Monday January 21 2013 Top 10 Risk Compliance News Events
1. Page |1
International Association of Risk and Compliance
Professionals (IARCP)
1200 G Street NW Suite 800 Washington, DC 20005-6705 USA
Tel: 202-449-9750 www.risk-compliance-association.com
Top 10 risk and compliance management related news stories
and world events that (for better or for worse) shaped the
week's agenda, and what is next
Dear Member,
If I tell you that this paper from the Basel
Committee starts with a poem, will you
believe me?
It is true!
I saw it and I immediately thought… Oh, it’s going to be a bad day.
In the past, I sometimes had to spend one hour per page to understand
some Basel ii/iii papers… now that they need a poem to start, what is
going to happen?
I know you ask… what poem George?
“Where is the wisdom we have lost in knowledge?
Where is the knowledge we have lost in information?”
T. S. Eliot. The Rock (1934)
Now I am sure: T.S Eliot could become a risk management expert.
I always investigate every section, reference and past paper mentioned to
any paper from the Basel committee (this is how I spend one hour per
page average), so I want to read all the poem, not only this part. It may be
important in order to understand the regulation! Otherwise, why would
they start with a poem?
I found the part of the poem that was written in the paper:
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
2. Page |2
Where is the Life we have lost in living?
Where is the wisdom we have lost in knowledge?
Where is the knowledge we have lost in information?
Now I wonder why they ignored the first part “Where is the Life we have
lost in living?”
Perhaps they know the answer… trying to comply with Basel {1, 2, 3…}
I called a friend, attorney and lobbyist in Washington DC and I asked him
about the poem… well, he knew it very well, and he told me that the poem
is about a life lived without religion; it is against communism and
fascism, against totalitarian regimes. (My first thought: Did I mention
which poem?)
Oh, perhaps I must call another friend, a university professor in Harvard,
to have another opinion and to keep somewhere in the middle? No, it is
too much for a day, I will better read the poem.
The poem…
The Eagle soars in the summit of Heaven,
The Hunter with his dogs pursues his circuit.
О perpetual revolution of configured stars,
О perpetual recurrence of determined seasons,
О world of spring and autumn, birth and dying!
***
Where is the Life we have lost in living?
Where is the wisdom we have lost in knowledge?
Where is the knowledge we have lost in information?
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
3. Page |3
***
I journeyed to London, to the timekept City,
Where the River flows, with foreign flotations.
There I was told: we have too many churches,
And too few chop-houses. There I was told:
Let the vicars retire. Men do not need the Church
In the place where they work, but where they spend their
Sundays.
In the City, we need no bells:
Let them waken the suburbs.
I journeyed to the suburbs, and there I was told:
We toil for six days, on the seventh we must motor
To Hindhead, or Maidenhead.
If the weather is foul we stay at home and read the papers.
In industrial districts, there I was told
Of economic laws.
In the pleasant countryside, there it seemed
That the country now is only fit for picnics.
And the Church does not seem to be wanted
In country or in suburbs; and in the town
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
4. Page |4
Only for important weddings.
***
The world turns and the world changes,
But one thing does not change.
In all of my years, one thing does not change.
However you disguise it, this thing does not change:
The perpetual struggle of Good and Evil.
***
The desert is not remote in southern tropics,
The desert is not only around the corner,
The desert is squeezed in the tube-train next to you.
The desert is in the heart of your brother.
***
The voices of the Unemployed:
No man has hired us
With pocketed hands
And lowered faces
We stand about in open places
And shiver in unlit rooms.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
5. Page |5
Only the wind moves
Over empty fields, untilled
Where the plough rests, at an angle
To the furrow. In this land
There shall be one cigarette to two men,
To two women one half pint of bitter
Ale. In this land
No man has hired us.
Our life is unwelcome, our death
Unmentioned in “The Times.”
***
What life have you if you have not life together?
There is no life that is not in community,
And no community not lived in praise of God.
***
And now you live dispersed on ribbon roads.
And no man knows or cares who is his neighbour
Unless his neighbour makes too much disturbance,
But all dash to and fro in motor cars,
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
6. Page |6
Familiar with the roads and settled nowhere.
Nor does the family even move about together.
But every son would have his motor cycle,
And daughters ride away on casual pillions.
***
In the land of lobelias and tennis flannels
The rabbit shall burrow and the thorn revisit,
The nettle shall flourish on the gravel court,
And the wind shall say: “Here were decent godless people:
Their only monument the asphalt road
And a thousand lost golf balls.”
***
When the Stranger says: “What is the meaning of this city?
Do you huddle close together because you love each other?”
What will you answer? “We all dwell together
To make money from each other”? or “This is a community”?
And the Stranger will depart and return to the desert.
О my soul, be prepared for the coming of the Stranger,
Be prepared for him who knows how to ask questions.
О weariness of men who turn from God
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
7. Page |7
To the grandeur of your mind and the glory of your action,
To arts and inventions and daring enterprises.
To schemes of human greatness thoroughly discredited.
Binding the earth and the water to your service,
Exploiting the seas and developing the mountains,
Dividing the stars into common and preferred.
Engaged in devising the perfect refrigerator,
Engaged in working out a rational morality,
Engaged in printing as many books as possible,
Plotting of happiness and flinging empty bottles,
Turning from your vacancy to fevered enthusiasm
For nation or race or what you call humanity;
Though you forget the way to the Temple,
There is one who remembers the way to your door:
Life you may evade, but Death you shall not.
You shall not deny the Stranger.
***
But it seems that something has happened that has never happened
before:
though we know not just when, or why, or
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
8. Page |8
how, or where.
Men have left God not for other gods, they say, but for no god;
and this has never happened before
That men both deny gods and worship gods, professing first
Reason,
And then Money, and Power, and what they call Life, or Race,
or Dialectic.
The Church disowned, the tower overthrown, the bells up-
turned, what have we to do
But stand with empty hands and palms turned upwards
In an age which advances progressively backwards?
***
T.S. Eliot
Ok, Now I feel that I will understand the paper from the Basel
Committee.
I also found another part of the poem that is suitable to start another
Basel iii paper:
“Be prepared for him who knows how to ask questions”.
Read more (about the paper, not the poem) at number 1 below.
Welcome to the Top 10 list.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
9. Page |9
Principles for effective risk data
aggregation and risk reporting
January 2013
The financial crisis that began in 2007
revealed that many banks, including global
systemically important banks (G-SIBs), were
unable to aggregate risk exposures and
identify concentrations fully, quickly and
accurately.
This meant that banks' ability to take risk
decisions in a timely fashion was seriously
impaired with wide-ranging consequences for the banks themselves and
for the stability of the financial system as a whole.
Vice Chair Janet L. Yellen
At the American Economic
Association/American Finance Association Joint
Luncheon, San Diego, California
Interconnectedness and Systemic Risk:
Lessons from the Financial Crisis and
Policy Implications
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
10. P a g e | 10
Islamic finance industry
needs transformation
The Islamic financial services industry needs to undergo a complete
transformation in order to be recognized and respected as a major global
player, a key conference in Bahrain heard.
ESMA and the EBA
take action to
strengthen Euribor
and benchmark rate-setting processes
The European Securities and Markets Authority (ESMA) and the
European Banking Authority (EBA) published the results of their joint
work on Euribor and propose principles for benchmark rate-setting
processes. The publications include:
Report from the Commission
to the European Parliament
and the Council
The review of the
Directive 2002/87/EC of the European Parliament and the
Council on the supplementary supervision of credit institutions,
insurance undertakings and investment firms in a financial
conglomerate
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
11. P a g e | 11
ESMA to provide technical advice
on possible delegated acts
concerning the Prospectus
Directive
The European Commission sent a formal request on 20 January 2011 to
ESMA to provide technical advice on possible delegated acts concerning
the Prospectus Directive as amended by Directive 2010/73/EU (the
Mandate).
