We here at Acin welcome the insightful approach to operational risk data that the new Basel Committee on Banking Supervision (BCBS) consultation, Revisions to the principles for the sound management of operational risk is calling for. We believe that better quality data will have a transformative impact on the ability of organisations to manage their operational risksand, on the way, how the financial industry as a whole engages with systemic risk issues.
We think the approach that the BCBS’s new consultation takes is exciting. The paper suggests firms should apply broader data governance principles to operational risk data, with a view to achieving many of the same ends that the data governance movement aspires to. These include three key areas:
- Knowing where the data comes from – The BCBS is asking firms to “establish risk reporting and management information systems (MIS) producing timely, and accurate data.” The BCBS also says that risk and control reporting should be “based on accurate data, whose integrity is ensured by strong governance and robust verification and validation procedures.” Among data governance professionals, this is known as “data lineage” – it means that firms understand how the data is created, who owns the data, how the data is used, when the data changes, and other details. Data lineage covers the whole journey the data makes, from creation to the end-user, and its purpose is to ensure data quality. Operational risk teams will need to know the lineage of the data they use to meet the new standards that the BCBS is proposing.
- Creating a unified understanding of the data – The consultation says firms should have “a common taxonomy of operational risk terms to ensure consistency of risk identification, exposure rating and risk management objectives across all business units.” In data governance lingo, this is much like a data dictionary. The objective of building one is to ensure that the entire organisation is aligned around the definitions of the terms used to talk about operational risk. Data dictionaries also identify relationships between data, and the BCBS talks about this too: “The taxonomy can distinguish operational risk exposures by event types, causes, materiality and business units where they occur; it can also flag those operational exposures that partially or entirely represent legal (including conduct), model and IT (including cyber) risks as well as exposures in the credit or market risk boundary.” At Acin, we believe that a common taxonomy within a firm helps break down barriers between the three lines of defence, because everyone has a common language to communicate in. All too often business’ are not able to comprehend how, for example, the RCSA benefits their management of their business; “risk appetite” may be misunderstood, not understood or has different meaning depending on who in the organisation you are talking to. A common taxonomy would enable the second and front line to talk in language that benefits them both, breaking down the barriers between them and possibly replacing 3 LOD with something much more fluid. If applied across the financial services industry as a whole, it would do even more – it would enable firms to quickly and easily benchmark themselves and share best practices. We are sure that this would reduce operational risk and increase resilience across the whole financial system.
- Comparing the data – In fact, the BCBS has put a whole paragraph into the consultation that specifically calls out the benefits of firms being able to perform benchmarking and comparative analysis both internally and with each other. Regulators want to see more conversations based on high-quality operational risk data. In fact, one of the big-picture goals of the data governance movement is the fostering of better collaboration, based on good-quality data. We think that, in this consultation, regulators are showing that they want to foster this dynamic within the operational risk community as well.
We believe the benefits of good data governance for operational risk data for individual firms will be tremendous – having data that everyone can trust, and which everyone understands, means that better conversations can be had. Internally, the board and senior management will feel more confident using operational risk data to make strategic decisions. Additionally, all three lines of defence will be able to trust and talk about the data, helping to reduce risk and increase control efficiency.
On a larger scale, we think that if firms across the industry were able to adopt the same definitions and standards, the door would be opened for very powerful benchmarking and comparative analysis that could substantially reduce risk levels for all participating firms. Operational risk professionals could have much deeper and more meaningful conversations around ways to analyse risks and enhance controls.
At Acin, we are already supporting enhanced data governance within the operational risk discipline by defining a standard taxonomy for risk and control data. This has been engineered with and for a group of leading financial institutions, who make up The Network. This collective and collaborative approach is enabling a group of operational risk teams to deliver improved decision-making, agile data-driven risk management, risk intelligence and strategic insights. We continue to support better data governance within operational risk because of the clear benefits it creates for firms, and could deliver for the financial system as a whole.