Principle 3:
Accuracy and Integrity – A bank should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis so as to minimize the probability of errors.
It seems logical that banks would want accurate, reliable data for day-to-day decisions and regulatory compliance, but what is accurate data? How do you define it, and what steps do you need to take to ensure that your data is accurate?
Data management, data quality and data governance are key themes in the 14 Principles of BCBS 239. Today’s post in our BCBS 239 series covers data accuracy and integrity. Take a couple of minutes to go back and read the previous posts in this series covering data governance and consistency. You should also stick with us as my colleagues and I cover the other 11 Principles.
Principle 3 sets the basis for risk data aggregation guidelines. The expectations are that aggregated data are accurate, reliable and reconciled with accounting data. Any differences after reconciliation ought to be explained. In addition, banks should strive for a single, authoritative source for risk data per risk type, recognition of the disparate systems employed across the enterprise and in many cases, the impracticality of developing a Holy Grail “Single Source of Truth.” This, however, does not negate the requirements of having a firm-wide view of all exposures across all risk areas.
Also important are the technologies employed in the process. The BCBS makes mention of spreadsheets because of the special risk they pose when used in lieu of suitable enterprise systems. Proper computing policies and procedures must be in place to mitigate spreadsheet risk. And care must be taken to have controls to archive spread sheets for audit purposes. As mentioned in Principle 2, the answers to who, what, when and why will be needed by regulators as well as internal and external auditors.
It quickly becomes apparent what a poor substitute spreadsheets are when you consider the totality of the principle. It encompasses:
- Data dictionaries.
- Controls.
- Access.
- Authoritative sources.
- Automation coupled with expert judgment.
- Firm-wide aggregation across risk types, processes and procedures.
These can be daunting requirements – even for firms that have invested heavily in modernizing their IT systems. This is why IT and strategic decisions should not be made independently from one another. Several point solution acquisitions made in a vacuum without a planned firm-wide strategic and architectural roadmap will undoubtedly prove costly during integration.
Systems with documented mechanisms for inter-platform communication will ultimately prove the most flexible. Configurable workflows to allow control, reconciliation and escalation are critical. To best leverage existing investments, a holistic offering will be modular enough to incorporate preexisting technologies rather than having to “rip & replace.”
SAS offers an intuitive platform that addresses each of the issues. SAS’ risk engine can aggregate data from disparate platforms; provide workflow for control; detail audit histories; and document risk data dictionaries of all terms, hierarchies and related resources and allow ease of exploration and search. And SAS® Master Data Management integrates all of it. The SAS platform uses business rules to produce metrics showing the level of completeness of all areas of risk. SAS’s platform integrates with the most prevalent competing platforms.
Learn more about how SAS can help you address BCBS 239 compliance.