Regulatory Resolutions
for 2013
Remarks by Assistant Superintendent
Mark Zelmer, Office of the Superintendent of Financial Institutions
Canada (OSFI) to the 2013 RBC Capital Markets Canadian Bank CEO
Conference
Fifth progress note on the Global
LEI Initiative
This is the fifth of a series of notes on
the implementation of the legal entity identifier (LEI) initiative.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
12. P a g e | 12
Corporate governance
Address by Mr Yandraduth Googoolye, First Deputy
Governor of the Bank of Mauritius, at the
workshop on “Corporate governance”, organised by
the Mauritius Institute of Directors, Port-Louis
'Standard Quantum Limit'
Smashed, Could Mean Better
Fiber-Optic Comms
From NIST Tech Beat
Communicating with light may
soon get a lot easier, hints recent
research from the National
Institute of Standards and
Technology (NIST) and the
University of Maryland's Joint
Quantum Institute (JQI), where
scientists have potentially found a
way to overcome a longstanding
barrier to cleaner signals.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
13. P a g e | 13
Principles for effective risk data
aggregation and risk reporting
January 2013
The financial crisis that began in 2007
revealed that many banks, including global
systemically important banks (G-SIBs), were
unable to aggregate risk exposures and
identify concentrations fully, quickly and
accurately.
This meant that banks' ability to take risk
decisions in a timely fashion was seriously
impaired with wide-ranging consequences for the banks themselves and
for the stability of the financial system as a whole.
The Basel Committee's Principles for effective risk data aggregation will
strengthen banks' risk data aggregation capabilities and internal risk
reporting practices.
Implementation of the principles will strengthen risk management at
banks - in particular, G-SIBs - thereby enhancing their ability to cope
with stress and crisis situations.
An earlier version of the principles published today was issued for
consultation in June 2012.
The Committee wishes to thank those who provided feedback and
comments as these were instrumental in revising and finalising the
principles.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
14. P a g e | 14
Principles for effective risk data aggregation and risk reporting
Where is the wisdom we have lost in knowledge?
Where is the knowledge we have lost in information?
T. S. Eliot. The Rock (1934)
Introduction
1. One of the most significant lessons learned from the global financial
crisis that began in 2007 was that banks’ information technology (IT) and
data architectures were inadequate to support the broad management of
financial risks.
Many banks lacked the ability to aggregate risk exposures and identify
concentrations quickly and accurately at the bank group level, across
business lines and between legal entities.
Some banks were unable to manage their risks properly because of weak
risk data aggregation capabilities and risk reporting practices.
This had severe consequences to the banks themselves and to the
stability of the financial system as a whole.
2. In response, the Basel Committee issued supplemental Pillar 2
(supervisory review process) guidance to enhance banks’ ability to
identify and manage bank-wide risks.
In particular, the Committee emphasised that a sound risk management
system should have appropriate management information systems (MIS)
at the business and bank-wide level.
The Basel Committee also included references to data aggregation as part
of its guidance on corporate governance.
3. Improving banks’ ability to aggregate risk data will improve their
resolvability.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
15. P a g e | 15
For global systemically important banks (G-SIBs) in particular, it is
essential that resolution authorities have access to aggregate risk data
that complies with the FSB’s Key Attributes of Effective Resolution
Regimes for Financial Institutions as well as the principles set out below.
For recovery, a robust data framework will help banks and supervisors
anticipate problems ahead.
It will also improve the prospects of finding alternative options to restore
financial strength and viability when the firm comes under severe stress.
For example, it could improve the prospects of finding a suitable merger
partner.
4. Many in the banking industry recognise the benefits of improving their
risk data aggregation capabilities and are working towards this goal.
They see the improvements in terms of strengthening the capability and
the status of the risk function to make judgements.
This leads to gains in efficiency, reduced probability of losses and
enhanced strategic decision-making, and ultimately increased
profitability.
5. Supervisors observe that making improvements in risk data
aggregation capabilities and risk reporting practices remains a challenge
for banks, and supervisors would like to see more progress, in particular,
at G-SIBs.
Moreover, as the memories of the crisis fade over time, there is a danger
that the enhancement of banks’ capabilities in these areas may receive a
slower-track treatment.
This is because IT systems, data and reporting processes require
significant investments of financial and human resources with benefits
that may only be realised over the long-term.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
16. P a g e | 16
6. The Financial Stability Board (FSB) has several international initiatives
underway to ensure continued progress is made in strengthening firms’
risk data aggregation capabilities and risk reporting practices, which is
essential to support financial stability.
These include:
• The development of the Principles for effective risk data aggregation
and risk reporting included in this report.
This work stems from a recommendation in the FSB’s Progress report on
implementing the recommendations on enhanced supervision, issued on
4 November 2011:
“The FSB, in collaboration with the standard setters, will develop a set of
supervisory expectations to move firms’, particularly SIFIs, data
aggregation capabilities to a level where supervisors, firms, and other
users (eg resolution authorities) of the data are confident that the MIS
reports accurately capture the risks.
A timeline should be set for all SIFIs to meet supervisory expectations;
the deadline for G-SIBs to meet these expectations should be the
beginning of 2016, which is the date when the added loss absorbency
requirement begins to be phased in for G-SIBs.”
• The development of a new common data template for global
systemically important financial institutions (G-SIFIs) in order to address
key information gaps identified during the crisis, such as bi-lateral
exposures and exposures to countries/sectors/instruments.
This should provide the authorities with a stronger framework for
assessing potential systemic risks.
• A public-private sector initiative to develop a Legal Entity Identifier
(LEI) system.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
17. P a g e | 17
The LEI system will identify unique parties to financial transactions
across the globe and is designed to be a key building block for
improvements in the quality of financial data across the globe.
7. There are also other initiatives and requirements relating to data that
will have to be implemented in the following years.
The Committee considers that upgraded risk data aggregation and risk
reporting practices will allow banks to comply effectively with those
initiatives.
Definition
8. For the purpose of this paper, the term “risk data aggregation” means
defining, gathering and processing risk data according to the bank’s risk
reporting requirements to enable the bank to measure its performance
against its risk tolerance/appetite.
This includes sorting, merging or breaking down sets of data.
Objectives
9. This paper presents a set of principles to strengthen banks’ risk data
aggregation capabilities and internal risk reporting practices (the
Principles).
In turn, effective implementation of the Principles is expected to enhance
risk management and decision-making processes at banks.
10. The adoption of these Principles will enable fundamental
improvements to the management of banks.
The Principles are expected to support a bank’s efforts to:
• Enhance the infrastructure for reporting key information, particularly
that used by the board and senior management to identify, monitor and
manage risks;
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
18. P a g e | 18
• Improve the decision-making process throughout the banking
organisation;
• Enhance the management of information across legal entities, while
facilitating a comprehensive assessment of risk exposures at the global
consolidated level;
• Reduce the probability and severity of losses resulting from risk
management weaknesses;
• Improve the speed at which information is available and hence
decisions can be made; and
• Improve the organisation’s quality of strategic planning and the ability
to manage the risk of new products and services.
11. Strong risk management capabilities are an integral part of the
franchise value of a bank.
Effective implementation of the Principles should increase the value of
the bank.
The Committee believes that the long-term benefits of improved risk data
aggregation capabilities and risk reporting practices will outweigh the
investment costs incurred by banks.
12. For bank supervisors, these Principles will complement other efforts to
improve the intensity and effectiveness of bank supervision.
For resolution authorities, improved risk data aggregation should enable
smoother bank resolution, thereby reducing the potential recourse to
taxpayers.
Scope and initial considerations
13. These Principles are initially addressed to SIBs and apply at both the
banking group and on a solo basis.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
19. P a g e | 19
Common and clearly stated supervisory expectations regarding risk data
aggregation and risk reporting are necessary for these institutions.
National supervisors may nevertheless choose to apply the Principles to a
wider range of banks, in a way that is proportionate to the size, nature and
complexity of these banks’ operations.
14. Banks identified as G-SIBs by the FSB in November 2011 or
November 2012 must meet these Principles by January 2016;
G-SIBs designated in subsequent annual updates will need to meet the
Principles within three years of their designation.
G-SIBs subject to the 2016 timeline are expected to start making progress
towards effectively implementing the Principles from early 2013.
National supervisors and the Basel Committee will monitor and assess
this progress in accordance with section V of this document.
