risk management presentation january 21 2013
TRANSCRIPT
-
7/28/2019 Risk Management Presentation January 21 2013
1/140
P a g e | 1
International Association of Risk and ComplianceProfessionals (IARCP)
1200 G Street NW Suite 800 Washington, DC 20005-6705 USATel: 202-449-9750www.risk-compliance-association.com
Top 10 risk and compliance management related news storiesand world events that (for better or for worse) shaped the
week's agenda, and what is nextDear Member,
If I tell you that this paper from the Basel
Committee starts with a poem, will youbelieve me?
It is true!I saw it and I immediately thoughtOh, its going to be a bad day.
In the past, I sometimes had to spend one hour per page to understandsome Basel ii / iii papers now that they need a poem to start, what isgoing to happen?
I know you ask what poem George?
Where is the wisdom we have lost in knowledge?Where is the knowledge we have lost in information?T. S. Eliot. The Rock (1934)
Now I am sure: T.S Eliot could become a risk management expert.
I always investigate every section, reference and past paper mentioned toany paper from the Basel committee (this is how I spend one hour per
page average), soI want to read all the poem, not only this part. I t may beimportant in order to understand the regulation! Otherwise, why wouldthey start with a poem?
I found the part of the poem that was written in the paper:
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
2/140
P a g e | 2
Where is the Life we have lost in living?Where is the wisdom we have lost in knowledge?Where is the knowledge we have lost in information?
Now I wonder why they ignored the first part Where is the Life we havelost in living?
Perhaps they know the answer trying to comply with Basel {1, 2, 3}
I called afriend, attorney and lobbyist in Washington DC and I asked himabout the poem well, he knew it very well, and he told me that the poemis about a life lived without religion; it is against communism andfascism, against totalitarian regimes. (My first thought: Did I mentionwhichpoem?)
Oh, perhaps I must call another friend, a university professor in Harvard,to have another opinion and to keep somewhere in the middle? No, it istoo much for a day, I will better read the poem.
The poem
The Eagle soars in the summit of H eaven,
The Hunter with his dogs pursues his circuit.
perpetual revolution of configured stars,
perpetual recurrence of determined seasons,
world of spring and autumn, birth and dying!
***
Where is the Life we have lost in living?
Where is the wisdom we have lost in knowledge?
Where is the knowledge we have lost in information?
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
3/140
P a g e | 3
***
I journeyed to London, to the timekept City,
Where the River flows, with foreign flotations.
There I was told: we have too many churches,
And too few chop-houses. There I was told:
Let the vicars retire. Men do not need the Church
In the place where they work, but where they spend theirSundays.
In the City, we need no bells:
Let them waken the suburbs.
I journeyed to the suburbs, and there I was told:
We toil for six days, on the seventh we must motor
To H indhead, or Maidenhead.
If the weather is foul we stay at home and read the papers.
In industrial districts, there I was told
Of economic laws.
In the pleasant countryside, there it seemed
That the country now is only fit for picnics.
And the Church does not seem to be wanted
In country or in suburbs; and in the town
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
4/140
P a g e | 4
Only for important weddings.
***
The world turns and the world changes,
But one thing does not change.
In all of my years, one thing does not change.
However you disguise it, this thing does not change:
The perpetual struggle of Good and Evil.
***
The desert is not remote in southern tropics,
The desert is not only around the corner,
The desert is squeezed in the tube-train next to you.
The desert is in the heart of your brother.
***
The voices of the Unemployed:
No man has hired us
With pocketed hands
And lowered faces
We stand about in open places
And shiver in unlit rooms.
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
5/140
P a g e | 5
Only the wind moves
Over empty fields, untilled
Where the plough rests, at an angle
To the furrow. In this land
There shall be one cigarette to two men,
To two women one half pint of bitter
Ale. In this land
No man has hired us.
Our life is unwelcome, our death
Unmentioned in The Times.
***
What life have you if you have not life together?
There is no life that is not in community,
And no community not lived in praise of God.
***
And now you live dispersed on ribbon roads. And
no man knows or cares who is his neighbour
Unless his neighbour makes too much disturbance,
But all dash to and fro in motor cars,
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
6/140
P a g e | 6
Familiar with the roads and settled nowhere.
Nor does the family even move about together.
But every son would have his motor cycle,
And daughters ride away on casual pillions.
***
In the land of lobelias and tennis flannels The
rabbit shall burrow and the thorn revisit, The
nettle shall flourish on the gravel court,
And the wind shall say: Here were decent godless people:
Their only monument the asphalt road
And a thousand lost golf balls.
***
When the Stranger says: What is the meaning of this city?
Do you huddle close together because you love each other?
What will you answer?We all dwell together
To make money from each other? orThis is a community?
And the Stranger will depart and return to the desert.
my soul, be prepared for the coming of the Stranger,
Be prepared for him who knows how to ask questions. weariness of men who turn from God
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
7/140
P a g e | 7
To the grandeur of your mind and the glory of your action,
To arts and inventions and daring enterprises.
