Book 1. Foundations of Risk Management
FRM Part 1
FRM 7. Principles for Effective Data Aggregation and Risk Reporting

Presented by: Sudhanshu
Module 1. Data Quality, Governance, and Infrastructure
Module 2. Risk Data Aggregation and Reporting Capabilities
Module 1. Data Quality, Governance, and Infrastructure
Topic 1. Benefits of Effective Risk Data Aggregation and Reporting
Topic 2. Challenges for Strong Risk Data Aggregation and Reporting
Topic 3. Key Governance Principles Related to Risk Data Aggregation and Reporting
Topic 4. Principle 1 - Governance
Topic 5. Principle 2 - Data Architecture and Infrastructure
Topic 1. Benefits of Effective Risk Data Aggregation and Reporting
- Risk Data Aggregation definition as per BCBS: “Defining, gathering and processing risk data according to the bank’s risk reporting requirements to enable the bank to measure its performance against its risk tolerance/appetite.”
- Increased Ability to Anticipate Problems: Aggregated data provides a holistic view of risks, making it easier for risk managers to foresee issues.
- Enhanced Ability to Return to Financial Health During Stress: Effective data aggregation helps banks identify ways to recover financial viability during crises, such as finding suitable merger partners.
- Improved Resolvability in Stress or Failure: Regulatory authorities benefit from access to aggregated risk data, especially for global systemically important banks (G-SIBs), to resolve issues related to bank health and viability.
- Strengthened Risk Function: This leads to better strategic decisions, increased efficiency, reduced losses, and ultimately, increased profitability.
Practice Questions: Q1
Q1. A bank should include information on data characteristics (metadata) and naming conventions for legal entities, counterparties, customers, and account data in aggregated risk data. This is suggested by the Basel Committee on Banking Supervision in the principle related to:
A. accuracy.
B. completeness.
C. clarity and usefulness.
D. data architecture and infrastructure.
Practice Questions: Q1 Answer
Explanation: C is correct.
There are several benefits that accrue to banks that have effective risk data aggregation and reporting systems in place. These benefits include an increased ability to anticipate problems. Also, in times of severe financial stress, effective risk data aggregation enhances a bank’s ability to identify alternative routes to restore financial health. Regulatory authorities should have access to aggregated risk data to resolve issues related to bank health and viability. This aids regulators in resolving problems in the event of financial stress.
By strengthening a bank’s risk function, the bank is better able to make strategic decisions, increase efficiency, reduce the probability of loss and ultimately increase profitability. In this case, the bank appears to be in financial stress, so the most relevant benefit is improved resolvability.
Topic 2. Challenges for Strong Risk Data Aggregation and Reporting
- Model Reliance on Data: Financial institutions heavily use models, and even small errors in the model development process can have serious consequences, especially due to input risk.
- Model risk: input risk, estimation risk, valuation risk, hedging risk
- Historical Disjointed Data Collection: Historically, bank data collection was fragmented, leading to duplication, neglect, and destruction of data due to incompatible systems.
- Inadequate Data Quality: A special subcommittee of the Basel Committee on Banking Supervision (BCBS) found data quality insufficient for aggregating and reporting risk exposures across business lines.
- BCBS 239 Principles: In response, the committee published 14 principles (BCBS 239) to overhaul data aggregation and reporting, aiming to better measure performance against risk tolerances. These principles are relevant for managing model risks, leading to more chief data officers in banks.
- Model developers must ensure that the data aligns with the underlying theory and methodologies, and that models undergo thorough vetting and validation. The Federal Reserve supports effective model risk management practices in banks.
- Standardization: Standards must be consistent across departments.
Topic 3. Key Governance Principles and Characteristics of IT & Data Infrastructure
- Global Financial Crisis: During the 2007 financial crisis, many banks struggled to identify risk concentrations due to an inability to effectively aggregate and report bank-wide risks.
- Pillar 2 Guidance: The Basel Committee issued supplemental Pillar 2 guidance to improve banks' capabilities in recognizing and managing bank-wide risks.
- Senior Management and Board Involvement: Senior management and the board of directors must identify and remedy issues preventing effective Risk Data Aggregation and Risk Reporting (RDARR).
Practice Questions: Q2
Q2. Donna Grinstead is the risk management officer at Republic Bank. She is establishing governance principles for effective risk data aggregation. The bank has historically been lenient with respect to risk management processes, and Grinstead has been hired to remedy the situation. Which of the following statements regarding governance principles is false?