15. It is strongly suggested that national supervisors also apply these
Principles to banks identified as D-SIBs by their national supervisors
three years after their designation as D-SIBs.
16. The Principles and supervisory expectations contained in this paper
apply to a bank’s risk management data.
This includes data that is critical to enabling the bank to manage the risks
it faces.
Risk data and reports should provide management with the ability to
monitor and track risks relative to the bank’s risk tolerance/appetite.
17. These Principles also apply to all key internal risk management
models, including but not limited to, Pillar 1 regulatory capital models (eg
internal ratings-based approaches for credit risk and advanced
measurement approaches for operational risk), Pillar 2 capital models and
other key risk management models (eg value-at-risk).
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
20. P a g e | 20
18. The Principles apply to a bank’s group risk management processes.
However, banks may also benefit from applying the Principles to other
processes, such as financial and operational processes, as well as
supervisory reporting.
19. All the Principles included in this paper are also applicable to
processes that have been outsourced to third parties.
20. The Principles cover four closely related topics:
• Overarching governance and infrastructure
• Risk data aggregation capabilities
• Risk reporting practices
• Supervisory review, tools and cooperation
21. Risk data aggregation capabilities and risk reporting practices are
considered separately in this paper, but they are clearly inter-linked and
cannot exist in isolation.
High quality risk management reports rely on the existence of strong risk
data aggregation capabilities, and sound infrastructure and governance
ensures the information flow from one to the other.
22. Banks should meet all risk data aggregation and risk reporting
principles simultaneously.
However, trade-offs among Principles could be accepted in exceptional
circumstances such as urgent/ad hoc requests of information on new or
unknown areas of risk.
There should be no trade-offs that materially impact risk management
decisions.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
21. P a g e | 21
Decision-makers at banks, in particular the board and senior
management, should be aware of these trade-offs and the limitations or
shortcomings associated with them.
Supervisors expect banks to have policies and processes in place
regarding the application of trade-offs.
Banks should be able to explain the impact of these trade-offs on their
decision- making process through qualitative reports and, to the extent
possible, quantitative measures.
23. The concept of materiality used in this paper means that data and
reports can exceptionally exclude information only if it does not affect the
decision-making process in a bank (ie decision-makers, in particular the
board and senior management, would have been influenced by the
omitted information or made a different judgment if the correct
information had been known).
In applying the materiality concept, banks will take into account
considerations that go beyond the number or size of the exposures not
included, such as the type of risks involved, or the evolving and dynamic
nature of the banking business.
Banks should also take into account the potential future impact of the
information excluded on the decision-making process at their
institutions.
Supervisors expect banks to be able to explain the omissions of
information as a result of applying the materiality concept.
24. Banks should develop forward looking reporting capabilities to
provide early warnings of any potential breaches of risk limits that may
exceed the bank’s risk tolerance/appetite.
These risk reporting capabilities should also allow banks to conduct a
flexible and effective stress testing which is capable of providing
forward-looking risk assessments.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
22. P a g e | 22
Supervisors expect risk management reports to enable banks to anticipate
problems and provide a forward looking assessment of risk.
25. Expert judgment may occasionally be applied to incomplete data to
facilitate the aggregation process, as well as the interpretation of results
within the risk reporting process.
Reliance on expert judgment in place of complete and accurate data
should occur only on an exception basis, and should not materially
impact the bank’s compliance with the Principles.
When expert judgment is applied, supervisors expect that the process be
clearly documented and transparent so as to allow for an independent
review of the process followed and the criteria used in the
decision-making process.
I. Overarching governance and infrastructure
26. A bank should have in place a strong governance framework, risk data
architecture and IT infrastructure.
These are preconditions to ensure compliance with the other Principles
included in this document.
In particular, a bank’s board should oversee senior management’s
ownership of implementing all the risk data aggregation and risk
reporting principles and the strategy to meet them within a timeframe
agreed with their supervisors.
Principle 1
Governance – A bank’s risk data aggregation capabilities and risk
reporting practices should be subject to strong governance arrangements
consistent with other principles and guidance established by the Basel
Committee.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
23. P a g e | 23
27. A bank’s board and senior management should promote the
identification, assessment and management of data quality risks as part
of its overall risk management framework.
The framework should include agreed service level standards for both
outsourced and in-house risk data-related processes, and a firm’s policies
on data confidentiality, integrity and availability, as well as risk
management policies.
28. A bank’s board and senior management should review and approve
the bank’s group risk data aggregation and risk reporting framework and
ensure that adequate resources are deployed.
29. A bank’s risk data aggregation capabilities and risk reporting
practices should be:
(a) Fully documented and subject to high standards of validation.
This validation should be independent and review the bank’s compliance
with the Principles in this document.
The primary purpose of the independent validation is to ensure that a
bank's risk data aggregation and reporting processes are functioning as
intended and are appropriate for the bank's risk profile.
Independent validation activities should be aligned and integrated with
the other independent review activities within the bank's risk
management program, and encompass all components of the bank's risk
data aggregation and reporting processes.
Common practices suggest that the independent validation of risk data
aggregation and risk reporting practices should be conducted using staff
with specific IT, data and reporting expertise.
(b) Considered as part of any new initiatives, including acquisitions
and/or divestitures, new product development, as well as broader process
and IT change initiatives.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
24. P a g e | 24
When considering a material acquisition, a bank’s due diligence process
should assess the risk data aggregation capabilities and risk reporting
practices of the acquired entity, as well as the impact on its own risk data
aggregation capabilities and risk reporting practices.
The impact on risk data aggregation should be considered explicitly by
the board and inform the decision to proceed.
The bank should establish a timeframe to integrate and align the
acquired risk data aggregation capabilities and risk reporting practices
within its own framework.
(c) Unaffected by the bank’s group structure.
The group structure should not hinder risk data aggregation capabilities
at a consolidated level or at any relevant level within the organisation (eg
sub-consolidated level, jurisdiction of operation level).
In particular, risk data aggregation capabilities should be independent
from the choices a bank makes regarding its legal organisation and
geographical presence.
30. A bank’s senior management should be fully aware of and understand
the limitations that prevent full risk data aggregation, in terms of
coverage (eg risks not captured or subsidiaries not included), in technical
terms (eg model performance indicators or degree of reliance on manual
processes) or in legal terms (legal impediments to data sharing across
jurisdictions).
Senior management should ensure that the bank’s IT strategy includes
ways to improve risk data aggregation capabilities and risk reporting
practices and to remedy any shortcomings against the Principles set forth
in this document taking into account the evolving needs of the business.
Senior management should also identify data critical to risk data
aggregation and IT infrastructure initiatives through its strategic IT
planning process, and support these initiatives through the allocation of
appropriate levels of financial and human resources.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
25. P a g e | 25
31. A bank’s board is responsible for determining its own risk reporting
requirements and should be aware of limitations that prevent full risk data
aggregation in the reports it receives.
The board should also be aware of the bank’s implementation of, and
ongoing compliance with the Principles set out in this document.
Principle 2
Data architecture and IT infrastructure – A bank should design, build and
maintain data architecture and IT infrastructure which fully supports its
risk data aggregation capabilities and risk reporting practices not only in
normal times but also during times of stress or crisis, while still meeting
the other Principles.
32. Risk data aggregation capabilities and risk reporting practices should
be given direct consideration as part of a bank’s business continuity
planning processes and be subject to a business impact analysis.
33. A bank should establish integrated data taxonomies and architecture
across the banking group, which includes information on the
characteristics of the data (metadata), as well as use of single identifiers
and/or unified naming conventions for data including legal entities,
counterparties, customers and accounts.
34. Roles and responsibilities should be established as they relate to the
ownership and quality of risk data and information for both the business
and IT functions.
The owners (business and IT functions), in partnership with risk
managers, should ensure there are adequate controls throughout the
lifecycle of the data and for all aspects of the technology infrastructure.