To schemes of human greatness thoroughly discredited.
Binding the earth and the water to your service,
Exploiting the seas and developing the mountains,
Dividing the stars into common and preferred.
Engaged in devising the perfect refrigerator,
Engaged in working out a rational morality,
Engaged in printing as many books as possible,
Plotting of happiness and flinging empty bottles,
Turning from your vacancy to fevered enthusiasm
For nation or race or what you call humanity;
Though you forget the way to the Temple,
There is one who remembers the way to your door:
Life you may evade, but Death you shall not.
You shall not deny the Stranger.
***
But it seems that something has happened that has never happenedbefore:though we know not just when, or why, or
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
8/140
P a g e | 8
how, or where.
Men have left God not for other gods, they say, but for no god;
and this has never happened before
That men both deny gods and worship gods, professing first
Reason,
And then Money, and Power, and what they call Life, or Race,
or Dialectic.
The Church disowned, the tower overthrown, the bells up-
turned, what have we to do
But stand with empty hands and palms turned upwards
In an age which advances progressively backwards?
***
T.S. Eliot
Ok, Now I feel that I will understand the paper from the BaselCommittee.
I also found another part of the poem that is suitable to start anotherBasel iii paper:
Be prepared for him who knows how to ask questions.
Read more (about the paper, not the poem) at number 1 below.Welcome to the Top 10 list.
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
9/140
P a g e | 9
Principles for effective risk dataaggregation and risk reporting
January 2013
The financial crisis that began in 2007revealed that many banks, including globalsystemically important banks (G-SIBs), wereunable to aggregate risk exposures andidentify concentrationsfully, quickly andaccurately.
This meant that banks' ability to take risk
decisions in a timely fashion was seriouslyimpaired with wide-ranging consequences for the banks themselves and
for the stability of the financial system as a whole.
Vice Chair Janet L. YellenAt the American EconomicAssociation/ American Finance Association JointLuncheon, San Diego, California
Interconnectedness and Systemic Risk:Lessons from the Financial Crisis andPolicy Implications
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
10/140
P a g e | 10
Islamic finance industryneeds transformation
The Islamic financial services industry needs to undergo a completetransformation in order to be recognized and respected as a major globalplayer, a key conference in Bahrain heard.
ESMA and the EBA
take action tostrengthen Euriborand benchmark rate-setting processes
The European Securities and Markets Authority (ESMA) and theEuropean Banking Authority (EBA) published the resultsof their jointwork on Euribor and propose principles for benchmark rate-settingprocesses. The publications include:
Report from the Commissionto the European Parliamentand the Council
The review of theDirective 2002/87/ EC of the European Parliament and the
Council on the supplementary supervision of credit institutions,insurance undertakings and investment firms in a financialconglomerate
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
11/140
P a g e | 11
ESMA to provide technical advice
on possible delegated actsconcerning the ProspectusDirective
The European Commission sent a formal request on 20 January 2011 toESMA to provide technical advice on possible delegated acts concerningthe Prospectus Directive as amended by Directive 2010/ 73/EU (theMandate).
Regulatory Resolutionsfor 2013
Remarks by Assistant SuperintendentMark Zelmer, Office of the Superintendent of Financial InstitutionsCanada (OSFI) to the 2013 RBC Capital Markets Canadian Bank CEOConference
Fifth progress note on the GlobalLEI Initiative
This is the fifth of a series of notes onthe implementation of the legal entity identifier (LEI) initiative.
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
12/140
P a g e | 12
Corporate governance
Address by Mr Yandraduth Googoolye, First DeputyGovernor of the Bank of Mauritius, at theworkshop on Corporate governance, organised bythe Mauritius Institute of Directors, Port-Louis
'Standard Quantum Limit'Smashed, Could Mean BetterFiber-Optic Comms
From NIST Tech Beat
Communicating with light maysoon get a lot easier, hints recentresearch from the NationalInstitute of Standards andTechnology (NIST) and the
University of Maryland's JointQuantum Institute (JQI), wherescientists have potentially found away to overcome a longstandingbarrier to cleaner signals.
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
13/140
P a g e | 13
Principles for effective risk dataaggregation and risk reporting
January 2013
The financial crisis that began in 2007revealed that many banks, including globalsystemically important banks (G-SIBs), wereunable to aggregate risk exposures andidentify concentrationsfully, quickly andaccurately.
This meant that banks' ability to take risk
decisions in a timely fashion was seriouslyimpaired with wide-ranging consequences for the banks themselves and
for the stability of the financial system as a whole.
The Basel Committee's Principles for effective risk data aggregation willstrengthen banks' risk data aggregation capabilities and internal riskreporting practices.
Implementation of the principles will strengthen risk management atbanks - in particular, G-SIBs - thereby enhancing their ability to copewith stress and crisis situations.