A. The overall risk management framework of the bank should include risk data aggregation.
B. Human and financial resources should be devoted to risk data aggregation, and thus senior management should approve the framework.
C. A bank should have multiple sources for risk data for each type of risk to improve reliability.
D. Risk data aggregation should be considered when the firm undergoes new initiatives, including acquisitions and divestitures.
Practice Questions: Q2 Answer
Explanation: C is correct.
Governance principles for risk data aggregation relate to overall bank processes and the roles of senior management and the board in supporting risk data aggregation and reporting. Data sources relate to the accuracy and integrity of the data, not governance. In addition, the bank should strive to have a single source for risk data, not multiple sources.
Topic 4. Principle 1 - Governance
- As per BCBS, "a bank's risk data aggregation capabilities and risk reporting practices should be subject to strong governance arrangements consistent with the other principles and guidance established by the Basel Committee".
- Integration and Approval: Risk data aggregation should be part of the bank's overall risk management framework, and senior management must approve it.
- Key Requirements:
- Fully documented processes.
- Independent review and validation by IT, data, and risk reporting experts.
- Consideration during new initiatives (e.g., product development, acquisitions, divestitures), including assessing and integrating capabilities of target firms.
- Independence from bank structure (physical location, geographical presence, legal organization).
- Senior management should prioritize risk data aggregation and reporting by allocating financial and human resources, integrating these processes into strategic IT planning, and ensuring their smooth implementation.
- The board of directors should oversee the bank's compliance with Basel Committee governance principles and ensure RDARR is reviewed following mergers and acquisitions.
Topic 5. Principle 2 - Data Architecture and Infrastructure
- As per BCBS, "a bank should design, build and maintain data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis, while still meeting the other Principles".
- Resource Allocation: Requires commitment of financial and human resources to RDARR, both in normal and stressed periods.
- Key Requirements:
- Part of bank planning processes and subject to business impact analysis.
- Integrated data classifications and architecture across the banking group, with robust automated reconciliation if multiple data models are used.
- Define clear accountability, roles, and responsibilities for data, ensuring proper controls throughout its lifecycle, with risk managers, business managers, and IT ensuring data accuracy, relevance, alignment with taxonomies, and consistency with bank policies.
- The main data models (also called schemas) are as follows:
- Semantic data models: structure data in a logical order and include semantic information.
- Conceptual data models: most abstract, map the concepts and relationships used in databases.
- Logical data models: describe data in as much detail as possible.
- Physical data models: define the components required to build a database, such as the logical database components.
Practice Questions: Q3
Q3. A bank should include information on data characteristics (metadata) and naming conventions for legal entities, counterparties, customers, and account data in aggregated risk data. This is suggested by the Basel Committee on Banking Supervision in the principle related to:
A. accuracy.
B. completeness.
C. clarity and usefulness.
D. data architecture and infrastructure.
Practice Questions: Q3 Answer
Explanation: D is correct.
Principle 2, data architecture and infrastructure, requires that risk data aggregation and reporting practices should be a part of the bank’s planning processes and subject to business impact analysis. Banks should establish integrated data classifications and architecture across the banking group.
Multiple data models may be used as long as there are robust automated reconciliation measures in place. In addition, data architecture should include information on data characteristics (metadata) and naming conventions for legal entities, counterparties, customers, and account data.
Module 2. Risk Data Aggregation and Reporting Capabilities
Topic 1. Principle 3 - Accuracy and Integrity
Topic 2. Principle 4 - Completeness
Topic 3. Principle 5 - Timeliness
Topic 4. Principle 6 - Adaptability
Topic 5. Effective Risk Management
Topic 6. Principle 7 - Accuracy
Topic 7. Principle 8 - Comprehensiveness
Topic 8. Principle 9 - Clarity and Usefulness
Topic 9. Principle 10 - Frequency
Topic 10. Principle 11 - Distribution
Topic 1. Principle 3 - Accuracy and Integrity
- As per BCBS, "a bank should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis so as to minimize the probability of errors".
- Key Requirements:
- Accurate and reliable data aggregation and reporting.
- Robust controls for risk data, similar to accounting data.
- Effective controls for manual processes and desktop applications (spreadsheets, databases).
- Reconciliation with other bank data, including accounting data.
- Striving for a single authoritative source for each specific type of risk data.
- Risk personnel access to data for aggregation, validation, reconciliation, and reporting.
- The production of aggregate risk information should be timely.
