Published on March 13, 2014
Axon for BCBS239 compliance Connecting Risk & Data Management
© Diaku 2014
for BCBS239
Principles for Effective Risk Data Aggregation and Risk Reporting
Contents
1: Summary
Context
Collaborative Understanding with Diaku Axon
Risk & Data Perspectives
About Diaku
2: Deep Dive
Diaku Axon & BCBS239
...for Risk
...for Data Management
...for Collaboration
...Diaku Self-Assessment Against BCBS239
Context
After the 2008 crisis there was a general consensus that banks needed to enhance their ability to aggregate and report risk. BCBS239 - Principles for Effective Risk Data Aggregation & Risk Reporting is a core component of the regulatory effort to address the shortcomings. Compliance for GSIBs is 01-01-16. DSIBs are likely to be held to the same timelines and requirements by their local regulator.
14 principles, grouped into four categories:
Governance & Infrastructure: A bank should have in place a strong governance framework, risk data architecture and IT infrastructure. The board and senior management are called out to understand coverage and limitations.
Risk Data Aggregation Capabilities: Banks must demonstrate the ability to generate accurate and reliable risk data in a timely manner even for ad hoc reports during crisis or at request of the regulator.
Risk Reporting Practices: Ensuring the right information is accurately presented to the right people in a clear & useful manner at the right time.
Supervisory Review, Tools & Co-Operation: The regulators should ensure they can evaluate & remediate compliance accurately and effectively.
A new way of working
BCBS239 mandates collaborative enterprise understanding
BCBS239 explicitly challenges the silo driven structure of banks today with clear requirements to bring a holistic enterprise understanding of risk data, risk data aggregation & reporting. Holistic refers to both the understanding, which must span many disciplines, and to the community, where business, IT and Risk functions need to collaborate to bring consistency and control across the data life cycle. The BCBS268 progress report showed the industry’s worst rated principles reflect today’s inability to have connected documentation, adaptability and control. To satisfy this regulation a new approach is necessary.
Collaborative enterprise understanding with Diaku Axon
Inventorise Connect Explore Collate inventories describing the building blocks of risk data aggregation Collaborate Connect business & data together to provide context, relevance & lineage Share, filter & analyse a cross-functional, cross-discipline view of the business Combine ownership with a knowledgeable community at your fingertips Community Leverage Combine understanding & community to manage risk data aggregation throughout the enterprise
A governed, controlled and shared view of your business with data and people at its heart
BCBS239: the Risk Perspective
A bank’s board and senior management should be fully aware of any limitations that prevent full risk data aggregation – coverage, technical and legal
Management needs to be aware of & understand limitations
Visualise & inspect risk data aggregation methods regardless of business lens or seniority
Processes, controls, roles, data definitions, validations, reports, usage, requirements, errors etc. must be fully documented and subject to high standards of validation.
Transparency across the full lifecycle of data aggregation
Capture all aggregation building blocks along with interconnectedness, lineage & governance
Where a bank relies on manual processes and desktop apps it should have effective mitigants and controls in place that are consistently applied
Manage manual processes & desktop apps
Bring visibility, context & governance to manual processes & desktop applications
Group structure should not hinder aggregation capabilities within the organisation. Regional, legal entity or business line boundaries must be overcome
Span organisational boundaries
Central knowledge repository with built-in glossary to bridge organisational boundaries
Banks need to implement a flexible infrastructure and operational environment to quickly produce adaptable ad-hoc reports in line with stressed scenarios
Aggregated risk on demand
End-to-end transparency drives continuous improvement towards a more lean & agile state
Must be able to assess impact to risk data aggregation & reporting capability for any new initiatives e.g. new products, process change, IT change
Impact of change initiatives
Built-in capabilities to efficiently assess & manage impact of change
Governance / Oversight / Documentation / Validation / Control
BCBS239: the Data Perspective
All forms of data consumed by the risk function fall within the scope of the principles. This includes entities & hierarchies, book & trade data, prices, instruments, static data etc.
Risk data aggregation is not limited to ‘Risk’ data
A capability to describe any data item, its lineage & its business context
An organisation wide, cross-functional approach is required to bring visibility & a unified understanding to data, its definitions, ownership, lineage, usage, controls, quality etc.
An organisation wide, cross-functional view of data
Requires no specialist knowledge to use, makes data accessible to all functions & disciplines
Data must be connected to the processes and policies that manipulate and control it. Manual movement of data and data in Excel, Access etc. must be visible and controlled
Data in context, data in desktop applications (EUCs)
Map data to systems & desktop applications, process, project, report, policy, regulation etc.
Organisation wide data taxonomies must be agreed & consistently used by the business. Governance, quality, lineage & data management processes must also be delivered.
