Achieving compliance with the requirements of BCBS239 is proving to be a real headache for many banks.
As a set of principles laid down by the Basel Committee on Banking Supervision, they are hard to quarrel with. Yet because they are principles, rather than detailed requirements, knowing what to measure and report on and how to present it is far from straightforward.
Although, at its heart, BCBS239 asks for risk reports to be timely, complete and accurate, many banks struggle to understand how they should measure themselves against these headings.
Faced with such a dilemma it is only natural that banks will look to the many consultancy offerings and off-the-shelf solutions that promise a one-size-fits-all compliance with BCBS239.
However tempting such silver bullets may appear, the truth is that there are subtle differences between each institutions business operations and the legacy of IT systems that support them. As a result each bank will need to harness all of its in-house knowledge of the business processes and IT systems that deliver their key risk reports and risk metrics to establish the most effective way of achieving and demonstrating compliance.
With this in mind each organisation needs to define and embed ‘Key Performance Indicators (KPIs) within the processes and IT systems that produce their risk reports. These KPIs can then be monitored and measured, in many cases, using existing investment in monitoring tools that the organisation has already deployed, rather than buying additional monitoring solutions.
This may seem a solution that is too obvious. After all, why is it not possible just to select the information required and show it to the regulator?
This is where so many firms take the wrong turn when confronted with BCBS239. Having engaged external advisers to help them interpret the regulations’ principles and to create large-scale programmes of work to position themselves to achieve compliance, they frequently commit three fundamental errors.
For example, most banks will have daily process for creating Value at Risk (VAR), just as there are processes for risk-weighted assets and other risk reports. The temptation is to define specific KPIs to address the regulation resulting in additional sub-processes, which add little value in achieving the business process outcome.
Rather than create additional KPIs to report on VAR, banks should document their current VAR creation process and align the KPIs to the steps that drive a successful process outcome. The aim should be to retain a sharp focus and to keep things simple – defining what is critical and putting the spotlight on it.
A second common mistake is to treat compliance monitoring as a standalone activity to other service management activities. For example many risk reports rely on the receipt of files to perform a risk calculation. Missing or late files could result in unreliable calculations and an understatement or overstatement of the level of risk exposure. By thinking about compliance monitoring and measurement more holistically organisations can use the same set of KPIs and monitoring and measurement solutions to not only measure and report on compliance but also to proactively identify potential process breaks or IT failures that could result in inaccurate risk reports and potential non-compliance. Taking this a step further providing early warnings of potential breaks or failures could trigger actions to remediate the situation prior to it becoming critical and affecting compliance.
This effective prevention requires considerable expertise in business flow monitoring so that clarity and smart thinking shape the KPIs that are monitored and reported on. If banks succeed in making these KPIs relevant, specific and measurable, immediate action can be taken to prevent process breaks, triggered by proactive early-warning alerts, rather than retrospective red-light compliance indicators.
The third error banks make is simply that of not using what they already have. It is true that such complex institutions have a plethora of monitoring and control systems which generate large volumes of events and alerts but all to often the response to challenges like BCBS239 is to procure more monitoring applications and tools.
Rather than unnecessarily procuring additional solutions to monitor and measure BCBS239 KPIs banks should capitalise on their existing investment in monitoring solutions. For example many banks have invested in ITRS Geneos monitoring suite. Combining Geneos’ ability to monitor systems, applications (including many standard banking IT applications and solutions) and middleware with expertise in banking flow monitoring, meaningful real-time insights can instantly become available without the need to make additional investment in new monitoring tools.
By Marlon Arthur, Client Relationship Manager, Alpha Insight.