The role of the business owner includes ensuring data is correctly entered
by the relevant front office unit, kept current and aligned with the data
definitions, and also ensuring that risk data aggregation capabilities and
risk reporting practices are consistent with firms’ policies.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
26. P a g e | 26
II. Risk data aggregation capabilities
35. Banks should develop and maintain strong risk data aggregation
capabilities to ensure that risk management reports reflect the risks in a
reliable way (ie meeting data aggregation expectations is necessary to
meet reporting expectations).
Compliance with these Principles should not be at the expense of each
other.
These risk data aggregation capabilities should meet all Principles below
simultaneously in accordance with paragraph 22 of this document.
Principle 3
Accuracy and Integrity – A bank should be able to generate accurate and
reliable risk data to meet normal and stress/crisis reporting accuracy
requirements.
Data should be aggregated on a largely automated basis so as to
minimise the probability of errors.
36. A bank should aggregate risk data in a way that is accurate and
reliable.
(a) Controls surrounding risk data should be as robust as those applicable
to accounting data.
(b) Where a bank relies on manual processes and desktop applications
(eg spreadsheets, databases) and has specific risk units that use these
applications for software development, it should have effective mitigants
in place (eg end-user computing policies and procedures) and other
effective controls that are consistently applied across the bank’s
processes.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
27. P a g e | 27
(c) Risk data should be reconciled with bank’s sources, including
accounting data where appropriate, to ensure that the risk data is
accurate.
(d) A bank should strive towards a single authoritative source for risk data
per each type of risk.
(e) A bank’s risk personnel should have sufficient access to risk data to
ensure they can appropriately aggregate, validate and reconcile the data
to risk reports.
37. As a precondition, a bank should have a “dictionary” of the concepts
used, such that data is defined consistently across an organisation.
38. There should be an appropriate balance between automated and
manual systems.
Where professional judgements are required, human intervention may be
appropriate.
For many other processes, a higher degree of automation is desirable to
reduce the risk of errors.
39. Supervisors expect banks to document and explain all of their risk data
aggregation processes whether automated or manual (judgement based
or otherwise).
Documentation should include an explanation of the appropriateness of
any manual workarounds, a description of their criticality to the accuracy
of risk data aggregation and proposed actions to reduce the impact.
40. Supervisors expect banks to measure and monitor the accuracy of data
and to develop appropriate escalation channels and action plans to be in
place to rectify poor data quality.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
28. P a g e | 28
Principle 4
Completeness – A bank should be able to capture and aggregate all
material risk data across the banking group.
Data should be available by business line, legal entity, asset type,
industry, region and other groupings, as relevant for the risk in question,
that permit identifying and reporting risk exposures, concentrations and
emerging risks.
41. A bank’s risk data aggregation capabilities should include all material
risk exposures, including those that are off-balance sheet.
42. A banking organisation is not required to express all forms of risk in a
common metric or basis, but risk data aggregation capabilities should be
the same regardless of the choice of risk aggregation systems
implemented.
However, each system should make clear the specific approach used to
aggregate exposures for any given risk measure, in order to allow the
board and senior management to assess the results properly.
43. Supervisors expect banks to produce aggregated risk data that is
complete and to measure and monitor the completeness of their risk data.
Where risk data is not entirely complete, the impact should not be critical
to the bank’s ability to manage its risks effectively.
Supervisors expect banks’ data to be materially complete, with any
exceptions identified and explained.
Principle 5
Timeliness – A bank should be able to generate aggregate and up-to-date
risk data in a timely manner while also meeting the principles relating to
accuracy and integrity, completeness and adaptability.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
29. P a g e | 29
The precise timing will depend upon the nature and potential volatility of
the risk being measured as well as its criticality to the overall risk profile
of the bank.
The precise timing will also depend on the bank-specific frequency
requirements for risk management reporting, under both normal and
stress/crisis situations, set based on the characteristics and overall risk
profile of the bank.
44. A bank’s risk data aggregation capabilities should ensure that it is able
to produce aggregate risk information on a timely basis to meet all risk
management reporting requirements.
45. The Basel Committee acknowledges that different types of data will
be required at different speeds, depending on the type of risk, and that
certain risk data may be needed faster in a stress/crisis situation.
Banks need to build their risk systems to be capable of producing
aggregated risk data rapidly during times of stress/crisis for all critical
risks.
46. Critical risks include but are not limited to:
(a) The aggregated credit exposure to a large corporate borrower.
By comparison, groups of retail exposures may not change as critically in
a short period of time but may still include significant concentrations;
(b) Counterparty credit risk exposures, including, for example,
derivatives;
(c) Trading exposures, positions, operating limits, and market
concentrations by sector and region data;
(d) Liquidity risk indicators such as cash flows/settlements and funding;
and
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
30. P a g e | 30
(e) Operational risk indicators that are time-critical (eg systems
availability, unauthorised access).
47. Supervisors will review that the bank specific frequency requirements,
for both normal and stress/crisis situations, generate aggregate and
up-to-date risk data in a timely manner.
Principle 6
Adaptability – A bank should be able to generate aggregate risk data to
meet a broad range of on-demand, ad hoc risk management reporting
requests, including requests during stress/crisis situations, requests due
to changing internal needs and requests to meet supervisory queries.
48. A bank’s risk data aggregation capabilities should be flexible and
adaptable to meet ad hoc data requests, as needed, and to assess
emerging risks.
Adaptability will enable banks to conduct better risk management,
including forecasting information, as well as to support stress testing and
scenario analyses.
49. Adaptability includes:
(a) Data aggregation processes that are flexible and enable risk data to be
aggregated for assessment and quick decision-making;
(b) Capabilities for data customisation to users’ needs (eg dashboards,
key takeaways, anomalies), to drill down as needed, and to produce quick
summary reports;
(c) Capabilities to incorporate new developments on the organisation of
the business and/or external factors that influence the bank’s risk profile;
and
(d) Capabilities to incorporate changes in the regulatory framework.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
31. P a g e | 31
50. Supervisors expect banks to be able to generate subsets of data based
on requested scenarios or resulting from economic events.
For example, a bank should be able to aggregate risk data quickly on
country credit exposures as of a specified date based on a list of countries,
as well as industry credit exposures as of a specified date based on a list of
industry types across all business lines and geographic areas.
III. Risk reporting practices
51. Accurate, complete and timely data is a foundation for effective risk
management.
However, data alone does not guarantee that the board and senior
management will receive appropriate information to make effective
decisions about risk.
To manage risk effectively, the right information needs to be presented to
the right people at the right time.
Risk reports based on risk data should be accurate, clear and complete.
They should contain the correct content and be presented to the
appropriate decision-makers in a time that allows for an appropriate
response.
To effectively achieve their objectives, risk reports should comply with
the following principles. Compliance with these principles should not be
at the expense of each other in accordance with paragraph 22 of this
document.
Principle 7
Accuracy - Risk management reports should accurately and precisely
convey aggregated risk data and reflect risk in an exact manner. Reports
should be reconciled and validated.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
32. P a g e | 32
52. Risk management reports should be accurate and precise to ensure a
bank’s board and senior management can rely with confidence on the
aggregated information to make critical decisions about risk.
53. To ensure the accuracy of the reports, a bank should maintain, at a
minimum, the following:
(a) Defined requirements and processes to reconcile reports to risk data;
(b) Automated and manual edit and reasonableness checks, including an
inventory of the validation rules that are applied to quantitative
information.
The inventory should include explanations of the conventions used to
describe any mathematical or logical relationships that should be verified
through these validations or checks; and
(c) Integrated procedures for identifying, reporting and explaining data
errors or weaknesses in data integrity via exceptions reports.
54. Approximations are an integral part of risk reporting and risk
management.
Results from models, scenario analyses, and stress testing are examples of
approximations that provide critical information for managing risk.
While the expectations for approximations may be different than for other
types of risk reporting, banks should follow the reporting principles in
this document and establish expectations for the reliability of
approximations (accuracy, timeliness, etc) to ensure that management
can rely with confidence on the information to make critical decisions
about risk.
This includes principles regarding data used to drive these
approximations.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
33. P a g e | 33
55. Supervisors expect that a bank’s senior management should establish
accuracy and precision requirements for both regular and stress/crisis
reporting, including critical position and exposure information.
