2014-02-13

G3/2014: Effective Risk Data Aggregation and Risk Reporting

The South African Reserve Bank mandates that all domestic banks and foreign branches adopt the Basel Committee’s Principles for Effective Risk Data Aggregation and Risk Reporting to strengthen governance, data architecture, and reporting capabilities. Institutions must submit a comprehensive self-assessment questionnaire by 30 April 2014 to evaluate their current compliance status and outline implementation roadmaps for achieving full adherence by 1 January 2017. Supervisors will review these submissions to potentially adjust compliance deadlines on a case-by-case basis, ensuring that enhanced risk data practices improve institutional decision-making and resolvability.


South Africa

South African Reserve Bank
From the Office of
the Registrar of Banks

G3/2014

2014-02-13

To banks, branches of foreign institutions, controlling companies, eligible institutions and auditors of banks or controlling companies

Guidance Note 3/2014 issued in terms of section 6(5) of the Banks Act, 1990

Effective risk data aggregation and risk reporting

## Executive summary

Regulation 39 of the Regulations relating to Banks (the Regulations) requires banks, controlling companies and branches of foreign institutions (hereinafter collectively referred to as ‘banks’) to establish and maintain a process of corporate governance. This process includes the maintenance of effective risk management and capital by a bank. In order to achieve the objective relating to the maintenance of effective risk management and capital, every bank is required to have in place comprehensive risk management processes, practices and procedures, and board-approved policies.

The purpose of this guidance note is to reiterate the importance of adhering to these risk management practices, specifically with regard to risk data aggregation and risk reporting.

## 1. Introduction

### 1.1
The Principles for Effective Risk Data Aggregation and Risk Reporting¹ (the Principles) were issued by the Basel Committee on Banking Supervision (BCBS) in January 2013. The Principles aim to strengthen banks’ risk management practices by improving their risk data aggregation and risk reporting. It is anticipated that complying with the Principles will improve banks’ ability to provide rapid and comprehensive risk data by legal entity and business line, which will ultimately enhance banks’ decision-making processes and improve their resolvability.

¹ Available at http://www.bis.org/publ/bcbs239.pdf.

PO Box 8432 Pretoria 0001 · 370 Helen Joseph Street Pretoria 0002 · South Africa · Tel +27 12 3133911/0861 12 7272 · Fax +27 12 3133758 · www.reservedbank.co.za


### 1.2
The Principles were initially addressed to systemically important banks and apply not only at a group level, but also to all material business units or entities within the group. National supervisors may nevertheless choose to apply the Principles to all banks in their jurisdiction. This Office will adopt the Principles and therefore recommends that they be applied by all South African banks. This Office expects all banks, specifically domestic systemically important banks (D-SIBs), to comply with the Principles by no later than 1 January 2017. However, this due date for implementation may be reconsidered on a case-by-case basis once banks have completed and submitted the self-assessments as detailed below. The effective due date for all non-D-SIBs to comply with the Principles will be agreed with each bank.

## 2. Self-assessments

### 2.1
To facilitate consistent and effective implementation of the Principles among banks, this Office has decided to use a co-ordinated approach to monitor and assess banks’ progress until 2017. The first step of this co-ordinated approach is to ascertain banks’ readiness to comply with the Principles by 1 January 2017.

### 2.2
Banks are therefore required to complete the attached questionnaire on a group level (controlling company consolidated) and to submit it to this Office by no later than 30 April 2014. This Office will analyse the results to ascertain if the due date of 1 January 2017 is realistically achievable, and if this date should be reconsidered for banks that have indicated their inability to comply with the Principles by the specified date. However, this Office will only reconsider the due date for banks that provided sufficient details regarding their implementation plans and realistic time frames for ensuring compliance with the Principles. This Office will interact individually with these banks to agree on the due date for compliance with the Principles.

## 3. Acknowledgement of receipt

### 3.1
Two additional copies of this guidance note are enclosed for use by your institution’s independent auditors. The attached acknowledgement of receipt, duly completed and signed by both the chief executive officer of the institution and the said auditors, should be returned to this Office at the earliest convenience of the aforementioned signatories.

René van Wyk
Registrar of Banks

Encl.

The previous guidance note issued was Guidance Note 2/2014, dated 5 February 2014.

---

Principles for effective risk data aggregation and risk reporting

## Banks’ stock-taking questionnaire

### 1. Introduction

The Principles for Effective Risk Data Aggregation and Risk Reporting¹ (the Principles) were issued by the Basel Committee on Banking Supervision (BCBS) in January 2013. The Principles aim to strengthen banks’ risk management practices by improving their risk data aggregation and risk reporting. It is anticipated that complying with the Principles will improve banks’ ability to provide rapid and comprehensive risk data by legal entity and business line, which will ultimately enhance banks’ decision-making processes and improve their resolvability.

