Diaku Axon for BCBS239 compliance
DESCRIPTION
A two-part presentation outlining a software-driven compliance solution for BCBS239 with the Diaku Axon platform. The first part summarises the regulation from the risk & data perspectives. The second part is a deep dive into the solution within each of those areas, and also into how enterprise-wide collaboration can be fostered. BCBS239 represents an extraordinary challenge for the financial services sector, but it also represents a real opportunity for competitive advantage.
TRANSCRIPT
Axon for BCBS239 compliance
Connecting Risk & Data Management
© Diaku 2014 2
for BCBS239 Principles for Effective Risk Data Aggregation and Risk Reporting
Contents
1: Summary
• Context
• Collaborative Understanding with Diaku Axon
• Risk & Data Perspectives
• About Diaku
2: Deep Dive
• Diaku Axon & BCBS239
• ...for Risk
• ...for Data Management
• ...for Collaboration
• ...Diaku Self-Assessment Against BCBS239
Context
After the 2008 crisis there was a general consensus that banks needed to enhance their ability to aggregate and report risk.
BCBS239 - Principles for Effective Risk Data Aggregation & Risk Reporting is a core component of the regulatory effort to address the shortcomings.
The compliance date for GSIBs is 01-01-16. DSIBs are likely to be held to the same timelines and requirements by their local regulator.
14 principles, grouped into four categories:
Governance & Infrastructure
A bank should have in place a strong governance framework, risk data architecture and IT infrastructure. The board and senior management are called out to understand coverage and limitations.
Risk Data Aggregation Capabilities
Banks must demonstrate the ability to generate accurate and reliable risk data in a timely manner even for ad hoc reports during crisis or at request of the regulator.
Risk Reporting Practices
Ensuring the right information is accurately presented to the right people in a clear & useful manner at the right time.
Supervisory Review, Tools & Co-Operation
The regulators should ensure they can evaluate & remediate compliance accurately and effectively.
A new way of working
BCBS239 mandates collaborative enterprise understanding
BCBS239 explicitly challenges the silo driven structure of banks today with clear requirements to bring a holistic enterprise understanding of risk data, risk data aggregation & reporting.
Holistic refers to both the understanding, which must span many disciplines, and to the community, where business, IT and Risk functions need to collaborate to bring consistency and control across the data life cycle.
The BCBS268 progress report showed the industry’s worst rated principles reflect today’s inability to have connected documentation, adaptability and control.
To satisfy this regulation a new approach is necessary.
Collaborative enterprise understanding with Diaku Axon
• Inventorise: Collate inventories describing the building blocks of risk data aggregation
• Connect: Connect business & data together to provide context, relevance & lineage
• Explore: Share, filter & analyse a cross-functional, cross-discipline view of the business
• Collaborate: Combine ownership with a knowledgeable community at your fingertips
• Community
• Leverage: Combine understanding & community to manage risk data aggregation throughout the enterprise
A governed, controlled and shared view of your business with data and people at its heart
BCBS239 : the Risk Perspective
A bank’s board and senior management should be fully aware of any limitations that prevent full risk data aggregation – coverage, technical and legal
Management needs to be aware of & understand limitations
Visualise & inspect risk data aggregation methods regardless of business lens or seniority
Processes, controls, roles, data definitions, validations, reports, usage, requirements, errors etc. must be fully documented and subject to high standards of validation.
Transparency across the full lifecycle of data aggregation
Capture all aggregation building blocks along with interconnectedness, lineage & governance
Where a bank relies on manual processes and desktop apps it should have effective mitigants and controls in place that are consistently applied
Manage manual processes & desktop apps
Bring visibility, context & governance to manual processes & desktop applications
Group structure should not hinder aggregation capabilities within the organisation. Regional, legal entity or business line boundaries must be overcome
Span organisational boundaries
Central knowledge repository with built-in glossary to bridge organisational boundaries
Banks need to implement a flexible infrastructure and operational environment to quickly produce adaptable ad-hoc reports in line with stressed scenarios
Aggregated risk on demand
End-to-end transparency drives continuous improvement towards a more lean & agile state
Must be able to assess impact to risk data aggregation & reporting capability for any new initiatives e.g. new products, process change, IT change
Impact of change initiatives
Built-in capabilities to efficiently assess & manage impact of change
Governance / Oversight / Documentation / Validation / Control
BCBS239 : the Data Perspective
All forms of data consumed by the risk function fall within the scope of the principles. This includes entities & hierarchies, book & trade data, prices, instruments, static data etc.
Risk data aggregation is not limited to ‘Risk’ data
A capability to describe any data item, its lineage & its business context
An organisation-wide, cross-functional approach is required to bring visibility & a unified understanding to data, its definitions, ownership, lineage, usage, controls, quality etc.
