
What does the European Central Bank consultation on risk data aggregation and risk reporting mean for your business?

One of the lessons learnt from the 2007 financial crisis was that IT and data architectures were inadequate for financial institutions to comprehensively manage and report on financial risks. As a result, supervisory boards have been intent on ensuring their covered institutions commit sufficient time and resources to improve their risk management capabilities. But what progress has been made since 2007, and what will the recently published European Central Bank (ECB) consultation mean for financial institutions?

First, we need to go back to January 2013, when the Basel Committee on Banking Supervision (BCBS) released “principles for effective risk data aggregation and risk reporting (RDARR)”. The principles aimed to strengthen institutions' risk data aggregation capabilities and internal risk reporting practices, improve risk management and enhance institutions’ ability to cope with stress and crisis situations. A thematic review assessing the governance, data aggregation capabilities and reporting practices was conducted by the ECB in 2016, where serious weaknesses in RDARR were identified, and institutions were urged to make timely and substantial improvements.

In July 2023, the ECB expressed further dissatisfaction that institutions were not able to manage risk-related data, due to challenges with data accuracy, timeliness, and adaptability, and released a guide on effective risk data aggregation and risk reporting to reinforce its supervisory expectations. The guide highlights that despite increased scrutiny since 2016, progress has been insufficient, and full adherence to the 2013 principles has yet to be achieved. It also broadens the reporting scope to include internal risk reports, financial reports, and supervisory reports, such as FINREP/COREP templates, submissions to stress-test exercises and Pillar 3 disclosures.

Consultation for the guide is ongoing but ends on 6 October 2023. Institutions should consider addressing their concerns via respective industry bodies and interest groups.

What are the ECB’s key concerns?


The ECB has highlighted seven key areas of concern and strongly recommended institutions make progress as a matter of priority. Addressing these requirements will improve RDARR capabilities and build a foundation for robust governance and risk management processes.

What does the ECB’s guide mean for financial institutions?


Implementing best practices on RDARR can help institutions to realise operational and financial benefits. Industry studies have reinforced the BCBS’s view that strengthening institutions’ governance frameworks, improving enterprise-wide risk data aggregation capabilities, and implementing efficient internal risk reporting practices have a positive impact on risk management, strategic steering and decision-making. This also contributes to profitability by lowering operational and IT costs through automation. Institutions will also avoid potential losses, such as those resulting from miscalculations of key risk indicators, or from inefficient monitoring of adherence to risk limits.

Being proactive with the implementation of RDARR capabilities is crucial in anticipation of increased regulatory scrutiny. ECB Banking Supervision considers improvements in governance and quality of risk data a supervisory priority. It is committed to using all of its supervisory tools and powers to take more substantial disciplinary actions against institutions that fail to adhere to its guidance, as seen by the fines this year. It is also expected that RDARR will play a more critical role in the Supervisory Review and Evaluation Process (SREP), where poor data quality might lead to a more punitive Pillar 2 Requirement (P2R).

As the principles are further clarified in the guide, the comprehensive scope of application could lead to large-scale reviews, change management and implementation projects, even for those institutions that have a strong foundation for risk reporting. While improvements discussed in the guide are a prerequisite for sound RDARR, they may not be sufficient to facilitate meaningful progress in institutions’ governance and wider risk management capabilities. Institutions should look beyond the direct regulatory demands and consider how they leverage their investments to drive strategic opportunities, to uncover the best value for their investment. The time to address these concerns is now.

How can Deloitte help?


Deloitte can help institutions understand and respond to the ECB guide in several ways, including:

  • conducting a readiness assessment: considering the BCBS principles and the ECB’s 2023 RDARR guide to assess how prepared your institution is, and advising on changes required
  • strategy planning, project management and execution support: driving RDARR capability improvements and helping management bodies realise the benefits of implementation
  • developing and implementing an RDARR reference model: ensuring comprehensive coverage of the RDARR framework across the institution.

Useful information:


Risk data aggregation and risk reporting – Executive Summary (

Principles for effective risk data aggregation and risk reporting (

Report on the thematic review on effective risk data aggregation and risk reporting (

ECB consults on Guide on effective risk data aggregation and risk reporting (

Guide on effective risk data aggregation and risk reporting (

Sanctions imposed by the ECB (

Industry studies