Brenda Boultwood
Agenda
What prevents companies from becoming more data driven?
Experimental Enterprise
Source: “Building Experimental Enterprise” - Silicon Valley Data Science (http://svds.com/)
Agile Data Infrastructure
Background on Risk Data Aggregation – Triggers for BCBS 239
Global Financial Crisis highlighted the failure of banks to discover, understand and respond to their key risk exposures
• Poor and inaccurate models indicating poor data
• Management does not trust the model results
• No Single Source of Truth
• Manual Processes
• Board and senior management not having visibility into risk data
• Incoherent risk appetite
• Legacy systems and standard technologies no longer suitable
• Inability to unlock the value in risk data
• Insufficient investment in data and infrastructure
• Failure of data processes to influence critical decision making
• Siloed ownership of data
• Inability to respond to changes
Data Quality & Protection Concerns – Some Facts
Rising Data Volumes
• Most banks in the US have at least 100 Terabytes of data
• NYSE captures 1 Terabyte of trade info during each trading session
Poor Data Quality
• Costs US economy $600 Billion annually
• Can cost a bank between 20-35% of their operating revenue
Data Protection Challenge
• 78% of organizations experienced a data breach in past 2 years
• 72% of businesses that experience data loss shut down within 24 months
Inconsistency In Data Models – Siloed Risk Data Management
Risk Silos
Fragmented Risk Data across multiple sources
Leads to
• Data duplication
• Data inconsistency
• Data Taxonomy differs in each Risk Silo
• Data relationships are complex and poorly documented
• Risk Data Aggregation becomes challenging
• Reduced ability to respond to new regulatory requirements
• Inaccurate reporting for board and senior management
BCBS 239 – Timeline
• Jan 2013: Principles on Risk Data Aggregation issued by BCBS
• Mar 2013: Questionnaire for self assessment sent to G-SIBs
• Jul 2013: G-SIBs submit responses for self-assessment
• Dec 2013: BCBS report on findings of self-assessment by G-SIBs
• Jan 2016: Date by which G-SIBs need to be compliant with principles of Risk Data Aggregation
BCBS 239 – Principles for effective risk data aggregation & reporting
Governance and Architecture
• Principle 1: Governance
• Principle 2: Data Architecture & IT Infrastructure
Risk Data Aggregation
• Principle 3: Accuracy and Integrity
• Principle 4: Completeness
• Principle 5: Timeliness
• Principle 6: Adaptability
Risk Reporting
• Principle 7: Accuracy
• Principle 8: Comprehensiveness
• Principle 9: Clarity and Usefulness
• Principle 10: Frequency
• Principle 11: Distribution
Supervisory Review
• Principle 12: Review
• Principle 13: Remedial Action & Supervisory Measures
• Principle 14: Home/host cooperation
BCBS 239 – Impact on banks and challenges in implementation
01 Risk Data Aggregation Process
• Impact: Revamping of aggregation processes to generate accurate risk data
• Challenge: Siloed and complex existing processes will make the task difficult
02 Risk Management Systems
• Impact: Risk management systems have to support centralized data aggregation
• Challenge: Upgrading the risk management systems may be time consuming and expensive
03 Risk Management Personnel
• Impact: Potential change in the role and nature of work
• Challenge: Complexity involved in transition would make them resistant to change
04 Risk taxonomy
• Impact: Data has to be standardized for various asset classes and geographies
• Challenge: Risk taxonomies may be different across entities, geographies, LOBs, etc.
