No need to re-hash what happened in the 2008 financial crisis – we know all too well and Sorkin’s epitaph to failure should have been the all-time cure for any risk manager suffering from insomnia.
The European Central Bank also wrote its own (equally significant but less popular) Report on the Thematic Review on effective risk data aggregation and risk reporting in May 2018. Some 12 years after the financial crisis of 2008, it would seem that banking has still failed to heed the lessons of 2008 and implement the recommended principles of BCBS_239.
BCBS_239 (vital, if unglamourous) was conceived to enable the financial sector to identify and mitigate risks that might threaten not only individual institutions but also the entire financial edifice – as the perfect storm did in 2008. As that resulted in the ECB being caught ‘short’ in 2008, you can understand why their language is unusually excoriating for a pillar of the establishment:
“Thus far, none of those significant institutions – some of which are classified as global systemically important banks – have fully implemented the BCBS_239 principles. Weaknesses stem mainly from a lack of clarity regarding responsibility and accountability for data quality. It is often difficult to understand what the roles and responsibilities of business, control and IT functions are, and how those roles are allocated and exercised. Consequently, further efforts will be needed in this area in the coming years in order to enhance the effectiveness of risk data aggregation and risk reporting… “
“One key lesson from the financial crisis was the need for more information on risk in order to make sound business decisions. IT, data architecture and related business processes were not sufficient to support the broad management of financial risks. Many credit institutions lacked the ability to aggregate risk exposures and identify concentrations quickly and accurately at group level, across business lines and legal entities, as a result of inadequate risk information and weak risk data aggregation practices. As a result, those credit institutions’ ability to take timely decisions was seriously impaired, with wide-ranging consequences for the credit institutions themselves and the financial sector as a whole. “
European Central Bank: Report on the Thematic Review on effective risk data aggregation and risk reporting 2018; pages 1-2.
- First, many institutions are still reliant on manual processes. They don’t have full digital visibility of all the process data which prevents them from using, automating or analysing it. Nor do they understand the data since describing it will mean further manual effort (and cost) to achieve insight. Adding insult to injury, the manual processes themselves are inadequate. Such institutions are running blind since the bias of partial understanding upsets the nature of business. The ECB, who clearly see this danger, state (and this is just one of many salient points) in relation to BCBS_239 Principle 1:
“Manual processes were not fully identified, properly documented and independently reviewed, and the level of automation remained unsatisfactory even for key and complex tasks.”
European Central Bank: Report on the Thematic Review on effective risk data aggregation and risk reporting 2018; page 8.
- Second, financial data is buried in legacy databases, groaning at the seams, where it is unusable for risk of the financial corsets giving out under fresh strain.
- Third, the inability to aggregate data means that the executive oversight needed to spot patterns from on high (which BI has been doing for decades) means that risks are hidden – remember sub prime mortgages?
- Fourth, data quality is, as we have said previously, the corporate cinderella – and a problem area that no executive likes having to admit to – or pay for.
- Five, lack of digitalisation means incomplete and poor data and metadata with non-interoperable, uninterrogatable puddles of data scattered throughout the enterprise, leading in turn to a blind eye when it comes to risk, and a slow blind eye at that. (Banks using Kdb+ may well have overcome speed issues, vital for making decisions that are timely and founded on accurate information. Speed matters.
- Six, architecture also matters. Building IT ecosystems of this kind, where data is transferred across jurisdictional boundaries, regulations and entities; bounded by tight governance, user privilege and regulation; has massive security and privacy implications; and where a ‘golden record’ has to be curated in the face of multi-lateral input – means some serious rethinking about what these new systems in the digital age should look like. Unfortunately, few institutions have made this a priority, and those that have seem to be handicapped by the lack of vision at Board level, where few of the ‘great and good’ seem to grasp either technology or the urgency of the situation, and seem blissfully unaware of their own personal accountability.
- Seven, ‘man cannot live by data alone’ – there are also generalisable concepts that influence our processes and our use of technology . These are still hidebound by paper-based thinking and inadequately-curated data).
- Without the ability to think digital, financial institutions are incapable of leveraging automation, AI, machine learning, and a host of technologies that could actually substantially de-risk their operations if they only grasped the simple nettle of ‘it all begins with the data’.
The ECB’s Report contains some very helpful pointers toward architectural and system requirements:
“The involvement of a credit institution’s board (for guidance, oversight and the approval of policies) and its executive and senior management (for implementation and monitoring) in risk data aggregation and the risk reporting framework is, together with sound risk data architecture and appropriate IT infrastructure, a key precondition for ensuring compliance with other principles. Clear roles, incentive schemes and responsibilities are of key importance in the area of risk data management. It is crucial in this regard that integrated IT platforms are put in place, covering all material risk types and all material subsidiaries and building on unique (“golden”) sources of information. It is also important that data architecture supports audit trails and the implementation of controls. “
European Central Bank: Report on the Thematic Review on effective risk data aggregation and risk reporting 2018; page 5.
It is worrying that the ECB’s report has still not been taken to heart – confirmed by interview with the. It makes good points and is, unlike a lot of reports, actually helpful in progressing both the sector requirements and what is required of the IT. Three years on and it is still largely ignored – even overlooked by financial journalists not perhaps aware of its significance.