis of risk data have typically developed in an incremental fashion, with different modules, incompatible data and a range of ad hoc processes.
In many cases, these systems have become so unwieldy and unstable that they fail in their core purpose. Relevant data is missing or inadequately analyzed, often resulting in the formation of “reconciliation industries” within the organization as data is passed between a multitude of systems across inconsistent integration mechanisms.
The extent to which these reconciliation industries have evolved within organizations is often underestimated and rarely quantified in terms of productivity loss.
Risk data is being provided too late to influence trading and operations that should depend on it.
Responsible management and supervision are both compromised, while operating costs are inflated unnecessarily. As a result, regulators are now focusing not only on the results and outcomes of risk figures, but also on the machinery and processes behind them.
In 2009 the Basel Committee on Banking Supervision issued supplemental Pillar 2 (supervisory review process) guidance designed to enhance the banks’ ability to identify and manage bank-wide risks; 1) In 2013 the committee published a set of principles to strengthen risk-data aggregation capabilities and internal risk reporting practices, along with guidance on their implementation.
2) The principles, which provide qualitative and quantitative measures, cover four key areas.
The importance of boards and senior management exercising strong governance over a bank’s risk-data aggregation capabilities, risk reporting practices and information-technology capabilities.
- The accuracy, integrity, completeness, timeliness and adaptability of aggregated risk data.
- The accuracy, comprehensiveness, clarity, usefulness, frequency and distribution of risk management reports, including to the board and senior management.
- The need for supervisors to review and evaluate a bank’s compliance with the first three sets of principles listed above, to take remedial action as necessary and to cooperate across home and host supervisors.
Key issues
Where banks have undertaken systematic analysis and testing of their current processes, the results have often been illuminating.
In certain cases, it has revealed that compiling a comprehensive group-wide set of risk figures has been taking up to 60 days.
The larger and more complex a bank, the more likely it is that risk-data is incomplete, inadequate or out-of-date, particularly on an aggregated and global level.
Banks may have all of the information, but it’s often inefficiently stored, inconsistently formatted, poorly integrated and difficult to interrogate. Senior management should be aware of the risk of “flying blind,” especially in extreme events, and of taking and implementing decisions in the absence of reliable risk metrics.
It is critical, therefore, that financial services firms review the strength and effectiveness of their risk-data architecture and systems. There are four key issues that need to be addressed.
Improvements and benefits
This review of common problems naturally also suggests the scope for improvement and the value that can be obtained from effective risk-data aggregation, storage and analysis.
The ability to consolidate and synchronize all relevant risk-data can lay the foundation for a more overarching and consistent analysis, enabling better business management, better risk management and optimized operating models.
Leading banks appreciate the potential benefits and are working to strengthen the contribution of effective risk management to business judgment and corporate strategy. Systems for transmitting and reporting risk data need to be built into any improved data aggregation framework since its value is dependent on the ease and timeliness with which senior management can take the results into account.
The same argument applies to communication with regulators, who will value rapid and accurate regular reporting, as well as a speedy response to ad hoc requirements.
Achieving the benefits requires moves toward greater standardization, common data models, integrated systems and, in some circumstances, consolidated data warehouses.
These initiatives need to be defined and implemented in ways that balance costs and potential benefits. But since the results should include increased confidence, reduced potential for loss, efficiency gains and increased profits, significant effort and expenditure can often be worthwhile.
Conclusion
Risk-data aggregation and reporting are too important to be left to the risk function or—more seriously—information-technology professionals. Regulators are demanding better performance, but equally, senior executives and boards will derive significant benefits from improving their risk infrastructure and processes. However, this is not a simple or straightforward challenge.
Success requires fundamental changes in the way core functions operate, with significant potential consequences for organization and processes. Inevitably, this can be expensive. However, effective renovation of the risk IT infrastructure is a strategic investment that not only satisfies regulatory demands, but also leads to competitive advantage.
Responsible governance, therefore, requires that these issues are given appropriate strategic attention at the highest levels.
The article is written by Sascha Chandler of KPMG in Australia, Marco Lenhardt and André Lattemann of KPMG in Germany, and Brian Hart of KPMG in the US.
Manabat & Co., a Philippine partnership and a member-firm of the KPMG network of independent firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
For more information on KPMG in the Philippines, you may visit www.kpmg.com.ph.