These requirements should reflect the criticality of decisions that will be
based on this information.
56. Supervisors expect banks to consider accuracy requirements
analogous to accounting materiality.
For example, if omission or misstatement could influence the risk
decisions of users, this may be considered material.
A bank should be able to support the rationale for accuracy requirements.
Supervisors expect a bank to consider precision requirements based on
validation, testing or reconciliation processes and results.
Principle 8
Comprehensiveness - Risk management reports should cover all material
risk areas within the organisation.
The depth and scope of these reports should be consistent with the size
and complexity of the bank’s operations and risk profile, as well as the
requirements of the recipients.
57. Risk management reports should include exposure and position
information for all significant risk areas (eg credit risk, market risk,
liquidity risk, operational risk) and all significant components of those
risk areas (eg single name, country and industry sector for credit risk).
Risk management reports should also cover risk-related measures (eg
regulatory and economic capital).
58. Reports should identify emerging risk concentrations, provide
information in the context of limits and risk appetite/tolerance and
propose recommendations for action where appropriate.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
34. P a g e | 34
Risk reports should include the current status of measures agreed by the
board or senior management to reduce risk or deal with specific risk
situations.
This includes providing the ability to monitor emerging trends through
forward-looking forecasts and stress tests.
59. Supervisors expect banks to determine risk reporting requirements
that best suit their own business models and risk profiles.
Supervisors will need to be satisfied with the choices a bank makes in
terms of risk coverage, analysis and interpretation, scalability and
comparability across group institutions.
For example, an aggregated risk report should include, but not be limited
to, the following information: capital adequacy, regulatory capital, capital
and liquidity ratio projections, credit risk, market risk, operational risk,
liquidity risk, stress testing results, inter- and intra-risk concentrations,
and funding positions and plans.
60. Supervisors expect that risk management reports to the board and
senior management provide a forward-looking assessment of risk and
should not just rely on current and past data.
The reports should contain forecasts or scenarios for key market variables
and the effects on the bank so as to inform the board and senior
management of the likely trajectory of the bank’s capital and risk profile
in the future.
Principle 9
Clarity and usefulness - Risk management reports should communicate
information in a clear and concise manner.
Reports should be easy to understand yet comprehensive enough to
facilitate informed decision-making.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
35. P a g e | 35
Reports should include meaningful information tailored to the needs of
the recipients.
61. A bank’s risk reports should contribute to sound risk management and
decision-making by their relevant recipients, including, in particular, the
board and senior management.
Risk reports should ensure that information is meaningful and tailored to
the needs of the recipients.
62. Reports should include an appropriate balance between risk data,
analysis and interpretation, and qualitative explanations.
The balance of qualitative versus quantitative information will vary at
different levels within the organisation and will also depend on the level of
aggregation that is applied to the reports.
Higher up in the organisation, more aggregation is expected and
therefore a greater degree of qualitative interpretation will be necessary.
63. Reporting policies and procedures should recognise the differing
information needs of the board, senior management, and the other levels
of the organisation (for example risk committees).
64. As one of the key recipients of risk management reports, the bank’s
board is responsible for determining its own risk reporting requirements
and complying with its obligations to shareholders and other relevant
stakeholders.
The board should ensure that it is asking for and receiving relevant
information that will allow it to fulfil its governance mandate relating to
the bank and the risks to which it is exposed.
This will allow the board to ensure it is operating within its risk
tolerance/appetite.
65. The board should alert senior management when risk reports do not
meet its requirements and do not provide the right level and type of
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
36. P a g e | 36
information to set and monitor adherence to the bank’s risk
tolerance/appetite.
The board should indicate whether it is receiving the right balance of
detail and quantitative versus qualitative information.
66. Senior management is also a key recipient of risk reports and it is
responsible for determining its own risk reporting requirements.
Senior management should ensure that it is receiving relevant
information that will allow it to fulfil its management mandate relative to
the bank and the risks to which it is exposed.
67. A bank should develop an inventory and classification of risk data
items which includes a reference to the concepts used to elaborate the
reports.
68. Supervisors expect that reports will be clear and useful.
Reports should reflect an appropriate balance between detailed data,
qualitative discussion, explanation and recommended conclusions.
Interpretation and explanations of the data, including observed trends,
should be clear.
69. Supervisors expect a bank to confirm periodically with recipients that
the information aggregated and reported is relevant and appropriate, in
terms of both amount and quality, to the governance and
decision-making process.
Principle 10
Frequency – The board and senior management (or other recipients as
appropriate) should set the frequency of risk management report
production and distribution.
Frequency requirements should reflect the needs of the recipients, the
nature of the risk reported, and the speed, at which the risk can change, as
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
37. P a g e | 37
well as the importance of reports in contributing to sound risk
management and effective and efficient decision-making across the bank.
The frequency of reports should be increased during times of
stress/crisis.
70. The frequency of risk reports will vary according to the type of risk,
purpose and recipients.
A bank should assess periodically the purpose of each report and set
requirements for how quickly the reports need to be produced in both
normal and stress/crisis situations.
A bank should routinely test its ability to produce accurate reports within
established timeframes, particularly in stress/crisis situations.
71. Supervisors expect that in times of stress/crisis all relevant and critical
credit, market and liquidity position/exposure reports are available
within a very short period of time to react effectively to evolving risks.
Some position/exposure information may be needed immediately
(intraday) to allow for timely and effective reactions.
Principle 11
Distribution - Risk management reports should be distributed to the
relevant parties while ensuring confidentiality is maintained.
72. Procedures should be in place to allow for rapid collection and
analysis of risk data and timely dissemination of reports to all appropriate
recipients.
This should be balanced with the need to ensure confidentiality as
appropriate.
73. Supervisors expect a bank to confirm periodically that the relevant
recipients receive timely reports.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
38. P a g e | 38
IV. Supervisory review, tools and cooperation
74. Supervisors will have an important role to play in monitoring and
providing incentives for a bank’s implementation of, and ongoing
compliance with the Principles.
They should also review compliance with the Principles across banks to
determine whether the Principles themselves are achieving their desired
outcome and whether further enhancements are required.
Principle 12
Review - Supervisors should periodically review and evaluate a bank’s
compliance with the eleven Principles above.
75. Supervisors should review a bank’s compliance with the Principles in
the preceding sections.
Reviews should be incorporated into the regular programme of
supervisory reviews and may be supplemented by thematic reviews
covering multiple banks with respect to a single or selected issue.
Supervisors may test a bank’s compliance with the Principles through
occasional requests for information to be provided on selected risk issues
(for example, exposures to certain risk factors) within short deadlines,
thereby testing the capacity of a bank to aggregate risk data rapidly and
produce risk reports.
Supervisors should have access to the appropriate reports to be able to
perform this review.
76. Supervisors should draw on reviews conducted by the internal or
external auditors to inform their assessments of compliance with the
Principles.
Supervisors may require work to be carried out by a bank’s internal audit
functions or by experts independent from the bank.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
39. P a g e | 39
Supervisors must have access to all appropriate documents such as
internal validation and audit reports, and should be able to meet with and
discuss risk data aggregation capabilities with the external auditors or
independent experts from the bank, when appropriate.
77. Supervisors should test a bank’s capabilities to aggregate data and
produce reports in both stress/crisis and steady-state environments,
including sudden sharp increases in business volumes.
Principle 13
Remedial actions and supervisory measures - Supervisors should have
and use the appropriate tools and resources to require effective and timely
remedial action by a bank to address deficiencies in its risk data
aggregation capabilities and risk reporting practices.
Supervisors should have the ability to use a range of tools, including Pillar
2.
78. Supervisors should require effective and timely remedial action by a
bank to address deficiencies in its risk data aggregation capabilities and
risk reporting practices and internal controls.
79. Supervisors should have a range of tools at their disposal to address
material deficiencies in a bank’s risk data aggregation and reporting
capabilities.
Such tools may include, but are not limited to, requiring a bank to take
remedial action; increasing the intensity of supervision; requiring an
independent review by a third party, such as external auditors; and the
possible use of capital add-ons as both a risk mitigant and incentive
under Pillar 2.