An earlier version of the principles published today was issued forconsultation in June 2012.
The Committee wishes to thank those who provided feedback andcomments as these were instrumental in revising and finalising theprinciples.
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
14/140
P a g e | 14
Principles for effective risk data aggregation and risk reporting
Where is the wisdom we have lost in knowledge?Where is the knowledge we have lost in information?T. S. Eliot. The Rock (1934)
Introduction
1.One of the most significant lessons learned from the global financialcrisis that began in 2007 was that banksinformation technology (IT ) anddata architectures were inadequate to support the broad management offinancial risks.
Many banks lacked the ability to aggregate risk exposures and identifyconcentrations quickly and accurately at the bank group level, acrossbusiness lines and between legal entities.
Some banks were unable to manage their risks properly because of weakrisk data aggregation capabilities and risk reporting practices.
This hadsevere consequencesto the banks themselves and to thestability of the financial system as a whole.
2.In response, the Basel Committee issued supplemental Pillar 2
(supervisory review process) guidance to enhance banksability toidentify and manage bank-wide risks.
In particular, the Committee emphasised that a sound risk managementsystem should have appropriate management information systems (M IS)at the business and bank-wide level.
The Basel Committee also included references to data aggregation as partof its guidance on corporate governance.
3.Improving banksability to aggregate risk data will improve theirresolvability.
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
15/140
P a g e | 15
Forglobal systemically important banks (G-SIBs) in particular, it isessential that resolution authorities have access to aggregate risk data thatcomplies with the FSBs Key Attributes of Effective Resolution Regimesfor Financial I nstitutions as well as the principles set out below.
For recovery, a robust data framework will help banks and supervisorsanticipate problems ahead.
It will alsoimprove the prospects of finding alternative optionsto restorefinancial strength and viability when the firm comes under severe stress.
For example, it could improve the prospects of finding a suitable mergerpartner.
4.Many in the banking industry recognise the benefits of improving theirrisk data aggregation capabilities and are working towards this goal.
They see the improvements in terms of strengthening the capability andthe status of the risk function to make judgements.
This leads to gains in efficiency, reduced probability of losses andenhanced strategic decision-making, and ultimately increasedprofitability.
5.Supervisors observe that making improvements in risk data aggregationcapabilities and risk reporting practicesremains a challenge for banks,and supervisors would like to see more progress, in particular, at G-SIBs.
Moreover, as the memories of the crisis fade over time, there is a dangerthat the enhancement of banks capabilities in these areas may receive aslower-track treatment.
This is because IT systems, data and reporting processes requiresignificant investmentsof financial and human resources with benefitsthat may only be realised over the long-term.
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
16/140
P a g e | 16
6. The Financial Stability Board (FSB) has several international initiativesunderway to ensure continued progressis made in strengthening firmsrisk data aggregation capabilities and risk reporting practices, which isessential to support financial stability.
These include:
The development of the Principles for effective risk data aggregationand risk reporting included in this report.
This work stems from a recommendation in the FSBs Progress report onimplementing the recommendations on enhanced supervision, issued on4 November 2011:
The FSB, in collaboration with the standard setters, will develop a set ofsupervisory expectations to move firms, particularly SIFIs, dataaggregation capabilitiesto a level where supervisors, firms, and otherusers (eg resolution authorities) of the data are confident that the MISreports accurately capture the risks.
A timeline should be set for all SIFIs to meet supervisory expectations;the deadline for G-SIBs to meet these expectations should be thebeginning of 2016, which is the date when the added loss absorbencyrequirement begins to be phased in for G-SIBs.
The development of a new common data template for global systemicallyimportant financial institutions (G-SIFIs) in order to address keyinformation gaps identified during the crisis, such as bi-lateral exposuresand exposures to countries/sectors/ instruments.
This should provide the authorities with a stronger framework forassessing potential systemic risks.
A public-private sector initiative to develop a Legal Entity Identifier(LEI) system.
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
17/140
P a g e | 17
The LEI system will identify unique parties to financial transactionsacross the globe and is designed to be a key building block forimprovements in the quality of financial data across the globe.
7.There are also other initiatives and requirements relating to data thatwill have to be implemented in the following years.
The Committee considers that upgraded risk data aggregation and riskreporting practices will allow banks to comply effectively with thoseinitiatives.
Definition
8. For the purpose of this paper, the term risk data aggregationmeans
d efinin g, gatherin g an d p rocess in g risk d ata accordin g to theban ks risk reporting requirementsto enable the bank to measure itsperformanceagainst its risk tolerance/ appetite.
This includes sorting, merging or breaking down sets of data.
Objectives
9.This paper presents a set of principles to strengthen banksrisk dataaggregation capabilities and internal risk reporting practices (thePrinciples).
In turn, effective implementation of the Principles is expected to enhancerisk management and decision-making processes at banks.
