UK: Risk, Data And The Supervisor The Clock Is Ticking …

Last Updated: 18 October 2012
Article by Deloitte Financial Services Group

Most Read Contributor in UK, August 2017


Resilience and transparency are driving a regulatory focus on data within G-SIBs, but the clock is ticking for all banks

This paper provides a Deloitte perspective on the recent Basel Committee on Banking Supervision (BCBS) consultative document 'Principles for Effective Risk Data Aggregation and Risk Reporting'.1 We present a point of view on the regulatory drivers for change within the industry, the implications for banks and discuss the actions that should be undertaken over the coming months.

The BCBS proposes 14 principles to ensure that data and associated processes used by the risk function are "fit for purpose". Global Systemically Important Banks (G-SIBs) are required to implement the principles in full by the beginning of 2016. However, they will need to submit a self-assessment against the principles to their local supervisor in 2013.

The BCBS paper sets clear expectations that banks will quantify their risk appetite and have robust infrastructure, processes and controls in place to monitor risks within the appropriate thresholds across credit, market, liquidity and operational risk. A summary of the 14 principles is provided in the table below.

While the individual BCBS principles cover specific aspects of risk data management and reporting, it is clear the overall intent is to set a benchmark for what is acceptable in the way a bank manages and reports risk. The implications are wider than VARs or P&L strips and have major implications for a bank's risk operating model and, more broadly, how data is managed across the bank.

Regulatory context

Moving data to centre stage

In the aftermath of the financial crisis, firms' risk management processes came under increasing regulatory scrutiny. The focus of new legislation is expanding to encompass risk governance alongside more stringent technical requirements, particulary data. The aim of the data agenda is two-fold; firstly to rectify the perceived inadequacies of banks' data capabilities during the financial crisis, particularly with regards to risk management. Secondly to ensure that firms can meet the ever growing data capture and reporting requirements that have sprung up as a result of initiatives aimed at improving the resilience and transparency of the financial system.

The ability of firms to provide timely, high quality and accurate data is a key international priority from both the perspective of macro-prudential surveillance and as an integral component in the effort to tackle the particular risks posed by Systemically Important Financial Institutions (SIFIs). Indeed inadequate data aggregation and insufficient risk reporting and IT systems have already been identified as an impediment to effective SIFI supervision. This has led to an influx of data focused international initiatives which have been endorsed at the G20 level, including the common data template for G-SIBs and the proposed BCBS principles for effective risk data aggregation and risk reporting discussed in this document. Data and data management are also a key focal point in the international work underway to increase transparency in the financial system through initiatives such as the legal entity identifier (LEI).

The issue of data has also moved to centre stage in both the EU and UK where there are a vast number of regulatory initiatives with a data reporting, processing and/or management element. These include the revisions to the Capital Requirements Directive (CRD 4) and the Capital Requirements Regulation (CRR), the proposal for revisions to the Markets in Financial Instruments Directive (MiFID II), European Market Infrastructure Regulation (EMIR) and Recovery and Resolution Directive (RRD) to name but a few. In addition there appears to be no sign of slowdown with new initiatives constantly emerging such as the Wheatley Review of LIBOR, which is likely to have a strong data element when recommendations are finalised. Furthermore, the European Supervisory Authorities (ESAs) and Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) in the UK will increasingly expect firms to extract and report specific risk data on demand.

Whilst sceptics of this revamped focus have argued that supervisors have often talked tough on data before and question their resolve to follow-through, on balance Deloitte believe this time it is quite different. Firms that put their head in the sand in the hope that this will all blow over could be in for a shock. It has already been made clear in regulatory papers and speeches that firms will be subject to supervisory reviews to ensure they are compliant with data requirements. Indeed the Bank of England and the Financial Services Authority (FSA) have stated2 that the new PRA will validate firms' data "through onsite inspections." In addition the proposed BCBS risk data principles, advocate testing firms' data processes to ensure they are robust enough to withstand a range of adverse scenarios including a surge in business volumes and potential crisis situations. Furthermore, the BCBS suggests allowing supervisors to set limits on a firm's ability to take on new risks or expand its business operations where deficiencies in data aggregation are considered to be serious enough to significantly impede risk management.

