Implementing Dynamic Risk Management for Banks
Recently, the Basel Committee on Banking Supervision (BCBS) issued its second progress report on banks’ adoption of the committee’s Principles for Effective Risk Data Aggregation and Risk Reporting.1 The principles and requirements apply specifically to the list of the 31 Global Systemically Important Banks (G-SIBs) as identified by the Financial Stability Board (FSB) in 2011.
Nearly half — 14 — of those 31 banks reported that they will be unable to fully comply with the principles by the 2016 deadline, a number that is up from 2013 (when 10 G-SIBs reported the same). Some G-SIBs are reportedly struggling to establish strong data aggregation governance, architecture and processes. Meanwhile, issues such as project delays, project complexity and “scope creep” emerged once the full impact of the regulation was understood. The BCBS is clearly concerned that a large number of firms will find it difficult to fully comply by 2016, given the work that remains to be done. Furthermore, the rules could potentially be extended to Domestic Systemically Important Banks (D-SIBs) in the future — so in due course, these requirements could apply to most banks.
To be thoroughly prepared, banks should consider implementing a more dynamic risk management approach and set of capabilities. A wise approach would include the following steps:
1. ESTABLISH A CLEAR, MEASURABLE AND ACTIONABLE RISK STRATEGY
First, determine an appropriate risk strategy and profile (i.e., the risks faced as a result of business activities) before setting risk objectives and appetite (i.e., tolerances, buffers and limits). Typically, a risk profile needs to be sufficiently detailed and categorized by type of risk to enable aggregation across business lines or legal entities.
Banks should also determine a set of meaningful quantitative and qualitative metrics, all of which need to be simply and clearly reflected in risk appetite statements. All those definitions will only be of use if they can be measured accurately, monitored constantly and communicated periodically to the relevant stakeholders.
In short, a risk strategy should be defined by the overall business strategy, as well as being clear, tangible, accurate, measurable, reportable and, most importantly, actionable.
2. EMBED RISK MANAGEMENT WITHIN NORMAL DECISIONMAKING PROCESSES
Just as a business strategy depends on being adopted and executed by people in the firm, a risk strategy needs to play a role in every part of the business.
To achieve this, a bank should have a strong governance framework to ensure that the risk appetite and capacity to face risk management challenges is communicated effectively throughout the firm. More importantly, it should also support an environment where spotting and mitigating risks is fostered and encouraged by reward schemes at every managerial level.
The idea is that risk- and reward-based decision-making be embedded when defining processes, activities and controls, an approach that should be welcomed and recognized throughout the business.
3. INTEGRATE AND REFLECT RISK PLANNING IN IT ARCHITECTURE AND INFRASTRUCTURE PROGRAMS
Many banks fail to recognize that systems and data are not synonymous and therefore need to be considered separately. In other words, the success of one enterprise-wide or horizontal approach to IT systems is severely limited if a bank’s data resides in vertical or lateral silos.
Although it’s important to not eliminate data management silos, it is worth considering directing efforts to manage infrastructure programs in an integrated manner, as part of a single management information (MI) and IT change program.
For risk management and implementing the BCBS principles, it’s no different. Banks should create the ability to look across their siloed and dispersed systems and identify common sources, processes and data. Integrating capabilities can also present opportunities for banks to consolidate previously separate processes, limit the number of point solutions, improve effectiveness and efficiency, and finally, improve data governance and quality.
4. DATA AGGREGATION
Ideally, a bank should maintain and enhance a strong risk data aggregation approach to ensure the accuracy, completeness and timeliness of its risk management reports.
However, by implementing rules aimed solely at compliance, banks often make it extremely difficult for employees to do their day-to-day jobs. Inevitably, this leads employees to work around the system in order to do their jobs effectively — an action that can lead to a major compliance risk in its own right.
To avoid this situation, a bank needs to consider risk data aggregation as an enabler rather than as a hindrance. In other words, from a compliance standpoint, banks need to take into account how people work — not just the byproduct of that work — when considering the principles to aggregate data governance and accountability.
5. COMMODIFICATION OF RISK REPORTING
A bank should ensure that the appropriate risk management reports are delivered to the right decision makers in a timely manner.
As part of their compliance efforts, banks could take a serious look at all their front-middle-back-office reporting requirements and services. In the process, they can also identify those legacy processes that add little or no competitive advantage. Commoditized, these processes and reporting capabilities can either be outsourced to third-party providers or to emerging utility providers specializing in regulatory reporting. At the very least, such processes can be standardized and addressed through third-party software solutions to raise efficiency and minimize internal costs.
Overall, most new regulations require consolidated data. On the face of it, that’s simply a new and growing cost: But banks can actually benefit from having aggregated and consolidated data by using it to create value and gain competitive advantage. Moreover, smart banks can do more than merely comply. By implementing dynamic risk management, and by aggregating systems, data and reporting, banks can meet compliance rules at lower cost while laying the foundation for new services that will satisfy customers, add revenue and boost competitiveness.
HOW CSC WILL HELP YOU
CSC continues to help many banks, including SIBs (Systemically Important Banks), to implement and manage risk data aggregation, along with supporting analysis, infrastructure integration, data management and reporting capabilities.
With its deep industry experience and technology-agnostic approach to delivering solutions, CSC can help banks get the maximum benefit from risk management and regulatory compliance challenges and initiatives.