As a preamble, the ECB emphasises that the ability of credit institutions to manage and aggregate risk-related data is a prerequisite for strong risk management and sound decision-making governance. The supervisory body also points out that this contributes to improved revenues and profitability for banks and, in the longer term, to lower operational and IT expenses resulting from enhanced automation and the modernisation of IT architectures.
Although the decisive role of RDARR was noted in 2008, the regulator recalls that it has also been highlighted in its data collection activities, especially during the pandemic and other stress situations. The ECB also points out that difficulties in terms of data accuracy, timeliness and adaptability remain widespread.
Since 2016, the ECB Banking Supervision has considered quality and governance of risk data as a supervisory priority. The ECB assessed 25 significant credit institutions in 2016 as regards their governance, data aggregation capabilities and reporting practices based on the BCBS 239 principles, pointing out serious weaknesses.
Despite this increased scrutiny, the ECB has concluded that the progress made has been insufficient and that RDARR has not been given the required level of focus and importance, as major deficiencies have not yet been addressed. In that context, the ECB has identified deficiencies in RDARR as a supervisory priority for the 2023-25 cycle to ensure that credit institutions improve their RDARR capabilities and ultimately comply with the BCBS principles.
The purpose of this guide is to refine and reinforce supervisory expectations for RDARR based on the BCBS 239 principles. The document, which does not contain any new requirement, is intended to include a set of prerequisites for effective risk data aggregation and risk reporting to help credit institutions in improving and strengthening their capabilities.
The ECB has identified seven key areas of concern that it considers prominent prerequisites for strong governance and effective processes to identify, monitor and report risks.
Responsibilities of the management body
The ECB emphasises the role of the management body, which bears responsibility for the implementation of the institution’s objectives, risk strategy and internal governance. The ECB notes that the management body is responsible for:
- Accepting and exercising full responsibility for risk data quality and governance.
- Making RDARR a key priority.
- Overseeing, prioritising, and monitoring key deliverables.
- Setting clear roles and responsibilities for RDARR.
- Ensuring the implementation of policies and procedures for RDARR.
- Confirming that internal risk, supervisory and financial reports are meaningful from a qualitative and quantitative point of view.
- Ensuring that members of the management body and internal control functions (incl. head of Risk/CRO, compliance and internal audit) have a sufficient understanding of data management, IT and financial and non-financial risks, and that this understanding is considered when assessing the collective suitability of its members.
- Undertaking regular training to ensure up-to-date knowledge and skills of its members.
Sufficient scope of application
The ECB recommends establishing a data governance framework applicable to all legal entities of its group, risk categories, business lines and supervisory reporting processes. The framework should also cover the entire life cycle of the data from its origin to its reporting. The framework is also expected to define and document the scope of application and specify the reports (internal risk reporting, financial reporting and supervisory reports sent to the regulator), models (Pillar 1, Pillar 2 and capital models), risk data and indicators (at minimum the risk appetite indicators) that are included.
Effective data governance framework
The ECB expects institutions to define clear roles and responsibilities in data quality and ownership for business, control, and IT functions. Institutions should at least cover the 3 lines of defense through:
- Data owners / stewards (1st line)
- Central governance function (1st line) responsible for issuing policies and procedures, overseeing their implementation, ensuring data quality monitoring, and participating in change management processes.
- Validation function (2nd line) performing regular assessments of the institution's capabilities for all material entities and risk types.
- Internal audit (3rd line) providing regular independent reviews of the data governance framework.
Integrated data architecture
The ECB also points out the necessity of having an integrated data architecture in place. This shall include data taxonomies covering material legal entities, business lines, material risks (including the risk indicators), reports, and models.
Group-wide data quality management and standards
The regulator also prescribes establishing group-wide policies and procedures covering the overall risk management framework and data governance framework to ensure:
- Quality and completeness of quality controls.
- Remediation of data quality issues.
- Definition of transparent limitations and of data quality risks.
Timeliness of internal risk reporting
The ECB also insists on the importance of having accurate, complete, and timely data for risk management and identification. In that context, it is essential to recall that both the frequency of risk reporting and the time needed to produce the reports are of significant relevance.
Frequency of internal risk reporting shall be consistent with the dynamics of potential changes in key risk drivers: the more dynamic the drivers, the higher the frequency of reporting should be. The time needed to produce a report has similar consequences for the effectiveness of risk management: the less time it takes to produce accurate reporting, the sooner the risk situation can be analysed and managed. It is also expected that significant institutions implement capabilities allowing for the management of unexpected stress events.
Effective implementation programs
Finally, the ECB prescribes that significant institutions that have not yet implemented the BCBS 239 principles put in place implementation programs that will cover any gaps and address any identified weaknesses under the responsibility of the management body.
The regulator also recalls that the guide is a key building block of its 2023-25 supervisory priorities. The ECB, by means of this guide, reinforces and clarifies its minimum supervisory expectations for effective Risk Data Aggregation and Risk Reporting.
If you wish to understand how you could improve your internal governance and risk management and ensure compliance with the regulatory requirements, please contact our Head of Governance and Risk – Financial Services, Olivier Graisse, Head of Accounting and Regulatory reporting – Financial Services, Gilles Millard, or Head of Advisory, Andia P. Shtepani.