10.The adoption of these Principles will enable fundamentalimprovements to the management of banks.
The Principles are expected to support a banks efforts to:
Enhance the infrastructure for reporting key information, particularlythat used by the board and senior management to identify, monitor andmanage risks;
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
18/140
P a g e | 18
Improve the decision-making process throughout the bankingorganisation;
Enhance the management of information across legal entities, whilefacilitating a comprehensive assessment of risk exposures at the globalconsolidated level;
Reduce the probability and severity of losses resulting from riskmanagement weaknesses;
Improve the speed at which information is available and hencedecisions can be made; and
Improve the organisationsquality of strategic planning and the ability
to manage the risk ofnew products and services.
11.Strong risk management capabilities are an integral part of thefranchise value of a bank.
Effective implementation of the Principles should increase the value ofthe bank.
The Committee believes that the long-termbenefits of improved risk dataaggregation capabilities and risk reporting practices will outweigh theinvestment costs incurred by banks.
12.For bank supervisors, these Principles will complement other efforts toimprove the intensity and effectiveness of bank supervision.
For resolution authorities, improved risk data aggregation should enablesmoother bank resolution, thereby reducing the potential recourse totaxpayers.
Scope and initial considerations
13.These Principles are initially addressed to SIBs and apply at both thebanking group and on a solo basis.
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
19/140
P a g e | 19
Common and clearly stated supervisory expectations regarding risk dataaggregation and risk reporting are necessary for these institutions.
National supervisors may nevertheless choose to apply the Principles to awider range of banks, in a way that is proportionateto the size, nature andcomplexity of these banksoperations.
14. Banks identified as G-SIBs by the FSB in November 2011 orNovember 2012 must meet these Principles by January 2016;
G-SIBs designated in subsequent annual updateswill need to meet thePrinciples within three years of their designation.
G-SIBs subject to the 2016 timeline are expected to start making progress
towards effectively implementing the Principles from early 2013.
National supervisors and the Basel Committee will monitor and assessthis progress in accordance with section V of this document.
15. I t is strongly suggested that national supervisors also apply thesePrinciples to banks identified as D-SIBs by their national supervisorsthree years after their designation as D-SIBs.
16.The Principles and supervisory expectations contained in this paper
apply to a banksrisk management data.
This includes data that iscritical to enabling the bank to manage the risksit faces.
Risk data and reports should provide management with the ability tomonitor and track risks relative to the banks risk tolerance/appetite.
17.These Principles alsoapply to all key internal risk management
models, including but not limited to, Pillar 1 regulatory capital models (eginternal ratings-based approaches for credit risk and advancedmeasurement approaches for operational risk), Pillar 2 capital models andother key risk management models (eg value-at-risk).
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
20/140
P a g e | 20
18.The Principles apply to a banksgroup risk management processes.
However, banks may also benefit from applying the Principles to other
processes,such as financial and operational processes, as well assupervisory reporting.
19.All the Principles included in this paper are also applicable toprocesses that have been outsourced to third parties.
20.The Principles coverfour closely related topics:
Overarching governance and infrastructure
Risk data aggregation capabilities
Risk reporting practices
Supervisory review, tools and cooperation
21.Risk data aggregation capabilities and risk reporting practices areconsidered separately in this paper, but they are clearly inter-linked andcannot exist in isolation.
High quality risk management reports rely on the existence of strong risk
data aggregation capabilities, and sound infrastructure and governanceensures the information flow from one to the other.
22.Banks should meet all risk data aggregation and risk reportingprinciples simultaneously.
However, trade-offs among Principles could be accepted in exceptionalcircumstances such as urgent/ ad hoc requests of information on new orunknown areas of risk.
There should be no trade-offs that materially impact risk managementdecisions.
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
21/140
P a g e | 21
Decision-makers at banks, in particular the board and seniormanagement, should be aware of these trade-offsand the limitations orshortcomings associated with them.
Supervisors expect banks to have policies and processes in placeregarding the application of trade-offs.
Banks should be able to explain the impact of these trade-offs on theirdecision- making process through qualitative reports and, to the extentpossible, quantitative measures.
23.The concept ofmaterialityused in this paper means that data andreports can exceptionally exclude information only ifit does not affect thedecision-making process in a bank (ie decision-makers, in particular the
board and senior management, would have been influenced by theomitted information or made a different judgment if the correctinformation had been known).
In applying the materiality concept, banks will take into accountconsiderations that go beyond the number or size of the exposures notincluded, such as the type of risks involved, or the evolving and dynamicnature of the banking business.
Banks should also take into account the potential future impact of the
information excluded on the decision-making process at theirinstitutions.
Supervisors expect banks to be able to explain the omissionsofinformation as a result of applying the materiality concept.
24.Banks should develop forward looking reporting capabilities toprovide early warningsof any potential breaches of risk limits that mayexceed the banks risk tolerance/ appetite.