The Principles were initially addressed to systemically important banks and apply not only at a group level, but also to all material business units or entities within the group. National supervisors may nevertheless choose to apply the Principles to all banks in their jurisdiction.

### 2. Objective of the Questionnaire

To facilitate consistent and effective implementation of the Principles among banks, this Office has decided to use a co-ordinated approach to monitor and assess banks’ progress until 2017. The first step of this co-ordinated approach is to ascertain banks’ readiness to comply with the Principles by 1 January 2017.

Banks are therefore required to complete the attached questionnaire on a group level (controlling company consolidated) and to submit it to this Office by no later than 30 April 2014. This Office will analyse the results to ascertain if the due date of 1 January 2017 is realistically achievable, and if this date should be reconsidered for banks that have indicated their inability to comply with the Principles by the specified date. However, this Office will only reconsider the due date for banks that provided sufficient details regarding their implementation plans and realistic time frames for ensuring compliance with the Principles. This Office will interact individually with these banks to agree on the due date for compliance with the Principles.

This Office also expects that the Questionnaire will be a useful tool for banks to familiarise themselves with the Principles and to assist with their own internal monitoring process for meeting the 2017 deadline.

### 3. Participating banks

The questionnaire is required to be completed by all South African banks and branches of foreign institutions.

### 4. Completing the Questionnaire

Shortly after receiving the Questionnaire documentation, banks are expected to communicate to this Office the details of the key contact person for the purposes of this exercise. This person should be senior enough to be able to speak on behalf of the bank during the interactions with this Office. Although each participating bank should decide which bank function should complete the Questionnaire, the expectation is that:

- A key stakeholder in promoting a sound risk data aggregation and risk reporting framework such as, for instance, the risk management function should be coordinating the completion of the Questionnaire.
- Technical people in the organisation should contribute to the completion of the Questionnaire and participate in the discussions with this Office related to this exercise.

¹ Available at http://www.bis.org/publ/bcbs239.pdf.

The Questionnaire to be completed by banks (see annex 1) covers Principles 1 to 11, including specific requirements within each Principle. The Principles are broad statements summarising what the Basel Committee considers as desirable properties and characteristics of banks’ risk data aggregation and risk reporting frameworks in the following areas:

- Governance and infrastructure;
- Risk data aggregation capabilities; and
- Risk reporting practices.

It is required that banks rate their **current** degree of compliance with each Principle and the underlying requirements on a 1 to 4 scale.

The ratings will be understood to reflect the following assessments:

- **4** The Principle/requirement is fully complied with (as per today) ie the objective of the Principle/requirement is fully achieved with the existing architecture and processes;
- **3** The Principle/requirement is largely complied with (as per today) ie only minor actions are needed in order to fully comply with the Principle/requirement;
- **2** The Principle/requirement is materially non-compliant (as per today) ie significant actions are needed in order to progress further or achieve full compliance with the Principle/requirement; and
- **1** The Principle has not been implemented (as per today).

It is anticipated that, if compliance with any requirement under a Principle is rated below 4, so will general compliance with such Principle.

In the column “comments”, the respondent bank is requested to provide, in a concise manner, information to substantiate the ratings. In particular, banks are expected to offer:

- In case full compliance is claimed (4 rating), a brief explanation highlighting the key elements (bullet point format) that support such claim;
- Concise summary of key internal indicators and metrics in use to support banks’ responses to specific questions (for example, questions 32, 39, 40, 45, and 48);
- Where necessary, references and/or examples illustrating how banks apply terms such as “appropriately”, “adequately” or similar to the implementation of the Principles/requirements (for instance, see questions 2, 3, 12, 22, 28, 30, 69, 75 and 76);
- References and/or examples of the application of trade-offs, the materiality concept and expert judgement as indicated in paragraphs 22, 23 and 25 of the Principles, respectively (for example, see questions 32, 33, 38 and 41); and
- Their view on requirements within each Principle that banks consider essential/critical for achieving the objectives of each Principle (please just indicate “essential” where appropriate).


In the column “action plans”, the respondent bank is requested to detail plans for questions where a rating of below 4 is provided.

In addition, only for Principles showing overall compliance below the 4 rating, the respondent is requested to indicate an expected date (Month/Year) of full compliance with the Principle as a whole.

Banks should send their completed Questionnaires according to the timeline indicated by this Office and, in any case, no later than 30 April 2014 to **SARB-BANKSUP@resbank.co.za** for the attention of the relevant bank analyst.

---

Annexure 1

## Principles for effective risk data aggregation and risk reporting

## Banks’ stock-taking questionnaire

Name of the Bank:...........................................................

Name of the contact person at the Bank:...................................................

Email/phone number of the contact person:...................................................

