Show me the data! (Part 2)
- Peter Galea
- Sep 19, 2023
Last week I published the first post in my ‘Show me the data!’ series, kicking off with an introduction to what risk data aggregation and risk reporting (RDARR) is all about, and introducing the latest guide from the ECB, which highlights 7 areas of concern.
In this post I'll be covering the first area that the ECB delves into, namely the responsibilities of the ‘management body’ in relation to RDARR.


Before diving into more detail, let’s take a quick step back to define what is meant by ‘management body’.
The management body is the group of individuals who "set strategy, objectives and overall direction, and who oversee and monitor management decision-making" (as defined in the Capital Requirements Directive). The management body includes both executive directors (who engage actively in the business) and non-executive directors (who are responsible for overseeing and challenging the management function).
Just as a head chef curates the menu, orchestrates the kitchen, and ensures every dish is impeccable, the management body curates the company's strategy, oversees its operations, and strives for excellence in every aspect, creating a recipe for success. Check out Bradley Cooper in Burnt overseeing and leading his talented team, and eventually earning a Michelin star.

In their latest guide, the ECB sets out several expectations for the management body to ensure appropriate RDARR practices. I’ve summarised and grouped the ECB’s points into 5 components.

1. Overarching responsibilities
   - Take full responsibility for risk data quality and governance.
   - Make RDARR a key priority and ensure adequate resources are dedicated to it.
   - Establish the institution’s own view of what it means to be BCBS 239 compliant, and be aware of any limitations to full compliance. Select at least one member of the management body to exercise this responsibility.
2. Implementation and monitoring
   - Approve and implement RDARR frameworks including setting (i) detailed data quality requirements in both normal and stress periods; and (ii) detailed KPIs for data quality monitoring.
   - Regularly assess RDARR capabilities and build a kaizen culture, i.e. one of continuous improvement.
   - Monitor and oversee data remediation programmes, ensuring all is tracking to the agreed plan. Specific expectations around programme management will be covered in a later post in this series.
3. Organisational design
   - Ensure appropriate organisational and board structure design, with clear roles and RDARR responsibilities for both management and supervisory functions of the management body. Review and bolster data governance structure, with consideration for business working groups/forums, related programme boards and steering committees, executive committees as well as board-level committees. Complex structures generally drive unnecessary overlap and ineffectiveness – so beware and, where necessary, optimise!
   - In the context of larger groups, ensure consistent implementation of group-wide policies and standards with appropriate customisation to subsidiary requirements (e.g. jurisdictional requirements), where applicable.
4. Reports and MI
   - Regularly confirm that internal risk, supervisory and financial reports are meaningful and well balanced in terms of qualitative and quantitative information and are able to contribute to sound decision-making.
   - Challenge the quality of internal MI and ensure that the right level of detail is being communicated to the management body.
   - Ensure that there are appropriate structures and controls in place to ensure accurate reporting. With respect to external reporting, ensure consistency across the various regulatory submissions.
5. Knowledge, skills and experience
   - Foster a culture of learning and knowledge management, with robust training programmes that ensure members of the management body remain both individually and collectively suitable, to ensure appropriate balance and capabilities to direct the organisation towards continued success.
   - Members of the management body (including those heading internal control functions across the three lines of defence, such as CROs and Heads of Compliance) should have sufficient understanding, skills and experience in data management, technology, financial and non-financial risks, as well as related data and reporting requirements.
   - Possessing sufficient skills and experience in these areas allows individual members to assess the effect of these matters on the institution’s business and to address hot topics such as the challenges posed by digitalisation and climate-related risks.
   - Risk profiles continuously evolve as market dynamics shift; therefore, regularly reviewing training programmes is essential to ensure members of the management body are equipped with the latest intelligence to make the best decisions.

Members of the management body must take full responsibility for the implementation and regular review of RDARR frameworks that drive risk data quality.
Organisational design, including board structures, should incorporate and support data governance to ensure that RDARR is prioritised appropriately. Beware of unnecessarily complex structures!
Ensure that members of the management body have the appropriate set of knowledge, skills and experience in data management, technology, risk management as well as related data and reporting requirements. Regular training is a critical component to maintain individual and collective suitability of members of the management body.
