Below are some views from John Bottega on risk around data and risk management:
1. What are the biggest data-related challenges that you expect to see in risk management for banks? What are some opportunities that banks should take advantage of?
I see three areas that challenge the data profession today in their support of risk and risk management.
The first is the challenge of unwinding years of legacy data infrastructure. It is imperative that we have confidence in the data that feeds our risk functions. From a data perspective, risk is about transparency – one must be able to “see” and identify data throughout its lineage in order to measure, assess and predict. Many firms, in particular, the larger banks, have grown over the years through mergers & acquisitions, leaving decades of disparate legacy data infrastructure to unwind. This presents a very real (and very expensive) challenge to firms striving to achieve improved risk management.
Second is enabling a data-centric business culture. Data that feed into risk functions are the result of business processes and workflows, enabled by technology. It is the business that must define the data. It is the business that must define the processes. It is the business that must define how it is maintained. If the processes that surround this creation, definition and maintenance are faulty, then the data will be as well. This represents a significant culture change in how we, as an industry, do business. Data is in every activity and is everyone’s responsibility. Firms must, therefore, embrace a “culture of data management” across all of their operations.
And the third is establishing an effective and sustainable governance environment. Who is responsible for a firm’s data? What policies are in place to ensure data has been properly entered, correctly maintained and appropriately used? Who defines how data is harmonized across the enterprise? Data governance must ensure consistent definition of data, aligned to meaning, through the creation and maintenance of data taxonomies, ontologies and metadata. This can only be achieved and sustained when an operational data control environment is achieved.
If these are the highlighted challenges, the good news is, overcoming these challenges will enable firms to truly realize the value of their data. Everything needed for risk is a foundation for all other activities. A sustainable data infrastructure for risk is the same infrastructure for analytics. It is the same for BIG Data. It is the same for Marketing. Data management best practices and operational data hygiene will pay dividends across all functions of a firm once operationalized.
2. How can banks improve their data aggregation and data reporting processes?
Like any discipline, applying best practices is the best way to ‘influence’ improvement. Thus, there are a number of steps that must be done to improve the data aggregation and data reporting processes.
First, simplify. Given the complexity and disparity of the legacy environment, it is important to first identify and document information about the most critical domains of data. This would include identification of the domains, declaration of critical data elements and documentation of data flows, calling out any compounding and/or transformation processes. Second, make sure data is aligned to meaning. This is a data ‘engineering’ exercise. This is not about technology; instead, it’s about making sure the data definitions, taxonomies and metadata are precise and complete. Next, implement a discipline of data quality. For all relevant domains, ensure the critical elements’ values fall within required data quality tolerances, and the processes and checkpoints are in place to monitor and maintain. And finally, enable with technology. Technology must play the role of enabler – to take the business definitions and business processes defined above and instantiate these into a technology platform that is resilient and sustainable.
3. What do you suggest in terms of frequency of reporting to top management? Do you recommend standardized reports or ad-hoc reports?
From a risk reporting perspective, there are usually standard schedules of reporting that most firms follow. These can be daily, weekly, monthly or quarterly reports, depending on the specific category of risk being tracked and reported. Standardized reports are the best way to ensure a regular flow of information to senior management and across the organization; however, risk reporting is actually about the ability to produce a risk profile at a moment’s notice, in response to an escalated risk, crisis or contagion. This is what BCBS 239 (Risk Data Aggregation) is all about. What is the best frequency of reporting – ideally – real-time!
John A Bottega, Senior Advisor and Consultant, EDM Council, Principal, Managing Member, Data Management Advisory Services, LLC