80. Supervisors should be able to set limits on a bank’s risks or the growth
in their activities where deficiencies in risk data aggregation and
reporting are assessed as causing significant weaknesses in risk
management capabilities.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
40. P a g e | 40
81. For new business initiatives, supervisors may require that banks’
implementation plans ensure that robust risk data aggregation is possible
before allowing a new business venture or acquisition to proceed.
82. When a supervisor requires a bank to take remedial action, the
supervisor should set a timetable for completion of the action.
Supervisors should have escalation procedures in place to require more
stringent or accelerated remedial action in the event that a bank does not
adequately address the deficiencies identified, or in the case that
supervisors deem further action is warranted.
Principle 14
Home/host cooperation - Supervisors should cooperate with relevant
supervisors in other jurisdictions regarding the supervision and review of
the Principles, and the implementation of any remedial action if
necessary.
83. Effective cooperation and appropriate information sharing between
the home and host supervisory authorities should contribute to the
robustness of a bank’s risk management practices across a bank’s
operations in multiple jurisdictions.
Wherever possible, supervisors should avoid performing redundant and
uncoordinated reviews related to risk data aggregation and risk reporting.
84. Cooperation can take the form of sharing of information within the
constraints of applicable laws, as well as discussion between supervisors
on a bilateral or multilateral basis (eg through colleges of supervisors),
including, but not limited to, regular meetings.
Communication by conference call and email may be particularly useful
in tracking required remedial actions.
Cooperation through colleges should be in line with the Basel
Committee’s Good practice principles on supervisory colleges.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
41. P a g e | 41
85. Supervisors should discuss their experiences regarding the quality of
risk data aggregation capabilities and risk reporting practices in different
parts of the group.
This should include any impediments to risk data aggregation and risk
reporting arising from cross-border issues and also whether risk data is
distributed appropriately across the group.
Such exchanges will enable supervisors to identify significant concerns at
an early stage and to respond promptly and effectively.
V. Implementation timeline and transitional arrangements
86. Supervisors expect that a bank’s data and IT infrastructures will be
enhanced in the coming years to ensure that its risk data aggregation
capabilities and risk reporting practices are sufficiently robust and
flexible enough to address their potential needs in normal times and
particularly during times of stress/crisis.
87. National banking supervisors will start discussing implementation of
the Principles with G-SIB’s senior management in early 2013.
This will ensure that banks they develop a strategy to meet the Principles
by 2016.
88. In order for G-SIBs to meet the Principles in accordance with the 2016
timeline, national banking supervisors will discuss banks’ analysis of risk
data aggregation capabilities with their senior management and agree to
timelines for required improvements.
Supervisory approaches are likely to include requiring self-assessments
by G-SIBs against these expectations in early 2013, with the goal of
closing significant gaps before 2016.
Supervisors may also engage technical experts to support their
assessments of banks’ plans in respect of the 2016 deadline.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
42. P a g e | 42
89. The Basel Committee will track G-SIBs progress towards complying
with the Principles through its Standards Implementation Group (SIG)
from 2013 onwards.
This will include any observations on the effectiveness of the Principles
themselves and whether any enhancements or other revisions of the
Principles are necessary in order to achieve the desired outcomes.
The Basel Committee will share its findings with the FSB at least annually
starting from the end of 2013.
Annex 1
Terms used in the document
Accuracy
Closeness of agreement between a measurement or record or
representation and the value to be measured, recorded or represented.
This definition applies to both risk data aggregation and risk reports.
Adaptability
The ability of risk data aggregation capabilities to change (or be
changed) in response to changed circumstances (internal or external).
Approximation
A result that is not necessarily exact, but acceptable for its given purpose.
Clarity
The ability of risk reporting to be easily understood and free from
indistinctness or ambiguity.
Completeness
Availability of relevant risk data aggregated across all firm's constituent
units (eg legal entities, business lines, jurisdictions, etc)
Comprehensiveness
Extent to which risk reports include or deal with all risks relevant to the
firm.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
43. P a g e | 43
Distribution
Ensuring that the adequate people or groups receive the appropriate risk
reports.
Frequency
The rate at which risk reports are produced over time.
Integrity
Freedom of risk data from unauthorised alteration and unauthorised
manipulation that compromise its accuracy, completeness and reliability.
Manual workarounds
Employing human-based processes and tools to transfer, manipulate or
alter data used to be aggregated or reported.
Precision
Closeness of agreement between indications or measured quantity values
obtained by replicating measurements on the same or similar objects
under specified conditions.
Reconciliation
The process of comparing items or outcomes and explaining the
differences.
Risk tolerance/appetite
The level and type of risk a firm is able and willing to assume in its
exposures and business activities, given its business and obligations to
stakeholders. It is generally expressed through both quantitative and
qualitative means.
Risk Data aggregation
Defining, gathering, and processing risk data according to the bank’s risk
reporting requirements to enable the bank to measure its performance
against its risk tolerance/appetite.
This includes sorting, merging or breaking down sets of data.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
44. P a g e | 44
Timeliness
Availability of aggregated risk data within such a timeframe as to enable a
bank to produce risk reports at an established frequency.
Validation
The process by which the correctness (or not) of inputs, processing, and
outputs is identified and quantified.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
45. P a g e | 45
Vice Chair Janet L. Yellen
At the American Economic
Association/American Finance Association
Joint Luncheon, San Diego, California
Interconnectedness and Systemic Risk:
Lessons from the Financial Crisis and
Policy Implications
Thank you, Claudia, and thanks to the American Economic Association
and the American Finance Association for the opportunity to speak to you
on a topic of growing interest to our profession and of great importance to
understanding the causes and implications of the financial crisis.
Everyone here today, I'm sure, is familiar with the tumultuous events
that introduced many Americans to the concept of systemic risk.
To recap briefly, losses arising from leveraged investments caused a few
important, but perhaps not essential, financial institutions to fail.
At first, the damage appeared to be contained, but the resulting stresses
revealed extensive interconnections among traditional banks, investment
houses, and the rapidly growing and less regulated shadow banking
sector.
Market participants lost confidence in their trading partners, and, as the
crisis unfolded, the financial sector struggled to cope with a massive
withdrawal of liquidity, the collapse of one of its most prominent
institutions, and a 40 percent drop in equity prices.
The effects of the crisis were felt far beyond the financial sector as credit
dried up and a mild recession became something far worse.
You are also, no doubt, familiar with the political response to that crisis.
After considerable debate, the Congress passed sweeping reform
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
46. P a g e | 46
legislation designed to place the nation's financial infrastructure on a
more solid foundation.
I'm referring, of course, to the banking panic of 1907.
The legislation that President Wilson signed in December 1913 created
the Federal Reserve, providing the nation with a lender of last resort to
respond to such crises.
As we approach the centennial of the Federal Reserve System, it is
striking how many of the challenges of that era remain with us today.
In 1907, the correspondent banking networks that helped concentrate
reserves in New York and other money centers also made the banking
system highly interconnected.
Today, our capability to monitor and model financial outcomes is vastly
greater, and the tools available to the Federal Reserve are vastly more
powerful, than the private capital and moral suasion that financier J. P.
Morgan summoned in 1907 to stabilize the banks and trusts.
But as we learned during the recent crisis, the financial system has also
grown much larger and more complex, and our efforts to understand and
influence it have, at best, only kept pace.
Complex links among financial market participants and institutions are a
hallmark of the modern global financial system.
Across geographic and market boundaries, agents within the financial
system engage in a diverse array of transactions and relationships that
connect them to other participants.
Indeed, much of the financial innovation that preceded the most recent
financial crisis increased both the number and types of connections that
linked borrowers and lenders in the economy.
The rapid growth in securitization and derivatives markets prior to the
crisis provides a stark example of this phenomenon.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
47. P a g e | 47
As shown in figure 1, between 2000 and 2007, the notional value of
collateralized debt obligations outstanding increased from less than $300
billion to more than $1.4 trillion.
From 2004, the earliest date for which comprehensive data are available,
to 2007, the outstanding notional amount of credit default swap (CDS)
contracts increased tenfold, from $6 trillion to $60 trillion.
