By Ken Hartlage, Head of Corporate Development at Information Mosaic
“One of the most significant lessons learned from the global financial crisis that began in 2007 was that banks’ information technology (IT) and data architectures were inadequate to support the broad management of financial risks.”
So begins the “Principles for effective risk data aggregation and risk reporting”, by the Basel Committee on Bank Supervision (BCBS). It goes on to aver that during the crisis many banks were incapable of aggregating risk exposures quickly and accurately, and that shortcoming in turn had consequences for the banks themselves and the financial system as a whole.
If that sobering introduction isn’t a wakeup call, the attendant language to the BCBS’ eleven Principles that follows should be. Covering the full gamut of factors such as risk data accuracy, comprehensiveness, usefulness, frequency and governance, the Principles set out in a short twenty-one pages what banks are expected to do when collecting and reporting risk data. So far, so good. However, what’s unsettling is just how elementary it all is: it is chock-full of statements that read as if out of a primer on risk management:
“To manage risk effectively, the right information needs to be presented to the right people at the right time. Risk reports based on risk data should be accurate, clear and complete. They should contain the correct content and be presented to the appropriate decision-makers in a time that allows for an appropriate response.”
One is left to wonder: if such obvious points need making, just how bad is the current situation? Well, the BCBS is leaving little time for speculation: they’ve instructed national banking supervisors to start discussing implementation of the Principles with global systemically important banks (G-SIBs) in 2013 with a goal to have significant gaps closed by 2016.
Nearly concurrent with the BCBS’ Principles, the Financial Stability Board (FSB) published its “Thematic Review on Risk Governance”. Like the BCBS paper, the review was born out of the financial crisis and the subsequent findings, which, in the FSB’s own words, “painted a fairly bleak picture of risk governance frameworks at financial institutions.” It points out that many board members had little or no financial experience; limited understanding of the business complexity the company was engaged in; and that directors were all too deferential to senior management. The Review summarises the situation:
“Moreover, most firms lacked a formal process to independently assess the propriety of their risk governance frameworks. Without the appropriate checks and balances provided by the board, the risk management function, and independent assessment functions, a culture of excessive risk-taking and leverage was allowed to permeate in these weakly governed firms.”
In its recommendations the FSB states that banks should establish a best practices risk governance framework that ensures the creation and independence of a board level risk committee; appoints a CRO who is accountable to that committee; and provides for the requisite risk management resources to do the job. The FSB does not leave it simply at that, however, but also tackles the stickier questions around risk culture and appetite. The FSB states that banks need to set limits to the types and degrees of risk they are prepared to undertake and, furthermore, to ensure the entire company understands and abides by those limits in the execution of its business. To make certain FSB member states and standard-setting bodies are all singing from the same risk hymn sheet, as it were, recommendations for a common risk framework and nomenclature are to be set by the end of 2013, while recommendations for formally assessing risk culture are to be completed by September 2013.
Taken together, the BCBS’s Principles for Effective Risk Data Aggregation and Reporting and the FSB’s Thematic Review on Risk Governance form a veritable pincer move on bank risk management. The first addresses the key shortcomings around the collection and reporting of risk data, and the second ensures the right organizational structure is in place to monitor that information and, if needed, take appropriate action independent of external influences.
Yet what remains perplexing is why any bank would need such prompting to address these concerns, when profit retention would appear to be a much stronger motive. As noted in the first installment of this occasional series, the 65 members of the Operational Risk Exchange (ORX) Association reported operational risk losses of €25,110M in 2011, and a total loss value of over €81,000M since 2006. If this is an issue amongst ORX members, presumably amongst the most forward-thinking firms when it comes to operational risk management, what is the cumulative impact across the rest of the industry? Surely bank executive management is taking notice? Then again, maybe the FSB and BCBS have answered that question for us: Yes they are, but not enough.