Risk data aggregation and risk reporting (BCBS 239) – Board and senior management responsibilities

Post #2 in my series on Data aggregation and reporting principles (BCBS 239) – applied common sense

I was saddened to hear of the death on July 16th of Stephen Covey, author of The Seven Habits of Highly Effective People. I have found the 7 habits very useful in my work as a data consultant.

Two of the habits apply directly to this blog post.

  • Habit 1: Be Proactive
  • Habit 2: Begin with the End in Mind

I imagine the authors of BCBS 239, “Principles for effective risk data aggregation and reporting principles”, are also familiar with the 7 habits, since the principles appear to be based on them.

Habit 1: Be Proactive

Regulatory supervisors expect the board and senior management to “be proactive” in taking responsibility for risk data aggregation and risk reporting.  The following quotes from the document illustrate my point:

Section I. “Overarching governance and infrastructure”

Paragraph 20: “… In particular, a bank’s board and senior management should take ownership of implementing all the risk data aggregation and risk reporting principles and have a strategy to meet them within a timeframe agreed with their supervisors… by 2016 at the latest.”

Paragraph 21. “A bank’s board and senior management should promote the identification, assessment and management of data quality risks as part of its overall risk management framework…. A bank’s board and senior management should review and approve the bank’s group risk data aggregation and risk reporting and ensure that adequate resources are deployed.”

Habit 2: Begin with the End in Mind

I advise my clients to “Begin with the end in mind” – by defining clear, measurable and testable requirements.

The authors of the Basel principles appear to agree. The board and senior management are the people who must assess the risks faced by the financial institution; therefore, they are the people who must specify the information they want in the risk reports. Don’t take my word for it – the following quotes from the document illustrate my point:

Principle 9: Clarity

Paragraph 53. “As one of the key recipients of risk management reports, the bank’s board is responsible for determining its own risk reporting requirements.”

Paragraph 55: “Senior management is one of the key recipients of risk reports and is also responsible for determining its own risk reporting requirements.”

What is the impact of the above? 

Regulators will expect to see evidence of documented risk reporting requirements, signed off by the board and senior management.

Where are yours?

Business is all about data

Technologies may come and go.  At the end of the day, business is all about data.

Take the banking industry:
Hundreds of years ago, banks had Customers, with Accounts, on which Transactions were recorded. Bankers knew their customers personally, and all details were recorded by hand in ledgers, using quills made from feathers. Over time, quills were replaced by fountain pens, and later by biros, to record customer, account and transaction details.

Fast forward to today:
Banks still have Customers, with Accounts, on which Transactions are recorded, only many, many more of them. Financial Regulators require banks to “know your customer”, but it is physically impossible for bankers to know their customers personally. Customers can now perform transactions via multiple channels: at the bank branch counter, over the internet, over the phone, using mobile devices.

Customer Relationship Management (CRM):
To provide their customers with the best service, banks have implemented “Customer Relationship Management” or CRM systems. CRM systems analyse data to identify situations when the bank may wish to contact the customer to offer additional services, or otherwise improve the service the bank provides to the customer.

Money Laundering, Fraud, Terrorist Financing:
Banks today face ever increasing risks of Money Laundering, Terrorist Financing and Fraud.  Regulators require banks to implement best practice Anti Money Laundering (AML) and Anti Terrorist Financing solutions.

Best practice solutions:
What is the common thread amongst the best practice AML solutions?  How do Anti Money Laundering solutions enable a bank to “Know your customer”?  How do Anti Money Laundering solutions identify Accounts that require investigation? How do Anti Money Laundering solutions identify “Suspicious Transactions” amongst the millions of transactions the bank processes daily?

The answer:
By analysing the data. However, the data analysis must be targeted. The analysis must seek out defined activity patterns, and then alert trained staff to the possibility of wrongdoing. More sophisticated AML systems can identify transaction activity that is unusual for a given customer type, by performing “Peer Group Analysis”. For “Peer Group Analysis” to work, a bank must be able to reliably distinguish between different customer types. Distinguishing between different customer types is often more challenging than one would think…
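The dependence of “Peer Group Analysis” on reliable customer types can be shown in a few lines. The following is an added example, not code from this post or from any AML product; the customer records are constructed, and the scoring method (a robust z-score based on the median and median absolute deviation) and the threshold of 3.5 are assumptions of the example.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data: (customer_id, customer_type, monthly_turnover).
CUSTOMERS = [
    ("C01", "student", 900), ("C02", "student", 1100), ("C03", "student", 1000),
    ("C04", "student", 950), ("C05", "student", 1050), ("C06", "student", 48000),
    ("C07", "retailer", 45000), ("C08", "retailer", 52000), ("C09", "retailer", 50000),
    ("C10", "retailer", 47000), ("C11", "retailer", 55000),
]


def peer_group_alerts(customers, threshold=3.5):
    """Return ids whose turnover is unusual for their own customer type.

    Scoring uses a robust z-score (median and median absolute deviation);
    this is an assumption of the example, not a method named in the post.
    """
    groups = defaultdict(list)
    for cid, ctype, turnover in customers:
        groups[ctype].append((cid, turnover))

    alerts = []
    for members in groups.values():
        values = [t for _, t in members]
        med = median(values)
        mad = median(abs(v - med) for v in values)
        if mad == 0:
            continue  # no spread in this peer group, so nothing can be scored
        for cid, turnover in members:
            if 0.6745 * abs(turnover - med) / mad > threshold:
                alerts.append(cid)
    return sorted(alerts)


def relabel(customers, cid, new_type):
    """Simulate a data quality error: one customer carries the wrong type."""
    return [(c, new_type if c == cid else t, v) for c, t, v in customers]


if __name__ == "__main__":
    print(peer_group_alerts(CUSTOMERS))                              # correct types
    print(peer_group_alerts(relabel(CUSTOMERS, "C06", "retailer")))  # wrong type
```

With correct types, C06 stands out against the other students; once the same customer is recorded as a retailer, the same turnover looks normal for its peer group and no alert is raised.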