An organisation-wide, cross-functional view of data
Requires no specialist knowledge to use, makes data accessible to all functions & disciplines
Data must be connected to the processes and policies that manipulate and control it. Manual movement of data and data in Excel, Access etc. must be visible and controlled
Data in context, data in desktop applications (EUCs)
Map data to systems & desktop applications, process, project, report, policy, regulation etc.
Organisation-wide data taxonomies must be agreed & consistently used by the business. Governance, quality, lineage & data management processes must also be delivered.
Enterprise-wide data management capability
Integrated features for definitions, governance, data quality reporting, lineage, processes & more
Requires business-side executives to take the lead, starting with ownership of data and its issues as well as willingness to drive change in their own organisations.
A driver for cultural change
Empower a new, responsible way of working with data driven by common understanding
Dictionaries & Definitions / Governance / Lineage / Processes / Data Quality
About Diaku
• Diaku has been a Data Governance & Enterprise Understanding solution provider since 2007.
• Proprietary Axon software with low threshold of adoption and low cost of ownership.
• Successfully implemented solutions for international banks.
• Proven methodology to deliver value quickly.
• Providing evangelists and key personnel to support initiatives.
• Embed seamlessly, working with the organisation, not disrupting business or IT.
Diaku. Know your business, know your data
Deep Dive...for Risk
• Governance & Oversight
• Documentation & Validation
• Control Framework
• Aggregated Risk on Demand
Governance & Oversight in
Risk Reporting Inventory: Purpose, definition, structure, dimensions, coverage, frequency, distribution, periodic validation
Report Provenance & Quality: Quantitative & qualitative assessment of report contents including lineage, data quality, governance etc.
Management
Business Glossary: Local terms mapped to defined standards & data master sources
Governance: Responsibilities on all objects with acceptance & sign-offs
Control / Compliance: Process controls mapped to policy & regulatory requirements
Macro Quality: Data coverage & aggregation weakness in normal & stress conditions
Business Lineage: Holistic business flow including manual activities
Data Lineage: Business view on origination of data including desktop applications
Business Context: Data usage through link up to processes, projects, policies, reg requirements etc.
Local Dictionaries: Business definitions of key data, key stakeholders, technical mappings
Data Quality: Rules describing when data is fit for purpose, linked to business context
Technical Lineage: Link business to technical views e.g. systems, interfaces, data models etc.
• Central Knowledge Repository
• No special training required
• Built up progressively & collaboratively
• Brings detailed and summary insight from your business lens
• Build up stakeholder & knowledge community
• Periodic validation
• Assess & control change
• Leverage regulatory spend to build up corporate memory on data
Everyone Board
Board and senior management should be fully aware of risk data aggregation capabilities & limitations
Senior Management
Documentation & validation
Transparent
Connected inventories of the building blocks of risk data aggregation
• Key data items
• Glossary
• Data quality rules
• People roles & responsibilities
• Systems & desktop apps
• Process & controls
• Policies
• Risk reports
Validated
• Acceptance and sign-off from key stakeholders
• Enables independent review of data aggregation activities
• Integrated and aligned with other review activities in Risk domain
• Ensures validation teams are provided with appropriate IT, data and reporting knowledge
Interrogable
Data & Risk capabilities can be easily considered as part of any new initiatives, including acquisitions and/or divestitures, new product development, as well as broader process and IT change initiatives.
Cross Functional
Risk metrics are fed by data created and manipulated across many functions. Axon supports business, IT and Risk teams to enable collaboration across the organisation.
Collaboratively build easy-to-maintain, validated documentation
A bank’s risk data aggregation capabilities and risk reporting practices should be fully documented and subject to high standards of validation.
Control Framework
• The board and senior management should understand limitations and steer towards resolving those
• Controls surrounding risk data should be as robust as those applicable to accounting data and independently reviewed
• Data quality needs to be measured and exceptions managed throughout the data lifecycle while understanding materiality on decision making
• View on manual processes and desktop applications
• Service level standards on both in-house and outsourced processes
• Policies on data confidentiality, integrity and availability as well as risk management policies
• Operational Risk indicators captured and measured
• Risk reports are described with their data & business provenance captured and quality scored
• View on process & quality controls with manual interactions flagged
• Data Quality metrics integrated into view of data lineage and business context. Roles are reviewed and agreed across all objects
• Visibility and governance for desktop applications that are part of the data / process lineage
• Service levels and policies captured & grounded in data, system and process reality
• Record operational risk indicators and any issues or incidents
Aggregated Risk on Demand
• A bank should be able to generate aggregate risk data to meet a broad range of on-demand requests:
  • ad hoc risk management reporting
  • stress/crisis situation requests
  • requests due to changing internal needs
  • Supervisory requests
• Supervisors expect banks to be able to generate subsets of data based on requested scenarios or resulting from economic events e.g. country or industry level exposures
• End-to-end transparency drives continuous improvement towards a more lean & agile state
• Allows for cross functional collaboration and continuous improvement
• Integrated view of data and process lineage highlights bottlenecks and drives simplification
• Capturing controls, manual effort and quality throughout the chain identifies weakness and opportunities for automation
Deep Dive...for Data Management
• Dictionaries & Definitions
• Data Governance
• Data Lineage
• Data Processes
• Data Quality
Dictionary & Definitions
Simply and easily view data dictionaries and their mapping to a central taxonomy
Data Reality
Capture key data elements for any system or desktop application. Map local terminology to a common taxonomy (Business Glossary) by subject matter experts or automation logic. Map the business terminology to technical meta-data. Capture master source, format & data quality standards in the Business Glossary. All data definitions integrated in broader business view to give context and meaning to the business audience.