05 Risk Governance
• Impact: Risk data quality assurance mechanisms have to be set up
• Challenge: Different risk types require data with varying degrees of granularity
06 Risk Reporting
• Impact: Reporting tools should support ad hoc statistical analysis and provide relevant information to management
• Challenge: Advanced real time reporting tools may be required with appropriate security & access controls
07 Measuring Compliance
• Impact: Banks need to demonstrate their efforts to comply with BCBS 239
• Challenge: In the absence of defined compliance metrics, this becomes difficult
08 Issue Management
• Impact: Issue management process needs to be set up to deal with data quality issues
• Challenge: Extra resource and cost implications for the bank
Failure to Comply - Implications
Complying with BCBS 239
6
Complying with BCBS 239 – Adopting a multi-step approach
1
Insurance Capital Markets Treasury Payments Trade Finance
Wealth Management Retail Banking Corporate Banking
Better Business Decision Making
Advanced Risk Analytics Risk Metrics (KPI, KRI, KCI) Powerful Visualization Geo-Spatial Reporting
Unstructured Data Structured Data
Risk Data Repository
Data Sourcing Data Cleaning Data Quality
Standard Risk Taxonomy
Control Frameworks
Issue Management
Banking Applications
Risk Data Management
Centralized GRC Platform
Risk Analytics & Reporting
Centralized GRC platform – For agile and scalable risk data infrastructure
Event Notifications Security
Reports & Dashboards
Infolets Cloud Infrastructure
GRC Foundation Risks Controls Processes Products/Services Organizations Regulations
Applications
Horizontal Solutions (Integrated GRC, Vendor Governance, etc.)
Vertical Solutions (Banking, Financial Services, Insurance, etc.)
Solutions
Third Party Risk Management
Operational Risk Management
Policy and Document Mgmt.
Compliance Mgmt.
Internal Audit Mgmt.
IT Compliance. IT Risk
Management. Operational Risk
Management
Apps
[+] other Apps
Zaplet AppStore
Community
3rd-Party Apps Content
Alerts & Feeds
GRC Intelligence
AppStudio Workflow Forms Data Templates
GRC Platform
Audit Universe
Relational DB Big Data Unstructured Data
Compliance Online
Training
Retail Content
Risk Analytics & Intelligence
Data Import
Rules Engine
Business Configuration
Provisioning Collaboration
Policies
System Console
Integrated Enterprise GRC Platform Architecture
2
Standardized Risk Taxonomy – For effective data management
3
Building Relationship Based Data Model – Relational data architecture
Organization
Objectives
Risk
Control
Question / Procedure
Evidence
Function
Financial Account
Exception Asset
Asset Class
Product
Process
Requirement
Standard
Area of Compliance
Regulatory Body
Framework Reference
Document Reference
4
Process Methodology For Risk Data Quality – Data validations & controls
1. Reference Data
Business / Process/Other
Business Objectives
Business Units
Business Processes
Sub-Processes
Policy
Risks
Level 1: Basel II Category
Level 2: Group Name
Level 3: Business Unit Name
Level 4: Local Owner Name
Controls
Level 1: Category Name
Level 2: Group Name
Level 3: Business Unit Name
Level 4: UCF Standard Control
Level 5: NIST, COBIT, COSO, etc.
• Illustrative Data
• Not all levels required
• Mappings can be automated
• Initial Setup; Infrequent Change
Risks
Inherent Risk Rating
Residual Risk Rating
Apply Control Ratings
Use standard or federated rating scales or surveys
Rate:
• Design Effectiveness
• Operational Effectiveness
• Importance
• Importance
Control Attributes:
• Automated
• Manual
Determine optimal residual risk level
Controls Use standard or federated rating scales or surveys
2. Rating Risks & Controls and Testing Controls
Control Enhancement Cost Estimate
• Dynamically changed: scheduled and ad-hoc
• Link controls to control tests, loss events and KCIs to confirm control ratings
Advanced Risk Analytics – Bird’s eye view of critical risk information
Advanced Risk Analytics – Loss events & Issues Dashboard
6
Leveraging Scenario Analysis – As per risk profile & business model
INTERNAL LOSS DATA
RCSA
Assess Risk
Regulatory Capital
Calculate Risk Exposure
EXTERNAL LOSS DATA
BUSINESS ENVIRONMENT
INTERNAL CONTROL FACTORS
METRICS
• What if the key controls failed?
• How will a global event impact business?
• What if the markets crash by xx%?
• What if interest rates go up by xx%?
• What if GDP falls by xx%?
Loss Reduction and Forecasting
Determine Risk Appetite
Top Risks
Cybersecurity, Third Party, Compliance Risk, Reputational Risk, Conduct Risk
• Accurate stress testing results
• Accurate risk data modelling
• Accurate capital assessment
• Accurate loss data forecasting
Scenario Analysis – To determine capital adequacy
Scenario Analysis – For risk data modelling
Q & A
Global Association of
Risk Professionals
© 2015 Global Association of Risk Professionals. All rights reserved.