The European Central Bank’s guidance on risk data aggregation and risk reporting (RDARR) issued in July, if followed, would produce great benefits for financial institutions. The ECB guidance identifies better risk management and advanced digitization of operations, to name a couple, leading to lower risk, fewer large investment losses and other economic benefits.
To achieve these aspirations, however, requires significant technology and operations updates that the industry has already held off for many years. Data operations have to be brought up to speed enough to support application of modern AI strategies to data governance and quality work.
RDARR Standards
The ECB guidance does set out standards firms can follow and some specific applications and programs to be implemented – particularly, data governance frameworks, data architectures and internal risk reporting. Let’s take a look at what the ECB is prescribing to consider what is possible, realistic and achievable for your firm.
Before anything else, the firm’s management must accept responsibility for risk data quality and governance, which means making RDARR a priority. Management has to make sure those working on risk and data issues are knowledgeable and qualified – and that managers responsible for risk management and compliance do understand the relevant areas. If timelines are set for a RDARR program, firm management has to make sure the milestones in the program are met.
Another element of ECB’s prescription is setting a data governance framework that has a “sufficient scope” in its risk reporting, financial reporting and supervisory reports, as well as necessary risk management models and risk appetite indicators. Also, to be effective, the data governance framework should have data owners or stewards who can guide critical data elements through the complete aggregation process. The framework will be key to implementation, monitoring and validation of RDARR processes.
Additional Elements
Other elements to the data architecture, data quality management, risk reporting and implementation for RDARR include:
- Integrated data architecture, including data taxonomies for main business concepts, and a metadata repository. This helps keep data definitions, ownership and validation clear.
- Group wide data quality management and standards, including data quality checks and regular reconciliation with other sources, data quality indicators, a register of data quality issues and limitations, integration of end-user computing and applications, adequate controls for manual workarounds, and consideration of data quality risks in capital adequacy assessments.
- Timeliness of internal risk reporting. Frequency of reporting and awareness of the time needed to do the reporting.
- Effective implementation programs. Best practices for RDARR have been available since 2013 from the international banking supervisor, the Basel Committee, in its BCBS 239 principles, and can help implement data architectures for higher data quality.
While the ECB has set out this very detailed prescription for what to do and how to comply with RDARR principles, it also is planning to work through 2025 on promoting adoption of its supervisory expectations. ECB’s “work program” will push management bodies to oversee RDARR governance and execution, benchmarking findings against the expectations in its guidance, and increased focus on data quality and reporting.
The ECB’s Banking Supervision department is planning regular annual supervision, including on-site inspections and internal model investigations to check on RDARR compliance. Promising to “intensify its intrusiveness,” the ECB plans stronger quantitative and qualitative measures to address governance gaps, as well as remediation deadlines and integration of RDARR into regular supervision.
In its guidance, the ECB noted that its previous RDARR review in 2016 found a lot of deficiencies in firms’ compliance and it began urging improvements under a new mechanism in 2019. The organization is still compelled to redouble its efforts now for the course of two more years, hoping to close the circle on these data management and risk reporting issues.