- Data should be defined consistently across the bank.
- Balance between manual and automated risk management systems.
- Banks must document both manual and automated risk data aggregation systems, explaining the necessity of any manual workarounds for data accuracy and proposing actions to minimize their impact.
- Banks must monitor the accuracy of risk data and establish plans to correct poor data quality.
Practice Questions: Q4
Q4. Emily Lister, a risk management specialist at American Bank and Trust, has been asked, as part of Principle 3 on the accuracy and integrity of aggregated risk data, to provide a report to bank supervisors on why a bank employee decided to forgo the automated processes put in place by the risk management team and write data entries by hand. Lister believes it was necessary after discussing the action with the employee. In her report, she details why it was necessary for the employee to forgo automated processes and why she believes the integrity of the data is still intact. In the report, she is describing a(n):
A. breach of protocol.
B. manual workaround.
C. reliability exception to Principle 3.
D. unexcused exception to risk data aggregation principles.
Practice Questions: Q4 Answer
Explanation: B is correct.
As part of Principle 3 on the accuracy and integrity of aggregated risk data, bank supervisors expect banks to document manual and automated risk data aggregation systems and explain when there are manual workarounds, explain why the workarounds are critical to data accuracy, and propose actions to minimize the impact of a manual workaround.
Topic 2. Principle 4 - Completeness
- As per BCBS, "A bank should be able to capture and aggregate all material risk data across the banking group. Data should be available by business line, legal entity, asset type, industry, region and other groupings, as relevant for the risk in question, that permit identifying and reporting risk exposures, concentrations and emerging risks".
- Key Requirements:
- Aggregation of both on- and off-balance sheet risks.
- Clear and specific risk measures and aggregation methods for senior managers and the board to assess exposures. Not all risks need the same metric.
- Identification and explanation of areas of incompleteness to bank supervisors if data is not complete.
Topic 3. Principle 5 - Timeliness
- As per BCBS, "a bank should be able to generate aggregate and up-to-date risk data in a timely manner while also meeting the principles relating to accuracy and integrity, completeness and adaptability. The precise timing will depend upon the nature and potential volatility of the risk being measured as well as its criticality to the overall risk profile of the bank".
- Key Requirements:
- Timely risk data aggregation meeting all reporting requirements, reviewed by bank supervisors.
- Systems to quickly produce aggregated risk data for critical risks during stress/crisis situations. Examples of critical risks:
- Aggregated credit exposures to large corporate borrowers, counterparty credit risk exposures (including derivatives), trading exposures, market concentrations, liquidity risk indicators, and time-critical operational risk indicators.
- Varying degrees of timeliness depending on the business line (e.g., portfolio managers need faster data than corporate lending)
Topic 4. Principle 6 - Adaptability
- As per BCBS, "a bank should be able to generate aggregate risk data to meet a broad range of on-demand, ad hoc risk management reporting requests, including requests during stress/crisis situations, requests due to changing internal needs and requests to meet supervisory queries".
- Key Requirements:
- Adaptable and flexible data aggregation capabilities to facilitate stress tests, scenario analysis, and ad hoc requests for emerging risks.
- A bank should be able to pull out specifics from aggregated risk data.
- The principles of accuracy, integrity, completeness, timeliness, and adaptability interact, with banks sometimes prioritizing one over another or aggregating data with a focus on one principle while neglecting others.
- The bank should consider all the standards when creating and maintaining a risk data aggregation framework.
Topic 5. Effective Risk Management
- Effective risk management includes:
- Clear, complete, timely, and accurate data; and
- Reporting of risk data to the right people at the right time.
- In recent reports, the BCBS contrasts effective and ineffective risk data aggregation and risk reporting.
- Effective risk data aggregation and reporting includes "appropriate data element certification, data quality documentation, data quality assurance mechanisms, assessment of data quality per risk type, and documented and effective controls for manual processes."
- Ineffective risk data aggregation and reporting may include:
- deficiencies in data quality control; improperly established data quality rules (e.g., lacking minimum standards for reporting);
- lack of oversight; lack of an effective escalation model;
- weaknesses in quality control; overuse of improperly documented manual processes;
- lack of reconciliation between key risk reports; lack of variance analysis;
- inability to get risk data from foreign subsidiaries in a timely fashion; and
- lack of standardization of reference data.
Topic 6. Principle 7 - Accuracy
- As per BCBS, "Risk management reports should accurately and precisely convey aggregated risk data and reflect risk in an exact manner. Reports should be reconciled and validated".