This incredible growth in securitization and derivatives markets reflects a
significant increase in the number, types, and complexity of network
connections in the financial system.
Financial economists have long stressed the benefits of interactions
among financial intermediaries, and there is little doubt that some degree
of interconnectedness is vital to the functioning of our financial system.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
48. P a g e | 48
Economists take a well-reasoned and dim view of autarky as the path to
growth and stability.
Banks and other financial intermediaries channel capital from savers,
who often have short-term liquidity demands, into productive
investments that typically require stable, long-term funding.
Financial intermediaries work with one another because no single
institution can hope to access the full range of available capital and
investment opportunities in our complex economy.
Connections among market actors also facilitate risk sharing, which can
help minimize (though not eliminate) the uncertainty faced by individual
agents.
Yet experience--most importantly, our recent financial crisis--as well as a
growing body of academic research suggests that interconnections
among financial intermediaries are not an unalloyed good.
Complex interactions among market actors may serve to amplify existing
market frictions, information asymmetries, or other externalities.
The difficult task before market participants, policymakers, and
regulators with systemic risk responsibilities such as the Federal Reserve
is to find ways to preserve the benefits of interconnectedness in financial
markets while managing the potentially harmful side effects.
Indeed, new regulations required by the Dodd-Frank Wall Street Reform
and Consumer Protection Act of 2010 (Dodd-Frank Act) and changes in
supervisory practices by the Federal Reserve and other financial
regulators are intended to do just that.
In my remarks, I will discuss a few of the major regulatory and
supervisory changes under way to address the potential for excessive
systemic risk arising from the complexity and interconnectedness that
characterize our financial system.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
49. P a g e | 49
The design of an appropriate regulatory framework entails tradeoffs
between costs and benefits, and to illustrate them, I will discuss in some
detail proposals currently under consideration to mitigate risk in
over-the-counter (OTC) derivatives, which proved to be an important
channel for the transmission of risk during the recent crisis.
I am quite aware that some reforms in the wake of the financial crisis,
including those pertaining to derivatives, have been controversial.
In connection with recent rulemakings--and, more broadly, in the arena
of public debate--critics have asked whether complexity and
interconnectedness should be treated as potential sources of systemic
risk.
This is a legitimate question that the Federal Reserve welcomes and itself
seeks to answer in its roles of researcher, regulator, and supervisor.
Let me say at the outset, though, that a lack of complete certainty about
potential outcomes is not a justification for inaction, considering the size
of the threat encountered in the recent crisis.
Responsible policymakers try to make decisions with the best
information available but would always like to know more.
With that in mind, I'll begin by briefly surveying research that highlights
ways in which network structure and interconnectedness can give rise to
or exacerbate systemic risk in the financial system.
The Economics of Interconnectedness and Systemic Risk
Academic research that explores the relationship between network
structure and systemic risk is relatively new.
Not surprisingly, interest in this field has increased considerably since the
financial crisis.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
50. P a g e | 50
A search of economics research focusing on "systemic risk" or
"interconnectedness" since 2007 yields 624 publications, twice as many
as were produced in the previous 25 years.
That's not to say that economists were blind to the importance of
networks before the financial crisis.
In 2000, Franklin Allen and Douglas Gale, for example, developed an
important model of financial networks that provides insight into how
networks can influence systemic risk.
In the model studied by Allen and Gale, systemic risk arises through
liquidity shocks that can have a domino effect, causing a problem at one
bank to spread to others, potentially leading to failures throughout the
system.
In their model, interbank deposits are a primary mechanism for the
transmission of liquidity shocks from one bank to another.
Allen and Gale compare two canonical network structures: a "complete"
network, in which all banks lend to and borrow from all other banks, and
an "incomplete" network, in which each bank borrows from only one
neighbor and lends to only one other neighbor.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
51. P a g e | 51
Figure 2, panel A, presents an example of a complete network, and figure
2, panel B, an example of an incomplete network.
In the case of the complete network, banks benefit from diversified
funding streams.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
52. P a g e | 52
A liquidity shock at one bank is less likely to cause the bankruptcy of
another bank since the shock can be distributed among all banks in the
system.
In the incomplete network, funding is not diversified.
A liquidity shock at one bank is more likely to cause liquidity problems at
other connected banks because the same shock is spread over fewer
banks and is therefore larger and more destabilizing.
The principle behind this result is familiar and basic to economics:
Diversification reduces risk and improves stability.
While this idea is compelling, both economic research and the events of
the financial crisis suggest that it is incomplete.
In their classic paper on bank runs, Douglas Diamond and Philip Dybvig
showed how rational and prudent actions by individual depositors to limit
their own risks may be highly destabilizing to an institution designed to
transform short-term liabilities into long-term assets.
Xavier Freixas, Bruno Parigi, and Jean-Charles Rochet show that a
similar kind of collective action problem can arise in a network akin to a
modern check-clearing system in which credit extensions among banks
allow claims on one institution to be fulfilled by another.
Such a system is socially useful because it allows depositors to shift funds
among banks without forcing banks to sell illiquid assets, thus enabling
society as a whole to undertake more productive, long-term investment.
But in times of stress or uncertainty, such systems can be subject to
coordination failures:
A "gridlock" equilibrium can arise in which depositors at each bank
withdraw funds early in order to avoid losses arising from credit
extensions to other banks whose depositors are also expected to force an
early liquidation of assets.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
53. P a g e | 53
In Freixas, Parigi, and Rochet (2000), interbank credit extensions, while
useful, can result in institutions that are "too interconnected to fail."
These models underscore that the pattern of connections throughout a
financial network determines the systemwide implications of liquidity
shocks or other financial stresses in one part of the network.
This finding is one reason why efforts to collect more and better data on
the precise linkages among financial institutions are so important.
Without such comprehensive and detailed data, it is simply not possible
to understand how stress in one part of the network may spread and affect
the entire system.
Networks that are more interconnected are inherently more complex
than those in which market participants have fewer links to one another,
and complexity can exacerbate the kinds of coordination problems
highlighted by Diamond and Dybvig and by Freixas, Parigi, and Rochet.
Of course, "complexity" is difficult to define in a completely systematic
and satisfactory manner, but one way emphasized in recent work by
Hyun Song Shin is to consider the number of links required to connect
savers to borrowers.
Shin's analysis of interconnectedness among financial institutions is
based on the idea that the ultimate amount of lending and borrowing that
can occur in an economy is determined by economic fundamentals such
as income growth, which change only slowly over time, whereas
interbank claims can grow or contract far more quickly.
Of course, claims within the entire financial system net out to zero, but
they do affect the leverage of the institutions involved.
In Shin's model, financial institutions seek to take on more leverage
during a boom, when banks have strong capital positions and risks are
perceived to be low, but can increase leverage, in the aggregate, only by
borrowing and lending more intensively to each other.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
54. P a g e | 54
This causes the resulting network of intertwining claims to extend further
and further.
Conversely, when fundamental conditions or market sentiments change
and financial institutions prefer to shed risk, they can deleverage in the
short term only by withdrawing credit from one another.
Such deleveraging can be particularly destabilizing in longer
intermediation chains as debt claims that are called by one financial
intermediary to shore up its own assets adversely affect the liability sides
of other institutions' balance sheets.
As deleveraging accelerates and more and more financial institutions
hoard liquidity, other institutions may become concerned that their own
funding may dry up and may preemptively withdraw funding from others.
Fundamentally strong institutions are forced to liquidate assets at fire sale
prices, which results in more deleveraging and instability.
More-complex network structures are likely to be more opaque than less
complex ones.
For example, as the number of intermediaries standing between
borrowers and lenders grows, it becomes increasingly difficult to
understand how one member of the network fits into the overall system.
The well-publicized difficulties that some mortgage borrowers have had
in simply figuring out who owns their mortgages illustrates the extent to
which lengthening intermediation chains have increased the complexity
of the financial system.
Moreover, in many cases, market participants may have strong incentives
not to disclose their connections to one another.
