Risk data aggregation and risk reporting (BCBS 239) – Board and senior management responsibilities

Post #2 in my series on Data aggregation and reporting principles (BCBS 239) – applied common sense

I was saddened to hear of the death on July 16th of Stephen Covey, author of The Seven Habits of Highly Effective People. I have found the 7 habits very useful in my work as a data consultant.

Two of the habits apply directly to this blog post.

  • Habit 1: Be Proactive
  • Habit 2: Begin with the End in Mind

I imagine the authors of BCBS 239, “Principles for effective risk data aggregation and risk reporting”, are also familiar with the 7 habits, since the principles appear to be based on them.

Habit 1: Be Proactive

Regulatory supervisors expect the board and senior management to “be proactive” in taking responsibility for risk data aggregation and risk reporting.  The following quotes from the document illustrate my point:

Section I. “Overarching governance and infrastructure”

Paragraph 20: “… In particular, a bank’s board and senior management should take ownership of implementing all the risk data aggregation and risk reporting principles and have a strategy to meet them within a timeframe agreed with their supervisors… by 2016 at the latest.”

Paragraph 21: “A bank’s board and senior management should promote the identification, assessment and management of data quality risks as part of its overall risk management framework…. A bank’s board and senior management should review and approve the bank’s group risk data aggregation and risk reporting and ensure that adequate resources are deployed.”

Habit 2: Begin with the End in Mind

I advise my clients to “Begin with the end in mind” – by defining clear, measurable and testable requirements.

The authors of the Basel principles appear to agree.  The board and senior management are the people who must assess the risks faced by the financial institution, therefore they are the people who must specify the information they want in the risk reports. Don’t take my word for it – the following quotes from the document illustrate my point:

Principle 9: Clarity

Paragraph 53: “As one of the key recipients of risk management reports, the bank’s board is responsible for determining its own risk reporting requirements.”

Paragraph 55: “Senior management is one of the key recipients of risk reports and is also responsible for determining its own risk reporting requirements.”

What is the impact of the above? 

Regulators will expect to see evidence of documented risk reporting requirements, signed off by the board and senior management.

Where are yours?

Know your data

You must know your data.

Do you know what’s in your data box of chocolates?

You must know where it is, what it should contain and what it actually contains.

When your data does not contain what it should, you must have a process for correcting it.

CEOs, CFOs and CROs often take the above as a “given”. They make business-critical decisions using information derived from data within their organisation. After all, it’s applied common sense.

For the insurance industry, Solvency II requires evidence that you are applying common sense.

If you operate in the EU market or process the personal data of EU data subjects, you must comply with the EU General Data Protection Regulation (GDPR) or face severe fines. To comply, you must “know your (personal) data” and how you manage it.

In my experience, data is like a box of chocolates “You never know what you’re gonna get.”

Do you know your data?

Process for assessing status of common Enterprise-Wide Data Governance Issues

If you work with data in large enterprises, you will be aware that the data, and the ability of the business to access that data, are seldom as “good” as they should be. But just how “good” or “bad” are they?

This post outlines a process for assessing the status of common Enterprise-Wide Data Governance  issues within your enterprise, or that of a client.  I use it as the basis for my “Data Governance Health Check”.

These issues can impact your ability to deliver the underlying data required for meaningful CRM, Business Intelligence, etc. More seriously, they can impact your ability to satisfy regulatory compliance demands (e.g. GDPR, BCBS 239, Solvency II, Anti Money Laundering, Basel II etc.) in a timely, cost-effective manner.

Do issues like these affect your enterprise?  If not, how have you resolved or prevented them?  Please share your experience by posting a comment.

Common Enterprise-wide data governance issues:

1. Quality of informational data is not as high as desired
2. Quality of data entered by front-end staff is not as high as desired
3. No culture of Data as an ‘asset’ or ‘resource’
4. No clear ownership of data
5. Business Management don’t understand what “Data Quality” means
6. No Enterprise Wide Data Quality Measurement of Data Content
7. No SLAs defined for the required quality level of critical data
8. Accessibility of data is poor
9. Data Migration and ETL projects are Metadata driven
10. No Master repository of Business Rules
11. No ownership of Cross Business Unit Business Rules
12. No Enterprise Wide Data Dictionary
13. Islands of Data
14. No Enterprise Wide Data Model

Explanation of the scale and the process for using it:

There are 6 levels on the scale, starting at level 1, and increasing to level 6.  The higher the score, the better prepared the organisation is to deal with the issue.  The worst case scenario is actually a score of ZERO, which means that management in the enterprise is not even aware that the issue exists.  To assess the actual status of an issue, ask for documentary evidence to illustrate that the Enterprise  has actually reached that level:

Figure 1: Status of a (data governance) issue.

1. Aware – Senior Management is aware that the issue exists. e.g. Data Quality is not measured, or is measured in an ad-hoc manner. Evidence: captured in an Issues Log or Requirements document.
2. Understands – Senior Management fully understands the issue; the impact of not addressing it; and the options available to address it, complete with the pros and cons of each option. e.g. An issue paper explains the impact of having no Data Quality metrics on downstream data-dependent projects etc. Evidence: Issue Paper, Rationale paper or Point of View paper(s).
3. Policy defined – Senior Management has a clearly stated policy/strategy identifying the selected option. e.g. Data Quality Measurement must be performed by each Business Unit, using a standard Enterprise Wide Data Quality Measurement process…. Evidence: Policy document / Design Principles / Communications / education material.
4. Process defined – The organisation has a clearly defined process detailing exactly how the policy/strategy will be implemented, which common services/utilities must be used, and exactly how to use them. e.g. The standard Enterprise Wide Data Quality Measurement process will use ‘off the shelf tool X’ to produce a standard set of Data Quality metrics…. Each BU must train N staff in the use of the tool. Training will take place…… Evidence: End To End Process documentation / Education and Training material.
5. Infrastructure in place – Infrastructure (systems / common services / utilities) needed to implement the process is in place. e.g. ‘off the shelf tool X’ has been licensed and installed Enterprise Wide. Staff have been trained… Pilots have been run… Evidence: Programme Infrastructure document / Utility user manuals.
6. Governance in place – Governance is in place to ensure that the defined policy is implemented in accordance with the defined process. e.g. The stakeholders are… The Data Steering Enterprise includes the CIO and…. The reporting process is….. The following controls are in place…. Evidence: Programme Governance document / Education / completed sign-offs.

Your experience:
How do you assess Data Governance within your organisation, or that of a client? Please share your experience by posting a comment – Thank you – Ken.