- Key Requirements:
- Accurate and precise risk reports for critical decision-making by senior managers and board members.
- To ensure accuracy of risk reports, processes for creating reports should be defined, including reasonableness checks, verification of mathematical/logical relationships, and error reports.
- Bank should ensure the reliability, accuracy, and timeliness of risk approximations (e.g., scenario analysis, stress testing).
- Board and senior managers to establish precision and accuracy requirements for regular and stress/crisis reports.
- Banks should impose accuracy requirements on par with accounting materiality; an omission is material if it influences risk decision-making.
Practice Questions: Q5
Q5. Senior management and the board of directors should receive accurate and timely aggregated risk data reports for all of the following reasons except:
A. bank supervisors request risk reports from board members, who should be prepared to provide this information during bank examinations.
B. senior management and board members use risk reports to make decisions regarding bank risks.
C. senior management and board members should react in times of financial stress and/or crisis and need reliable risk reports to make good decisions.
D. the board should ensure that the bank is operating within its risk tolerance/appetite and should therefore make sure that it receives relevant risk information.
Practice Questions: Q5 Answer
Explanation: A is correct.
It is important for the board and senior management to have accurate and timely risk reports to oversee the bank’s risk-taking activities. The bank’s risk tolerance/appetite is monitored by the board. The board and senior managers should be prepared to make decisions in times of financial stress and crisis. The board does not provide reports to regulators. Information requests from supervisors would be made at the bank level, not the board level.
Topic 7. Principle 8 - Comprehensiveness
- As per BCBS, "risk management reports should cover all material risk areas within the organization. The depth and scope of these reports should be consistent with the size and complexity of the bank's operations and risk profile, as well as the requirements of the recipients".
- Key Requirements:
- Reports should contain position and risk exposure information for all relevant risks (credit, liquidity, market, operational), including detailed information for specific areas like country, region, or sector exposures.
- Forward-looking reports with forecasts and stress tests, discussing risk appetite/tolerance in the context of emerging risks.
- Sufficiency in coverage, analysis, and comparability across institutions, including information on credit risk, market risk, liquidity risk, operational risk, stress test results, capital adequacy, regulatory capital, liquidity projections, capital projections, risk concentrations, and funding plans.
Topic 8. Principle 9 - Clarity and Usefulness
- As per BCBS, "risk management reports should communicate information in a clear and concise manner. Reports should be easy to understand yet comprehensive enough to facilitate informed decision-making. Reports should include meaningful information tailored to the needs of the recipients".
- Key Requirements:
- Reports tailored to end users (board, senior managers, risk committee members) to assist with sound risk management and decision-making.
- Reports should include risk data, risk analysis, interpretation of risks, and qualitative explanations.
- Information needs vary by organizational role (e.g., risk committee vs. board, traders vs. lenders).
- Increased need for qualitative interpretation and explanation as aggregation increases.
- The board of directors must ensure the bank operates within its risk tolerance by receiving relevant risk information, balancing quantitative and qualitative data for informed decision-making.
- Risk data should be classified, and the bank should develop an inventory of terms used in risk reports.
- Bank supervisors will confirm periodically that the risk data is clear, relevant, and useful for decision-making.
Topic 9. Principle 10 - Frequency
- As per BCBS, "The board and senior management (or other recipients as appropriate) should set the frequency of risk management report production and distribution. Frequency requirements should reflect the needs of the recipients, the nature of the risks reported, and the speed at which the risks can change, as well as the importance of reports in contributing to sound risk management and effective and efficient decision making across the bank".
- Key Requirements:
- Varying frequency depending on recipient, risk type, and report purpose. Banks to ensure periodic testing of report production accuracy within established timeframes during normal and stress/crisis periods.
- Immediate requirement for liquidity, credit, and market risk reports during stress/crisis to react to mounting risks.
- Increased reporting frequency during stress periods to facilitate decision-making in rapidly changing financial markets.
- In some cases, reporting frequency must slow because the volume of data is so large (e.g., stochastic cash flow simulations).
Topic 10. Principle 11 - Distribution
- As per BCBS, "Risk management reports should be distributed to the relevant parties while ensuring confidentiality is maintained".
- Key Requirements:
- Timely dissemination of reports while maintaining confidentiality. Supervisors expect banks to confirm timely receipt of reports by recipients.
Copy of FRM 7. Principles for Effective Data Aggregation and Risk Reporting
By Prateek Yadav