One thing is certain, poor quality, incomplete and inconsistent data is likely to put a serious strain on a firm's relationship with its supervisors and will lead to further scrutiny and challenge of the sufficiency of its risk management and governance processes in general.

The table below shows the impact of regulatory requirements on data management processes.


Our impact analysis is based on policy measures proposed in the latest official text for each regulatory initiative which may be subject to change.

We have assumed as a starting point that banks' data processes are adequate to meet current regulatory requirements. The actual impact will significantly vary from bank to bank.

Two perspectives, two solutions

Looking beyond the principles

To understand the implications of the BCBS paper the scope must be viewed through a risk lens and a data lens. Why? Because the data dimension and the risk dimension require separate and distinct solutions and pose two very different challenges.

'Risk lens'

While it is obvious from the title that the BCBS paper is addressed to the risk function, what is not immediately evident is that the implications for risk's operating model are far wider than data aggregation and reporting capabilities.

Notable requirements that will have significant implications for many banks include:

  • A bank's board and senior management should be fully aware of any limitations that prevent full risk data aggregation in terms of coverage (e.g. risks not captured or subsidiaries not included), in technical terms (e.g. risk model performance indicators or degree of reliance on manual processes) or in legal terms (e.g. sharing data across jurisdictions) [Para 23].
  • The scope relates to all risks facing the bank including Credit, Market, Liquidity and Operational risk [Para 47]. An example of time-critical operational risk is given as system unavailability or unauthorised access [Para 38 (e)].
  • The ability to define risk appetite in a measurable way and then monitor Credit, Market and Operational risks against these tolerances is expected [Para 12]. Following on from the above point, a measurable appetite for operational risk must be developed and tolerance levels set for the likes of system unavailability or unauthorised access risks.
  • The group structure should not hinder aggregation capabilities at a consolidated level or any relevant level within the organisation [Para 22]. Regional, legal entity or business line boundaries must be overcome to enable one group level view of risk consistent across geography and business units.
  • Banks are expected to maintain documented processes for reconciling reports: automated and manual reasonableness checks including an inventory of the validation rules, procedures for identifying and explaining data errors and precision requirements for regular and crisis reports [Para 44 & 45].

While banks will recognise the importance of the 14 principles in establishing a robust risk management function, it is likely that many will not have this level of maturity in their current risk operating model.

'Data lens'

The focus of the BCBS paper is on risk data but the implications are far wider than P&L strips or VAR metrics. The old adage of 'rubbish in, rubbish out' is a universal truth and implicit in the BCBS's principles is that underlying data which enables the generation of risk metrics must also be of sufficient quality. This means all forms of reference and transaction data consumed by the risk function fall within the scope of the principles. This includes counterparty data, legal entity hierarchies, book data, trade data, prices, instrument static etc.

The implications of this are huge. While the risk function is clearly responsible for the data it generates and aggregates, it is not responsible for reference or transaction data it consumes. Initial analysis of the BCBS paper may lead organisations to conclude they require a risk-data management solution. However, the requirement is much broader - an organisation-wide solution is required that will own and resolve reference or transaction data issues that affect the risk function.

While many banks have some form of data management function, Deloitte's experience is that banks have focussed on tactical work-arounds (such as manual adjustments and off-system data analysis) and not taken a more strategic approach to data management. The BCBS paper strengthens the business case for strategic change rather than yet another quick fix. For those in banks today who are trying to get the data problem recognised at CxO level and secure budget and support to improve the effectiveness of the data management function, the BCBS paper significantly strengthens the business case for change.