### I. Governance and infrastructure

**Principle 1 (Governance) - A bank’s risk data aggregation capabilities and risk reporting practices should be subject to strong governance arrangements consistent with other principles and guidance established by the Basel Committee (as per references on page 6 of the BCBS document).**

| Question | Paragraph | Current Status | Rating Scale | Comments | Action plans |
|----------|-----------|----------------|--------------|----------|--------------|
| 1 | 28 | The bank has established a group risk data aggregation and risk reporting framework. | 1-4 | | |
| 2 | 28 | Senior management and the board have reviewed and approved the bank’s group risk data aggregation and risk reporting framework, and ensured that adequate resources have been deployed. | 1-4 | | |
| 3 | 27 | The bank adequately addresses the identification, assessment and management of data quality risks as part of its overall risk management framework. | 1-4 | | |
| 4 | 27 | The bank’s group risk data aggregation and risk reporting framework includes agreed service level standards for both outsourced and in-house risk data-related processes, and policies on data confidentiality, integrity and availability, as well as risk management policies. | 1-4 | | |
| 5 | 29(a) | The bank’s risk data aggregation capabilities and risk reporting practices are fully documented and subject to high standards of validation that is aligned and integrated with the other independent review activities within the bank’s risk management program, and encompass all components of the bank’s risk data aggregation and reporting processes. | 1-4 | | |
| 6 | 29(a) | The independent validation of risk data aggregation and risk reporting practices is conducted using staff with specific IT, data and reporting expertise. | 1-4 | | |
| 7 | 29(b) | The bank’s risk data aggregation capabilities and risk reporting practices are considered as part of any new initiatives, including acquisitions and/or divestitures, new product development, as well as broader process and IT change initiatives. | 1-4 | | |
| 8 | 29(b) | The bank’s due diligence process for material acquisitions includes an assessment of the risk data aggregation capabilities and risk reporting practices of the acquired entity, the impact on its own risk data aggregation capabilities and risk reporting practices, development of a plan to integrate and align the acquired risk data aggregation capabilities and risk reporting practices within its own framework, and a process to report to the board for explicit consideration. | 1-4 | | |
| 9 | 29(c) | The bank’s risk data aggregation capabilities and risk reporting practices are unaffected by the bank’s group structure. | 1-4 | | |
| 10 | 30 | The board and senior management are aware of any coverage, legal, technical limitations in risk data aggregation or shortcomings in risk reporting processes. See questions 76, 79 | 1-4 | | |
| 11 | 30 | The bank’s IT strategy addresses improvements in risk data aggregation capabilities and risk reporting practices. | 1-4 | | |
| 12 | 30 | Senior management supports risk data aggregation and risk reporting initiatives through the allocation of appropriate levels of financial and human resources. | 1-4 | | |
| 13 | 31 | The bank’s board determines its own risk reporting requirements to enable effective discharge of responsibilities. See questions 73, 74, 75, 79 | 1-4 | | |
| 14 | 31 | The bank’s board is aware of limitations that prevent full risk data aggregation in the reports it receives. See questions 73, 74, 75, 79 | 1-4 | | |
| 15 | 31 | The board is aware of the bank’s implementation of, and ongoing compliance with the Principles for Effective Risk Data Aggregation and Risk Reporting. | 1-4 | | |
| 16 | | **Current Compliance with Principle/Overall Assessment** Are the bank’s risk data aggregation capabilities and risk reporting practices subject to strong governance arrangements consistent with other principles and guidance established by the Basel Committee? | 1-4 | | |
| 17 | | **Expected Date of Full Compliance** (date) | | | |


---

**Principle 2 (Data architecture and IT infrastructure) – A bank should design, build and maintain data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis, while still meeting the other Principles.**

| Question | Paragraph | Current Status | Rating Scale | Comments | Action plans |
|----------|-----------|----------------|--------------|----------|--------------|
| 18 | 32 | Risk data aggregation capabilities and risk reporting practices are given direct consideration as part of a bank’s business continuity planning processes and are subject to a business impact analysis. | 1-4 | | |
| 19 | 33 | The bank has established integrated data taxonomies and architecture across the banking group, including information on the characteristics of the data (metadata), as well as use of single identifiers and/or unified naming conventions for data including legal entities, counterparties, customers and account. | 1-4 | | |
| 20 | 34 | Roles and responsibilities have been established as they relate to the ownership and quality of risk data and information for both the business and IT functions. | 1-4 | | |
| 21 | 34 | The role of the business owner ensures that data is correctly entered by the relevant front office unit, kept current and aligned with the data definitions, and also ensures that risk data aggregation capabilities and risk reporting practices are consistent with bank’s policies. | 1-4 | | |
| 22 | 34 | The owners (business and IT functions), in partnership with risk managers, have established a process to ensure there are adequate controls throughout the lifecycle of the data and for all aspects of the technology infrastructure. | 1-4 | | |
| 23 | | **Current Compliance with Principle/Overall Assessment** Has the bank designed and built, and is it maintaining data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis, while still meeting the other Principles? | 1-4 | | |
| 24 | | **Expected Date of Full Compliance** (date) | | | |