These risk reporting capabilities should also allow banks to conduct aflexible and effective stress testing which is capable of providingforward-looking risk assessments.
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
22/140
P a g e | 22
Supervisors expect risk management reports to enable banks to anticipateproblems and provide a forward looking assessment of risk.
25. Expert judgment may occasionally be applied to incomplete data tofacilitate the aggregation process, as well as the interpretation of resultswithin the risk reporting process.
Reliance on expert judgment in place of complete and accurate datashould occur only on an exception basis, and should not materiallyimpact the banks compliancewith the Principles.
When expert judgment is applied, supervisors expect that the process beclearly documented and transparent so as to allow for an independentreview of the process followed and the criteria used in the
decision-making process.
I. Overarching governance and infrastructure
26. A bank should have in place a strong governance framework, risk dataarchitecture and I T infrastructure.
These are preconditions to ensure compliance with the other Principlesincluded in this document.
In particular, a banks board should oversee senior managementsownership of implementing all the risk data aggregation and riskreporting principles and the strategy to meet them within a timeframeagreed with their supervisors.
Principle 1
Governance A banks risk data aggregation capabilities and riskreporting practices should be subject to strong governance arrangements
consistent with other principles and guidance established by the BaselCommittee.
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
23/140
P a g e | 23
27.A banksboard and senior management should promote theidentification, assessment and management ofdata quality risksas partof its overall risk management framework.
The framework should includeagreed service level standardsfor bothoutsourced and in-house risk data-related processes, and a firms policieson data confidentiality, integrity and availability, as well as riskmanagement policies.
28.A banks board and senior management should review and approve thebanks group risk data aggregation and risk reporting framework andensure that adequate resources are deployed.
29.A banks risk data aggregation capabilities and risk reporting
practices should be:
(a)Fully documented and subject to high standards of validation.
This validation should be independent and rev iew th e b an ks compliance with the Principles in this document.
The primary purpose of the independent validation is to ensure that abank's risk data aggregation and reporting processes are functioning asintended and are appropriate for the bank's risk profile.
Independent validation activities should be aligned and integrated withthe other independent review activities within the bank's riskmanagement program, and encompass all components of the bank's riskdata aggregation and reporting processes.
Common practices suggest that the independent validation of risk dataaggregation and risk reporting practices should be conducted using staffwith specific IT, data and reporting expertise.
(b)Considered aspart of any new initiatives, including acquisitions and/ ordivestitures, new product development, as well as broader process and ITchange initiatives.
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
24/140
P a g e | 24
When considering a material acquisition, a banks due diligence processshould assess the risk data aggregation capabilities and risk reportingpractices of the acquired entity, as well as the impact on its own risk dataaggregation capabilities and risk reporting practices.
The impact on risk data aggregation should be considered explicitly bythe board and inform the decision to proceed.
The bank should establish a timeframe to integrate and align theacquired risk data aggregation capabilities and risk reporting practiceswithin its own framework.
(c) Unaffected by the banks group structure.
The group structure should not hinder risk data aggregation capabilitiesat a consolidated level or at any relevant level within the organisation (egsub-consolidated level, jurisdiction of operation level).
In particular, risk data aggregation capabilities should be independentfrom the choices a bank makes regarding its legal organisation andgeographical presence.
30. A banks senior management should be fully aware of and understandthe limitationsthat prevent full risk data aggregation, in terms of coverage
(eg risks not captured or subsidiaries not included), in technical terms (egmodel performance indicators or degree of reliance on manual processes)or in legal terms (legal impediments to data sharing across jurisdictions).
Senior management should ensure that the banks IT strategy includesways to improve risk data aggregation capabilities and risk reportingpractices and toremedy any shortcomingsagainst the Principles set forthin this document taking into account the evolving needs of the business.
Senior management should also identify data critical to risk dataaggregation and IT infrastructure initiatives through its strategic ITplanning process, and support these initiatives through the allocation ofappropriate levels of financial and human resources.
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
25/140
P a g e | 25
31.A banksboard is responsible for determining its own risk reportingrequirements and should be aware of limitations that prevent full risk dataaggregation in the reports it receives.
The board should also be aware of the banks implementation of, andongoing compliance with the Principles set out in this document.
Principle 2
Data architecture and IT infrastructureA bank should design, build andmaintain data architecture and IT infrastructure which fully supports itsrisk data aggregation capabilities and risk reporting practices not only innormal times but also during times of stress or crisis, while still meetingthe other Principles.
32.Risk data aggregation capabilities and risk reporting practices shouldbe given direct consideration as part of a banks business continuityplanning processes and be subject to a business impact analysis.
33.A bank should establish integrated data taxonomies and architectureacross the banking group, which includes information on thecharacteristics of the data (metadata), as well as use of single identifiersand/ or unified naming conventions for data including legal entities,counterparties, customers and accounts.
34.Roles and responsibilities should be established as they relate to theownership and quality of risk data and information for both the businessand IT functions.
