The Basel Committee on Banking Supervision's new regulation BCBS 239, requires G-SIBS (Globally Systemically Important Banks) to show compliance with its principles by January 2016.
This has many banks undertaking large programmes with uncertain outcomes, as the regulation is based on compliance with a set of principles, rather than hard metrics or precisely-defined benchmarks.
Whilst it avoids defined metrics to measure and strengthen a bank's risk data aggregation capabilities and internal risk reporting practices, BCBS 239 focuses on principles within four key topics:
- Governance and infrastructure
- Risk data aggregation capabilities
- Risk reporting
- Supervisory review
In common with all global investment banks, Alpha Insight's client was obliged to draw up and define its own approach to achieving and demonstrating compliance with these aims within the tight deadline laid down by the Basel Committee.
Faced with this significant task, the bank engaged Alpha Insight to help it meet all the new regulation's requirements in as thorough and pain-free manner as possible.
Risk Data Aggregation and Risk Reporting – Accuracy, Timeliness and Completeness
Alpha Insight set about building a BCBS 239 control framework which monitored, measured and visualised the bank's risk data aggregation and risk reporting capabilities, based on the regulation's principles of accuracy and integrity, completeness and timeliness.
Like many of its city competitors, the bank had an unwieldy, compartmentalised IT estate built in response to specific challenges and complicated by extensive outsourcing.
This presented a number of obstacles to fulfilling BCBS 239 requirements on risk data aggregation and reporting, as there was no effective end-to-end visibility of processes – a key prerequisite for monitoring and measuring compliance.
The small Alpha Insight team found that the understanding of the various risk management processes carried out by the organisation varied widely. While staff supervising market risk were well-informed, they were nonetheless presenting their data manually on spreadsheets. Operational risk staff, however, lacked the same overview and their reporting was ad hoc and not conducted coherently. In between these two, in terms of risk insight and reporting, was the treasury department.
Establishing critical steps
Alpha Insight's proposed approach was to analyse the business processes and IT architectures that underpinned the production of the bank's key risk metrics and risk reports. Once done, 'flow diagrams' would be created and control points defined as the basis of discussion with both IT and business sides of the bank.
'Flows' are summarised versions of business processes such as Value at Risk, looking only at the critical process steps and showing how they relate to the underlying technology. Control points are measurement points or KPIs within the flow, that can be used to determine that it is operating within the expected tolerances and targets.
Once the accuracy of the flow diagrams and control points was agreed with the bank's business and IT experts, Alpha Insight used its monitoring and compliance expertise to establish how the flow and each control point could be monitored through the underpinning IT systems. Thresholds were established for each control point to indicate whether the flow was operating within the required tolerances. Alerts were created to notify the appropriate parties (IT and/or business operations) when exceptions or breaches occurred.
The bank agreed to perform an initial two-month pilot project focusing chiefly on the BCBS 239 principle related to timeliness of risk data and risk reporting for one of the treasury department's daily risk reports.
Alpha Insight established the flow and agreed the set of control points relevant to establishing the 'timeliness' of the risk data and reports. Both the flow and the control points were then placed in the Alpha Insight iControl data repository and a set of 'monitoring points' and thresholds were defined to monitor and measure whether the flow was operating within the tolerances defined by the bank.
To monitor the control points, Alpha Insight leveraged the bank's existing investment in IT monitoring tools, in this case ITRS' Geneos product. Storing the flow, control points and thresholds in the Alpha Insight solution (iControl) enabled the bank to manage, configure and calibrate (e.g. change threshold values, re-certify, add, delete or modify) the control points going forward.
A real-time, interactive dashboard was also produced by Alpha Insight, visualising the flow and its interaction with IT systems. In the event that any of the control point thresholds were breached (through a late input file-arrival, for example) the breach would be reflected on the dashboard by highlighting the part of the flow, or system within the flow, that was impacted, with a RAG (Red, Amber, Green) status. Such a breach event would also be stored in iControl and an optional alert will be sent to relevant teams.
Success leads to expansion
The successful pilot led to a larger programme to cover the full range of the bank's BCBS 239 risk metrics and risk reports. Working with the bank's business and IT teams, Alpha Insight defined the flows, control points and monitoring solutions in support of the risk data aggregation and risk reporting principles of timeliness, accuracy and completeness.
However, Alpha Insight experts discovered that many of the bank's risk controls were performed manually, outside their IT systems. In order to ensure that these controls were incorporated within the Control Framework, Alpha Insight added functionality to iControl to allow manual data entry, allowing staff to enter information related to manual controls for processing, evaluation and subsequent reporting.
Altogether, approximately 1,700 control points across 40 risk metrics and reports have been defined to determine BCBS 239 compliance. The thresholds defined for each one have been set in line with the risk appetite and tolerances defined by the bank's board, which is ultimately accountable for meeting the Basel Committee's regulatory requirements.
A truly flexible solution
Given the varying frequencies required (daily, weekly, fortnightly, monthly, etc.) the bank decided it only required real-time dashboards and alerting for risk metrics and reports that were reported daily. For other metric frequencies the bank wanted the control points measured in real time, but with reporting and visualisation made available the following business day in their own visualisation tool of choice. To facilitate this Alpha Insight provided an API that would enable the bank's visualisation tool to be fed the control point results, events and RAG statuses once per day, with the option of viewing these events and statuses in real time via iControl.
Other requirements that were included during the project included:
- The ability to aggregate control points by classification (such as accuracy, timeliness, completeness), by risk metric or by division (e.g. market risk);
- The ability to add comments to or override a RAG status under specific conditions
- The ability to indicate if a control point measure or observation is missing
- The ability to indicate whether a metric has been calculated using old data.
Having successfully designed and implemented a governance solution within the deadlines set by the bank, it was fine-tuned in preparation for the January 2016 BCBS 239 deadline.
The bank now has greater confidence that it will meet Risk Data Aggregation and Risk Reporting Control Framework requirements of the regulation, having for the first time, a central repository for all its BCBS 239 risk controls, which have each been defined and assigned owners.
From having an opaque IT estate which it partially understood in relation to its operations and risk management, it now has a true understanding of what is crucial to the business within its systems and how they function.
Not only can the bank fulfil the regulators' requirements, it can also be confident of demonstrating precisely and convincingly how this is achieved, which is a key aspect of compliance.
"It was challenging to handle so many risk metrics and controls and to meet changing requirements within a timescale that cannot be moved," said Marlon Arthur, Client Relationship Manager, Alpha Insight.
"However, we pride ourselves on being flexible and getting things done. There will be further tweaks, but the bank is now able to face the BCBS 239 deadline with confidence, being able to show how it has implemented the principles that inform a regulation that will shape banking for the foreseeable future."