In 2016 McKinsey and the Institute of International Finance (IIF) conducted their fourth Global Risk Data and Technology Benchmarking Survey.1The context for the 2016 survey is the regulatory environment for risk data aggregation and reporting defined by the Basel Committee on Banking Supervision regulation 239 (BCBS 239). The compliance deadline of January 2016 came and went, with most G-SIBs engaged in ongoing risk data transformations.
At the top of the list of regulatory-related challenges are the increasing scrutiny that banks expect in the near future and the rising levels of investment needed in data and technology capabilities. The dilemma can be resolved, however, if banks are able to create value from data as they tackle the regulatory agenda. This implies that the data vision and strategy banks deploy to meet regulatory needs and contribute to overall safety and soundness also support business goals. While banks remain primarily focused on risk data compliance, a few have begun to use data strategically to support business growth, through advanced analytics and digitization.
Despite investment, compliance levels are decreasing
In recent years, banks have invested significantly in their data and technology programs. These largely support remediation for regulatory initiatives such as BCBS 239. Survey respondents revealed that the programs are mostly led by the risk and finance functions and run centrally. Two-thirds said that they are aligning their programs with an overarching data vision and strategy. The immediate focus is on getting the basics right: improving operations and IT, enhancing risk management, and better supporting the business. Many banks are also deepening senior-management accountability to improve program governance and data-quality awareness, as these are key topics for regulators. In developing a culture of data-quality awareness in their business and support functions, banks have also begun to tackle the question of data ownership, seeking to harmonize overlapping functions and increase collaboration among risk, finance, and treasury.
Investments in fundamental data capabilities have varied. Value-added efforts such as automation are mostly in the beginning stages or are scheduled for a later date.
- G-SIBs. Most G-SIBs have focused on documentation and selective remediation. About one-third are documenting data lineage up to the level of provisioning data elements and including data transformation—though several are questioning the value of data lineage in the context of broader data controls. Most banks are working on enabling specific IT systems rather than particular use cases or business capabilities. All US and most European and Asian G-SIBs have conducted an independent validation. To ensure an independent perspective on the state of remediation, the validation is usually conducted by an internal team reporting to the chief risk officer. Several banks are complementing their internal validation with external support to build capabilities in their second-line function.
- D-SIBs. European and Asian D-SIBs are accelerating their remediation programs, as evidenced by rising investment levels. Three levels of maturity have been identified. At the highest level are D-SIBs adhering to the G-SIB timeline—such as Canadian banks, due to a stronger push by local regulators. A second group of D-SIBs began working on risk data and technology early on but have not yet finalized their programs. The last group are the late starters, which have only recently begun to work on risk data and technology.
Despite the data and technology investments, however, overall BCBS 239 compliance levels have declined since 2015 (Exhibit 1). Our respondents’ self-assessment is supported by the latest Basel Committee progress report on risk data aggregation and risk reporting, which finds that banks’ overall level of BCBS 239 compliance remains unsatisfactory. In fact, local supervisors have concluded that only one bank can be considered in alignment with the principles. Highlighted in the Basel Committee report is the regulators’ assessment that, based on the current state of BCBS 239 remediation, banks that began the process in 2013 will need an average of five to six years to complete it.