The owners (business and IT functions), in partnership with riskmanagers, should ensure there are adequate controls throughout thelifecycle of the data and for all aspects of the technology infrastructure.
The role of the business ownerincludes ensuring data is correctly enteredby the relevant front office unit, kept current and aligned with the datadefinitions, and also ensuring that risk data aggregation capabilities andrisk reporting practices are consistent with firmspolicies.
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
26/140
P a g e | 26
I I . Risk data aggregation capabilities
35.Banks should develop and maintain strong risk data aggregationcapabilities to ensure that risk management reports reflect the risks in a
reliable way (ie meeting data aggregation expectations is necessary tomeet reporting expectations).
Compliance with these Principles should not be at the expense of eachother.
These risk data aggregation capabilities should meet all Principles belowsimultaneously in accordance with paragraph 22 of this document.
Principle 3
Accuracy and IntegrityA bank should be able to generate accurate andreliable risk data to meet normal and stress/ crisis reporting accuracyrequirements.
Data should be aggregated on a largely automated basis so as tominimise the probability of errors.
36.A bank should aggregate risk data in a way that is accurate and
reliable.
(a)Controlssurrounding risk data should be as robust as those applicableto accounting data.
(b)Where a bank relies on manual processes and desktop applications(egspreadsheets, databases) and has specific risk units that use theseapplications for software development, it should have effective mitigantsin place (eg end-user computing policies and procedures) and othereffective controls that are consistently applied across the banks
processes.
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
27/140
P a g e | 27
(c)Risk data should be reconciled with banks sources, includingaccounting data where appropriate, to ensure that the risk data isaccurate.
(d)A bank should strive towards a single authoritative source for risk dataper each type of risk.
(e)A banksrisk personnel should have sufficient accessto risk data toensure they can appropriately aggregate, validate and reconcile the datato risk reports.
37.As a precondition, a bank should have a dictionary of the conceptsused, such that data is defined consistently across an organisation.
38.There should be an appropriate balance between automated andmanual systems.
Where professional judgements are required, human intervention may beappropriate.
For many other processes, a higher degree of automation is desirable toreduce the risk of errors.
39.Supervisors expect banks to document and explain all of their risk data
aggregation processes whether automated or manual (judgement based orotherwise).
Documentation should include an explanationof the appropriateness ofany manual workarounds, a description of their criticality to the accuracyof risk data aggregation and proposed actions to reduce the impact.
40.Supervisors expect banks to measure and monitor the accuracy of dataand to develop appropriate escalation channels and action plans to be in
place to rectify poor data quality.
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
28/140
P a g e | 28
Principle 4
Completeness A bank should be able to capture and aggregate allmaterial risk data across the banking group.
Data should be available by business line, legal entity, asset type,industry, region and other groupings, as relevant for the risk in question,that permit identifying and reporting risk exposures, concentrations andemerging risks.
41.A banks risk data aggregation capabilities should include all materialrisk exposures, including those that are off-balance sheet.
42.A banking organisation is not required to express all forms of risk in a
common metric or basis, but risk data aggregation capabilities should bethe same regardless of the choice of risk aggregation systemsimplemented.
However, each system should make clear the specific approach used toaggregate exposuresfor any given risk measure, in order to allow theboard and senior management to assess the results properly.
43.Supervisors expect banks to produce aggregated risk data that iscomplete and to measure and monitor the completeness of their risk data.
Where risk data is not entirely complete, the impact should not be criticalto the banks ability to manage its risks effectively.
Supervisors expect banksdata to be materially complete, with anyexceptions identified and explained.
Principle 5
Timeliness A bank should be able to generate aggregate and up-to-daterisk data in a timely manner while also meeting the principles relating toaccuracy and integrity, completeness and adaptability.
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
29/140
P a g e | 29
The precise timing will depend upon the nature and potential volatility ofthe risk being measured as well as its criticality to the overall risk profileof the bank.
The precise timing will also depend on the bank-specific frequencyrequirements for risk management reporting, under both normal andstress/crisis situations, set based on the characteristics and overall riskprofile of the bank.
44.A banks risk data aggregation capabilities should ensure that it is ableto produce aggregate risk information on a timely basis to meet all riskmanagement reporting requirements.
45.The Basel Committee acknowledges that different types of data will
be required at different speeds, depending on the type of risk, and thatcertain risk data may be needed faster in a stress/ crisis situation.
Banks need to build their risk systems to be capable of producingaggregated risk data rapidly during times of stress/ crisis for all criticalrisks.
46.Critical risks includebut are not limited to:
(a)The aggregated credit exposure to alarge corporate borrower.
By comparison, groups of retail exposures may not change as critically ina short period of time but may still include significant concentrations;
(b) Counterparty credit risk exposures, including, for example,derivatives;
(c)Trading exposures, positions, operating limits, and marketconcentrations by sector and region data;
(d)Liquidity risk indicators such as cash flows/ settlements and funding;and
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
30/140
P a g e | 30
(e) Operational risk indicators that are time-critical (eg systemsavailability, unauthorised access).