If a bank has a profitable relationship with a borrower, it may be unwilling
to disclose it to other banks for fear that competitors will reduce or
eliminate the rents that it earns.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
55. P a g e | 55
Ricardo Caballero and Alp Simsek illustrate how a lack of information
can create systemic risk in financial networks.
In a model that is structurally similar to the incomplete interbank network
model of Allen and Gale, Caballero and Simsek examine how banks
might respond to news of a liquidity shock when each bank knows the
identities of its own counterparties but not the identities of its
counterparties' counterparties.
The authors posit that banks deal with this uncertainty by appealing to
the "maximin principle": Each seeks to maximize profits under the
assumption that the network is configured in the worst possible manner
from its own perspective.
Because each behaves as though the network structure is "stacked
against it," when banks learn of an adverse liquidity shock, each tends to
sell more of its illiquid assets and withdraw more funding from its
counterparties than it would if it had access to complete information
about the structure of interbank credit relationships.
As in Shin's model, this excessive deleveraging can create a vicious cycle,
magnifying the effects of the initial shock.
The four models we've discussed thus far are aimed at exploring general
features of financial networks.
As such, they are necessarily somewhat abstract.
With a few narrow exceptions, they treat all market participants as similar
in size and in range of activities, and they use relatively simplistic network
structures.
In the past few years, research on financial networks has moved beyond
stylized models of interbank relationships to examine the propagation of
shocks in more-realistic settings.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
56. P a g e | 56
Recent research by Gai, Haldane, and Kapadia and by Cont, Moussa, and
Santos examines how shocks propagate in network structures in which
some banks are larger and more interconnected than others.
Using numerical simulations, Gai, Haldane, and Kapadia show that, in
concentrated networks, contagion occurs less frequently and is less severe
for low degrees of network connectivity.
Contagion is significantly more likely at higher levels of connectivity.
In a concentrated financial network with a few key players, and when
liquidity shocks are targeted at the most connected institutions, distress
at highly connected banks spreads widely through the rest of the system.
In this sense, the intuition of Allen and Gale--that highly connected
networks are resilient to systemic shocks--can be misleading.
In an empirical study of 3,000 Brazilian banks, Cont, Moussa, and Santos
find that, not surprisingly, institutions with larger interbank exposures
tend to be more systemically important.
But, critically, they also find that an institution's position within the
financial network plays a significant role.
A bank that does business with a large number of relatively weak
counterparties may have greater systemic importance than an institution
with a similar number of counterparties that are better equipped to
manage potential losses.
The work of Gai, Haldane, and Kapadia and that of Cont, Moussa, and
Santos suggest that detailed and comprehensive data on the structure of
financial networks is needed to understand the systemic risks facing the
financial system and to gauge the contributions to systemic risk by
individual institutions.
I will describe in a moment how the Federal Reserve is using such data to
enhance its understanding of the OTC derivatives market.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
57. P a g e | 57
This line of research suggests that a one-size-fits-all approach to the
regulation of financial intermediaries may not be appropriate.
So, what have we learned from this brief tour through recent research on
interconnectedness and systemic risk?
We have seen how interconnectedness can be a source of strength for
financial institutions, allowing them to diversify risk while providing
liquidity and investment opportunities to savers that would not be
available otherwise.
But more-numerous and more-complex linkages also appear to make it
more difficult for institutions to address certain types of externalities,
such as those arising from incomplete information or a lack of
coordination among market participants.
These externalities may do little harm or may even be irrelevant in normal
times, but they can be devastating during a crisis.
The Global Policy Response to Reduce Systemic Risk
Governments around the globe have responded to the financial crisis by
adopting a strong, multifaceted, and coordinated reform agenda aimed at
reducing systemic risk.
At a meeting in Pittsburgh in September 2009, governments in the Group
of Twenty (G-20) endorsed work already under way in the Basel
Committee on Banking Supervision to improve capital and the
management of liquidity risk in the banking system.
I'll briefly review several Basel Committee initiatives that address
interconnectedness and systemic risk, but first, let me focus on one in
particular: higher capital requirements for global systemically important
banks (GSIBs).
Enhanced capital standards for GSIBs serve to limit the risks undertaken
by the largest, most interconnected institutions whose distress has the
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
58. P a g e | 58
greatest potential to impose negative externalities on the broader
financial system.
A framework of higher minimum regulatory capital standards for these
institutions was issued by the Basel Committee in November 2011, and
indicators of interconnectedness account for a significant proportion of
the overall score used to determine whether a bank will be subject to
higher standards.
As shown by Gai, Haldane, and Kapadia, among others, highly
interconnected firms can transmit shocks widely, impairing the rest of the
financial system and the economy.
We saw, for example, that when Lehman Brothers failed, the shock was
transmitted through money market mutual funds to the short-term
funding and interbank markets.
While some participants in each of these sectors had direct exposures to
Lehman, many more did not.
Moreover, even in cases in which direct exposures to Lehman were
manageable, the turmoil caused by Lehman's failure added stress to the
system at a particularly unwelcome time.
In this way, the failure of a highly interconnected institution such as
Lehman imposes costs on society well in excess of those borne by the
firm's shareholders and direct creditors.
Accordingly, tying enhanced capital requirements to interconnectedness
improves the resilience of the system.
Of course, higher capital requirements are not costless; they may raise
financing costs for some borrowers, and they have the potential to induce
institutions to engage in regulatory arbitrage.
An important ongoing agenda for research and policy is the design and
implementation of data-based measures of interconnectedness to ensure
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
59. P a g e | 59
that our understanding of financial system interconnections evolves in
tandem with financial innovation.
While enhanced capital standards for GSIBs are an important tool for
managing systemic risk that arises through interconnectedness, they are
not the only tool.
The Basel Committee's program contains a number of initiatives that will
help manage interconnectedness and systemic risk.
These measures include countercyclical capital buffers, liquidity
requirements, increased capital charges for exposures to large financial
institutions, large exposure rules, and deductions from capital for equity
investments in banks.
These and other initiatives will all play a role in managing the effect of
complexity and interconnectedness on financial stability.
In fact, the multifaceted nature of the reform program is an important
design principle.
One of the lessons of the recent financial crisis was that capital alone is
not sufficient to prevent or stem a crisis. Multiple channels for reform
initiatives will enhance systemic stability.
Managing Tradeoffs between Reducing Systemic Risk and
Increasing Costs: OTC Derivatives Market Reforms
In addition to the banking reforms I just discussed, the G-20 also
committed to reduce risk in OTC derivatives markets by enacting reforms
to improve transparency and decrease counterparty exposures among
market participants.
These policies must be considered carefully, as they are apt to increase
the cost of financial intermediation and that of hedging risk.
To illustrate the tradeoffs policymakers and regulators must manage
when crafting such policies, I'll next discuss in some detail a set of
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com
60. P a g e | 60
initiatives currently being implemented by prudential, market, and
systemic risk regulators around the world to address weaknesses in OTC
derivatives markets.
An OTC derivative is a privately negotiated contract between a pair of
counterparties to exchange future cash flows that depend on the
performance of an underlying asset or benchmark index.
Unlike an immediate purchase or sale of assets, OTC derivatives require
one or both sides of the transaction to make payments in the future.
Counterparty risk is therefore a key element of OTC derivatives
transactions.
The scale and significance of counterparty risks in the OTC derivatives
markets are large and, as we saw, can have economy-wide implications.
The prudent management, regulation, and oversight of these risks are
critical to ensuring that derivatives markets serve to diversify, rather than
exacerbate, systemic risk.
Significant problems with the functioning, regulation, and oversight of
derivatives markets became apparent during the financial crisis.
These problems are perhaps best exemplified by the widespread effects of
large losses by American International Group, Inc. (AIG), on its OTC
structured finance and credit derivatives positions.
In the absence of government intervention, AIG's failure would have
exposed its counterparties to substantial losses at a time of significant
financial stress and uncertainty for them and the financial system.
Indeed, for a time, the prospect of AIG's failure exacerbated the already
impaired functioning in important segments of the OTC market, and, as
that happened, it became more costly or even impossible for firms to
manage financial risks.
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
www.risk-compliance-association.com