As a pre-condition establish data dictionary and ensure consistent use. Establish integrated data taxonomies which includes characteristics of the data i.e. meta-data.
Data Governance
Data governance grounded in the business reality of today
Data Community
Assign owners, stewards, supplementary roles to local and central data items. Capture roles against systems, processes, policies etc. to build comprehensive governance around risk data aggregation. Record role acceptance & detail sign-offs. Use workflow to manage changes and escalate issues. Allow anyone to follow items and be informed of changes. Use people finder to view staff and their organisational responsibilities.
A strong governance framework should be established. Owners across the business, IT and risk should work in partnership to ensure highest quality of data.
Data Lineage
Rich business and data lineage including desktop applications
Each data type should have a single authoritative source. The provenance of data should be clear to allow for reconciliation.
Insight Maps
Build up lineage progressively by collaborating with the knowledgeable cross-functional community in each area. Capture strategic master source and expose non-compliance. Generate insight from the interactive lineage maps by zooming, filtering and overlaying lineage with stakeholders, data quality, processes, projects etc. Maps include lineage in and out of desktop applications.
Data Quality info visible within data lineage
Display master sources
Data Processes
Rich Process and integrated Data lineage
Business Lineage
Document processes and connect those up to the data items and systems they draw upon. Capture responsible stakeholders and build knowledgeable community. Classify manual processes and identify control points. Generate insight from the interactive process maps by zooming, filtering and overlaying lineage with stakeholders, data quality, systems, projects etc.
Document risk data aggregation processes including manual workarounds and an explanation of the appropriateness of those.
Data Quality from a process lens
People in context
Data Quality
Data quality needs to be measured and exceptions managed throughout the data lifecycle while understanding materiality on decision making.
Data Quality defined and reported within the business context
Business Relevant
• Capture Data Quality rules and link those to their business context e.g. process, project, regulation etc.
• Assign data quality stewards and relevant execution or remediation roles.
• Zoom into a glossary term, system, process, regulatory requirement etc. and view Data Quality dashboard scoped to that context.
• Capture Data Quality standards and expose non-standard measurement
• Overlay lineage maps with data quality information
Deep Dive...for Collaboration
• Across business disciplines
• Across regulatory requirements
• Periodic validation
• Considering risk data & risk reporting as part of any new initiative
Across Business Disciplines
Group structure should not hinder aggregation capabilities. Regional, legal entity or business line boundaries must be overcome.
Promoting a more transparent and responsible way of working
Shared understanding
• Each area charts their data and business context for all to see and connect into
• Fully web based, no special training required, no jargon, covers relevant business facets for all.
• Local terms are automatically matched to your standard glossary to aid terminology translation.
• Understanding what is already out there and who is using what promotes reuse and alignment
• Common understanding brings people together and drives cultural change
Across Regulatory Requirements
All BCBS239 principles need to be met simultaneously. Beyond BCBS239 many more regulatory requirements need to be implemented.
Leverage understanding to optimise regulatory delivery
Thematic Approach
• Create inventory of regulatory requirements across programmes
• Connect requirements to set of common themes (e.g. trade reporting) to create thematic context maps
• Connect requirements within and across programmes to capture dependencies and conflicts.
• Expose project overlaps and align work packages for those areas that are impacted more than once
Periodic Validation
The framework and its implementation need to be fully documented and subject to high standards of validation.
Liberate, collate and connect understanding already present in your organisation
Distributed effort
• Leverage stakeholder & knowledge community to instantly get to the right parties to validate information
• All relevant staff each being responsible for a small number of items
• Retain audit trail of validations and approvals
• Scheduled, workflow-driven validation and recertification of roles and content as required
Assessing impact on change
Must be able to assess impact to risk data aggregation & reporting capability for any new initiatives e.g. acquisitions and/or divestiture, new product developments, process change initiatives, IT change initiatives
Leverage corporate memory to change faster, more confidently
Interrogable view
• Interrogable view of the firm.
• Intelligent search across inventories returning only the parts of the business that are relevant to you
• With a standard structure, terminology mapping and the ability to group common objects a sharp picture is available
• See how items impact and depend on one another through interactive maps and analytic tools
• Have sight of immediate and extended stakeholder groups
Self-Assessment
Axon Self Assessment against BCBS
Axon self-assessment against BCBS239
Axon scores against each of the individual requirements of BCBS 239