47.Supervisors will review that the bank specific frequency requirements,for both normal and stress/crisis situations, generate aggregate andup-to-date risk data in a timely manner.
Principle 6
AdaptabilityA bank should be able to generate aggregate risk data tomeet a broad range of on-demand, ad hoc risk management reportingrequests, including requests during stress/crisis situations, requests dueto changing internal needs and requests to meet supervisory queries.
48.A banks risk data aggregation capabilities should be flexible andadaptable to meet ad hoc data requests, as needed, and to assessemerging risks.
Adaptability will enable banks to conduct better risk management,including forecasting information, as well as to support stress testing andscenario analyses.
49. Adaptability includes:
(a)Data aggregation processes that are flexibleand enable risk data to beaggregated for assessment and quick decision-making;
(b)Capabilities fordata customisation tousersneeds (eg dashboards, keytakeaways, anomalies), to drill down as needed, and to produce quicksummary reports;
(c)Capabilities to incorporate new developmentson the organisation ofthe business and/ or external factors that influence the banks risk profile;
and
(d) Capabilities to incorporate changesin the regulatory framework.
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
31/140
P a g e | 31
50. Supervisors expect banks to be able to generate subsets of data basedon requested scenarios or resulting from economic events.
For example, a bank should be able to aggregate risk data quickly oncountry credit exposures as of a specified date based on a list of countries,as well as industry credit exposures as of a specified date based on a list ofindustry types across all business lines and geographic areas.
I I I. Risk reporting practices
51.Accurate, complete and timely data is a foundation for effective riskmanagement.
However, data alone does not guarantee that the board and senior
management will receive appropriate information to make effectivedecisions about risk.
To manage risk effectively, the right information needsto be presentedtothe right people at the right time.
Risk reports based on risk data should be accurate, clear and complete.
They should contain the correct content and be presented to the
appropriate decision-makers in a time that allows for an appropriateresponse.
To effectively achieve their objectives, risk reports should comply withthe following principles. Compliance with these principles should not beat the expense of each other in accordance with paragraph 22 of thisdocument.
Principle 7
Accuracy - Risk management reports should accurately and preciselyconvey aggregated risk data and reflect risk in an exact manner. Reportsshould be reconciled and validated.
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
32/140
P a g e | 32
52.Risk management reports should be accurate and precise to ensure abanks board and senior management can rely with confidence on theaggregated information to make critical decisions about risk.
53.To ensure the accuracy of the reports, a bank should maintain, at aminimum, the following:
(a)Defined requirements and processes to reconcile reports to risk data;
(b)Automated and manual edit and reasonableness checks, including aninventory of the validation rules that are applied to quantitativeinformation.
The inventory should include explanations of the conventions used to
describe any mathematical or logical relationships that should be verifiedthrough these validations or checks; and
(c)Integrated procedures foridentifying, reporting and explaining dataerrors or weaknesses in data integrity via exceptions reports.
54.Approximationsare an integral part of risk reporting and riskmanagement.
Results from models, scenario analyses, and stress testingare examples of
approximations that provide critical information for managing risk.
While theexpectations for approximations may be different than for othertypes of risk reporting, banks should follow the reporting principles in thisdocument and establish expectations for the reliability of approximations(accuracy, timeliness, etc) to ensure that management can rely withconfidence on the information to make critical decisions about risk.
This includes principles regarding data used to drive theseapproximations.
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
33/140
P a g e | 33
55.Supervisors expect that a banks senior management should establishaccuracy and precision requirements forboth regular and stress/ crisisreporting, including critical position and exposure information.
These requirements should reflect the criticality of decisions that will bebased on this information.
56.Supervisors expect banks to consider accuracy requirementsanalogous to accounting materiality.
For example, if omission or misstatement could influence the riskdecisions of users, this may be considered material.
A bank should be able to support the rationale for accuracy requirements.
Supervisors expect a bank to consider precision requirements based onvalidation, testing or reconciliation processes and results.
Principle 8
Comprehensiveness - Risk management reports should cover all materialrisk areas within the organisation.
The depth and scope of these reports should be consistent with the sizeand complexity of the banks operations and risk profile, as well as therequirements of the recipients.
57.Risk management reports should include exposure and positioninformation for all significant risk areas (eg credit risk, market risk,liquidity risk, operational risk) and all significant components of thoserisk areas (eg single name, country and industry sector for credit risk).
Risk management reports should also coverrisk-related measures(eg
regulatory and economic capital).
58.Reports should identify emerging risk concentrations, provideinformation in the context of limits and risk appetite/ tolerance andpropose recommendations for action where appropriate.
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
34/140
P a g e | 34
Risk reports should include the current status of measures agreed by theboard or senior management to reduce risk or deal with specific risksituations.