Enterprise wide data management capability
Integrated features for definitions, governance, data quality reporting, lineage, processes & more
Requires business side executives to take the lead starting with ownership of data and its issues as well as willingness to drive change in their own organisations.
A driver for cultural change
Empower a new, responsible way of working with data driven by common understanding
Dictionaries & Definitions / Governance / Lineage / Processes / Data Quality
About Diaku
• Diaku is a Data Governance & Enterprise Understanding solution provider since 2007
• Proprietary Axon software with low threshold of adoption and low cost of ownership.
• Successfully implemented solutions for international banks.
• Proven methodology to deliver value quickly.
• Providing evangelists and key personnel to support initiatives.
• Embed seamlessly, working with the organisation, not disrupting business or IT
Diaku. Know your business, know your data
for BCBS239
Principles for Effective Risk Data Aggregation and Risk Reporting
Deep Dive...for Risk
Governance & Oversight
Documentation & Validation
Control Framework
Aggregated Risk on Demand
Governance & Oversight in Risk Reporting Inventory Purpose, definition, structure, dimensions, coverage, frequency, distribution, periodic validation Report Provenance & Quality Quantitative & qualitative assessment of report contents including lineage, data quality, governance etc. Management Business Glossary Local terms mapped to defined standards & data master sources Governance Responsibilities on all objects with acceptance & sign-offs Control / Compliance Process controls mapped to policy & regulatory requirements Macro Quality Data coverage & aggregation weakness in normal & stress conditions Business Lineage Holistic business flow including manual activities Data Lineage Business view on origination of data including desktop applications Business Context Data usage through link up to processes, projects, policies, reg requirements etc. Local Dictionaries Business definitions of key data, key stakeholders, technical mappings Data Quality Rules describing when data is fit for purpose, linked to business context Technical Lineage Link business to technical views e.g. systems, interfaces, data models etc.
• Central Knowledge Repository
• No special training required
• Built up progressively & collaboratively
• Brings detailed and summary insight from your business lens
• Build up stakeholder & knowledge community
• Periodic validation
• Assess & control change
• Leverage regulatory spend to build up corporate memory on data
Everyone Board Board and senior management should be fully aware of risk data aggregation capabilities & limitations Senior Management
Documentation & validation
Transparent: Connected inventories of the building blocks of risk data aggregation
• Key data items
• Glossary
• Data quality rules
• People roles & responsibilities
• Systems & desktop apps
• Process & controls
• Policies
• Risk reports
Validated
• Acceptance and sign-off from key stakeholders
• Enables independent review of data aggregation activities
• Integrated and aligned with other review activities in Risk domain
• Ensures validation teams are provided with appropriate IT, data and reporting knowledge
Interrogable: Data & Risk capabilities can be easily considered as part of any new initiatives, including acquisitions and/or divestitures, new product development, as well as broader process and IT change initiatives.
Cross Functional: Risk metrics are fed by data created and manipulated across many functions. Axon supports business, IT and Risk teams to enable collaboration across the organisation.
Collaboratively build easy-to-maintain, validated documentation
A bank’s risk data aggregation capabilities and risk reporting practices should be fully documented and subject to high standards of validation.
Control Framework
• The board and senior management should understand limitations and steer towards resolving those
• Controls surrounding risk data should be as robust as those applicable to accounting data and independently reviewed
• Data quality needs to be measured and exceptions managed throughout the data lifecycle while understanding materiality on decision making
• View on manual processes and desktop applications
• Service level standards on both in-house and outsourced processes
• Policies on data confidentiality, integrity and availability as well as risk management policies
• Operational Risk indicators captured and measured
• Risk reports are described with their data & business provenance captured and quality scored
• View on process & quality controls with manual interactions flagged
• Data Quality metrics integrated into view of data lineage and business context. Roles are reviewed and agreed across all objects
• Visibility and governance for desktop applications that are part of the data / process lineage
• Service levels and policies captured & grounded in data, system and process reality
• Record operational risk indicators and any issues or incidents
Aggregated Risk on Demand
• A bank should be able to generate aggregate risk data to meet a broad range of on-demand requests:
  • ad hoc risk management reporting
  • stress/crisis situation requests
  • requests due to changing internal needs
  • Supervisory requests
• Supervisors expect banks to be able to generate subsets of data based on requested scenarios or resulting from economic events e.g. country or industry level exposures
• End-to-end transparency drives continuous improvement towards a more lean & agile state
• Allows for cross functional collaboration and continuous improvement
• Integrated view of data and process lineage highlights bottlenecks and drives simplification
• Capturing controls, manual effort and quality throughout the chain identifies weakness and opportunities for automation
for BCBS239
Principles for Effective Risk Data Aggregation and Risk Reporting
Deep Dive...for Data Management
Dictionaries & Definitions
Data Governance
Data Lineage
Data Processes
Data Quality
Dictionary & Definitions
Simply and easily view data dictionaries and their mapping to a central taxonomy
Data Reality
Capture key data elements for any system or desktop application. Map local terminology to a common taxonomy (Business Glossary) by subject matter experts or automation logic. Map the business terminology to technical meta-data. Capture master source, format & data quality standards in the Business Glossary. All data definitions integrated in broader business view to give context and meaning to the business audience.