In many respects, the risk dimension may be an easier challenge to address as there is a defined risk organisation and operating model which reports into an accountable executive – the Chief Risk Officer. The data dimension is different. The majority of reference or transaction data in a bank is shared across many different functions and lacks a single accountable owner making it very difficult to make the necessary changes across people, process and technology.

Who should lead this data management function within the bank? This is a common challenge for many banks that are starting to tackle the data question and there is no easy answer. The role of Chief Data Officer is becoming more common but many banks still look to the CIO or CTO because data is still viewed as an 'IT issue'. However, Deloitte's experience shows that 'business-side' executives must take the lead, starting with a Data Governance committee comprising of senior executives from across the functions (Operations, Risk, Finance, Sales & trading etc) with the authority and willingness to drive change in their own organisations for the greater good of the firm.

What needs to be done now?

The clock is ticking; supervisors will be expecting G-SIBs to begin self-assessment preparation now

In preparing the self-assessment submission, banks may be tempted to only focus on satisfying each individual principle. However, while it is important to identify data issues within the self-assessment, it is critical to demonstrate to the supervisor a deep understanding of the current operating model and its deficiencies, alongside a strategic level of commitment to reach the required level of maturity and a robust plan to get there.


G-SIBs will be subject to external monitoring of their implementation of, and ongoing compliance with, the principles outlined in the BCBS paper. Supervisors across all relevant jurisdictions will be responsible for establishing a programme of ongoing review, through both firm-specific reviews and broader industry-wide thematic reviews. It is expected that national supervisors will start discussing the principles with G-SIBs in early 2013, ahead of a self-assessment submission later in the year. By 2016 all G-SIBs should have addressed the principles and closed any significant gaps.

An overview of the timeline to the 2016 deadline is shown below.


A self-assessment framework must be developed that incorporates the 14 principles. The framework should be developed by the risk function and owned by the Chief Risk Officer and embedded in the group's operating model so that the framework becomes part of business-as-usual rather than a tool for responding to a supervisory request.

One of the first activities of the self-assessment should define what 'fit for purpose' risk data looks like. The next step is to undertake a data quality review to determine reference and transaction data deficiencies as soon as possible. These data deficiencies must be passed onto the bank's data management function for effective and timely resolution.

The table below outlines the suggested activities required to prepare for the self-assessment submission.

Although the self-assessment framework will be owned by the risk function, there are number of other stakeholders that should be consulted as part of this process, such as compliance and internal audit. Compliance will need to determine the nature of their involvement regarding the self-assessment submission to the supervisor.


G-SIBs need to act now to meet the 2013 deadline but those that embrace this opportunity to deliver strategic change will gain competitive advantage.

It is clear that the 'eye' of the supervisory community is moving onto data management and away from simply prescribing the data outputs; and given the focus of the supervisory community on systemic risk, it is no surprise that risk data is under increased scrutiny.

Ensuring effective and accurate risk data aggregation across all business lines, jurisdictions and legal entities will be a major challenge for those banks that have multiple risk operating models, of varying maturity levels, and a technology and data landscape that is disparate and siloed. Establishing a data management function that can address the organisational, process and technology layers of the data lifecycle across front-office and operations, as well as other functional areas, is a goal that many have tried to achieve but with little success.

G-SIBs need to act now to be ready for self-assessment in 2013; however, all banks should recognise this paper as a sign of things to come and start to assess the current maturity of their risk operating model and data management function and develop a plan to move up the curve.

This is also an opportunity to differentiate the bank in the eyes of investors through an industry-leading risk function, to optimise regulatory capital, to establish a data management function that can increase revenue through client insights, differentiate services, improve STP rates, and decrease costs across the bank. In short, this is an opportunity to gain sustainable competitive advantage.



2 Bank of England, Prudential Regulation Authority: "Our Approach to banking supervision"; May 2011

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

In association with
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.


Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.


Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.


A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.


This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.


If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.


This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at and we will use commercially reasonable efforts to determine and correct the problem promptly.