This includes providing the ability to monitor emerging trends throughforward-looking forecasts and stress tests.
59.Supervisors expect banks to determine risk reporting requirementsthat best suit their own business models and risk profiles.
Supervisors will need to be satisfied with the choices a bank makes interms of risk coverage, analysis and interpretation, scalability andcomparability across group institutions.
For example, an aggregated risk report should include, but not be limitedto, the following information: capital adequacy, regulatory capital, capitaland liquidity ratio projections, credit risk, market risk, operational risk,liquidity risk, stress testing results, inter- and intra-risk concentrations,and funding positions and plans.
60.Supervisors expect that risk management reports to the board andsenior management provide a forward-looking assessment of risk andshould not just rely on current and past data.
The reports should contain forecasts or scenarios for key market variablesand the effects on the bank so as to inform the board and seniormanagement of the likely trajectory of the banks capital and risk profilein the future.
Principle 9
Clarity and usefulness - Risk management reports should communicateinformation in a clear and concise manner.
Reports should be easy to understand yet comprehensive enough tofacilitate informed decision-making.
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
35/140
P a g e | 35
Reports should include meaningful information tailored to the needs ofthe recipients.
61.A banks risk reports should contribute to sound risk management anddecision-making by their relevant recipients, including, in particular, theboard and senior management.
Risk reports should ensure that information is meaningful and tailored tothe needs of the recipients.
62.Reports should include an appropriate balance between risk data,analysis and interpretation, and qualitative explanations.
The balance ofqualitative versus quantitative information will vary at
different levels within the organisation and will also depend on the level ofaggregation that is applied to the reports.
Higher up in the organisation, more aggregation is expected andtherefore a greater degree of qualitative interpretation will be necessary.
63.Reporting policies and procedures should recognise the differinginformation needs of the board, senior management, and the other levelsof the organisation (for example risk committees).
64.As one of the key recipients of risk management reports, the banksboard is responsible for determining its own risk reporting requirementsand complying with its obligations to shareholders and other relevantstakeholders.
The board should ensure that it is asking for and receiving relevantinformation that will allow it to fulfil its governance mandate relating tothe bank and the risks to which it is exposed.
This will allow the board to ensure it is operating within its risktolerance/appetite.
65.The board should alert senior management when risk reports do notmeet its requirements and do not provide the right level and type of
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
36/140
P a g e | 36
information to set and monitor adherence to the banks risktolerance/appetite.
The board should indicate whether it is receiving the right balance ofdetail and quantitative versus qualitative information.
66.Senior management is also a key recipient of risk reports and it isresponsible for determining its own risk reporting requirements.
Senior management should ensure that it is receiving relevantinformation that will allow it to fulfil its management mandate relative tothe bank and the risks to which it is exposed.
67.A bank should develop an inventory and classification of risk data
itemswhich includes a reference to the concepts used to elaborate thereports.
68. Supervisorsexpect that reports will be clear and useful.
Reports should reflect an appropriate balance between detailed data,qualitative discussion, explanation and recommended conclusions.
Interpretation and explanations of the data, including observed trends,should be clear.
69.Supervisors expect a bank to confirm periodically with recipients thatthe information aggregated and reported is relevant and appropriate, interms of both amount and quality, to the governance anddecision-making process.
Principle 10
Frequency The board and senior management (or other recipients as
appropriate) should set the frequency of risk management reportproduction and distribution.
Frequency requirements should reflect the needs of the recipients, thenature of the risk reported, and the speed, at which the risk can change, as
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/ -
7/28/2019 Risk Management Presentation January 21 2013
37/140
P a g e | 37
well as the importance of reports in contributing to sound riskmanagement and effective and efficient decision-making across the bank.
The frequency of reports should be increased during times ofstress/crisis.
70.The frequency of risk reports will vary according to the type of risk,purpose and recipients.
A bank should assess periodically the purpose of each report and setrequirements for how quickly the reports need to be produced in bothnormal and stress/crisis situations.
A bank should routinely test its ability to produce accurate reports within
established timeframes, particularly in stress/crisis situations.
71.Supervisors expect that in times of stress/ crisisall relevant and criticalcredit, market and liquidity position/ exposure reports are available withina very short period of time to react effectively to evolving risks. Someposition/ exposure information may be needed immediately (intraday) toallow for timely and effective reactions.
Principle 11
Distribution - Risk management reports should be distributed to therelevant parties while ensuring confidentiality is maintained.
72.Procedures should be in place to allow for rapid collection and analysisof risk data and timely dissemination of reports to all appropriaterecipients.
This should be balanced with the need to ensure confidentiality asappropriate.
73.Supervisors expect a bank to confirm periodically that the relevantrecipients receive timely reports.
International Association of Risk and Compliance Professionals (IARCP)www.risk-compliance-association.com
http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compliance-association.com/http://www.risk-compli