As a pre-condition establish data dictionary and ensure consistent use. Establish integrated data taxonomies which includes characteristics of the data i.e. meta-data.
Data Governance
Data governance grounded in the business reality of today
Data Community
Assign owners, stewards, supplementary roles to local and central data items. Capture roles against systems, processes, policies etc. to build comprehensive governance around risk data aggregation. Record role acceptance & detail sign-offs. Use workflow to manage changes and escalate issues. Allow anyone to follow items and be informed of changes. Use people finder to view staff and their organisational responsibilities.
A strong governance framework should be established. Owners across the business, IT and risk should work in partnership to ensure highest quality of data.
Data Lineage
Rich business and data lineage including desktop applications
Each data type should have a single authoritative source. The provenance of data should be clear to allow for reconciliation.
Insight Maps
Build up lineage progressively by collaborating with the knowledgeable cross-functional community in each area. Capture strategic master source and expose non-compliance. Generate insight from the interactive lineage maps by zooming, filtering and overlaying lineage with stakeholders, data quality, processes, projects etc. Maps include lineage in and out of desktop applications.
Data Quality info visible within data lineage
Display master sources
Data Processes
Rich Process and integrated Data lineage
Business Lineage
Document processes and connect those up to the data items and systems they draw upon. Capture responsible stakeholders and build knowledgeable community. Classify manual processes and identify control points. Generate insight from the interactive process maps by zooming, filtering and overlaying lineage with stakeholders, data quality, systems, projects etc.
Document risk data aggregation processes including manual workarounds and an explanation of the appropriateness of those.
Data Quality from a process lens
People in context
Data Quality
Data quality needs to be measured and exceptions managed throughout the data lifecycle while understanding materiality on decision making.
Data Quality defined and reported within the business context
Business Relevant
Capture Data Quality rules and link those to their business context e.g. process, project, regulation etc. Assign data quality stewards and relevant execution or remediation roles. Zoom into a glossary term, system, process, regulatory requirement etc. and view Data Quality dashboard scoped to that context.
Capture Data Quality standards and expose non-standard measurement
Overlay lineage maps with data quality information
for BCBS239
Principles for Effective Risk Data Aggregation and Risk Reporting
Deep Dive...for Collaboration
Across business disciplines
Across regulatory requirements
Periodic validation
Considering risk data & risk reporting as part of any new initiative
Across Business Disciplines
Group structure should not hinder aggregation capabilities. Regional, legal entity or business line boundaries must be overcome.
Promoting a more transparent and responsible way of working
Shared understanding
Each area charts their data and business context for all to see and connect into
Fully web based, no special training required, no jargon, covers relevant business facets for all.
Local terms are automatically matched to your standard glossary to aid terminology translation.
Understanding what is already out there and who is using what promotes reuse and alignment
Common understanding brings people together and drives cultural change
Across Regulatory Requirements
All BCBS239 principles need to be met simultaneously. Beyond BCBS239 many more regulatory requirements need to be implemented.
Leverage understanding to optimise regulatory delivery
Thematic Approach
Create inventory of regulatory requirements across programmes
Connect requirements to set of common themes (e.g. trade reporting) to create thematic context maps
Connect requirements within and across programmes to capture dependencies and conflicts.
Expose project overlaps and align work packages for those areas that are impacted more than once
Periodic Validation
The framework and its implementation need to be fully documented and subject to high standards of validation.
Liberate, collate and connect understanding already present in your organisation
Distributed effort
Leverage stakeholder & knowledge community to instantly get to the right parties to validate information
All relevant staff each being responsible for a small number of items
Retain audit trail of validations and approvals
Scheduled, workflow driven validation and recertification of roles and content as required
Assessing impact on change
Must be able to assess impact to risk data aggregation & reporting capability for any new initiatives e.g. acquisitions and/or divestiture, new product developments, process change initiatives, IT change initiatives
Leverage corporate memory to change faster, more confidently
Interrogable view
Interrogable view of the firm. Intelligent search across inventories returning only the parts of the business that are relevant to you
With a standard structure, terminology mapping and the ability to group common objects a sharp picture is available
See how items impact and depend on one another through interactive maps and analytic tools
Have sight of immediate and extended stakeholder groups
for BCBS239
Principles for Effective Risk Data Aggregation and Risk Reporting
Self-Assessment
Axon Self Assessment against BCBS
Axon self-assessment against BCBS239
Axon scores against each of the individual requirements of BCBS 239