The ECB’s revised expectations on risk data aggregation and risk reporting (RDARR)

The European Central Bank (ECB) has re-stated and formalised their minimum supervisory expectations for risk data aggregation and risk reporting (RDARR) into a “Guide on effective risk data aggregation and risk reporting.” 

This aims to accompany rather than replace the guidance provided in 2016 through public communications and institution-specific supervisory activities. Although these are not regulatory requirements, they are in the scope of relevant European and local laws.

The guide states prerequisites for effective RDARR, based on best practices observed in the industry and adjacent sectors, focusing on seven key areas:

• Responsibility of a bank’s management body.
• Scope of application of the data governance framework.
• Key roles and responsibilities for data governance.
• Implementation of a group-wide integrated data architecture.
• Timeliness of internal risk reporting.
• Implementation programs.
• Effectiveness of data quality controls.

Group-wide policies and processes, established within the overall group risk management framework or the data governance framework, are a key part of the effectiveness of data quality controls. It is expected these are in place to ensure data quality controls are also complete and allow for material data quality issues to be remediated on time.

These policies and processes should also make limitations transparent and improve accountability for data quality risks by stating clearly::

1. Definition and implementation controls for accuracy, integrity, completeness, and timeliness of key risk indicators and critical data elements, covering from the front office to the reporting layer. These should (as much as possible) be automated with periodic reconciliation against sources and reports.
2. Definition and measurement of data quality indicators, allowing systematic monitoring, and recording of results. These should feed into a comprehensive and (regularly) updated register of data quality issues, including severity assessment, root cause analysis, impact analysis, remediation processes, deadlines, and evidence of effective remediation.
3. Overview of end-user computing or end-user developed applications.
4. Documentation and available controls for any manual processes within the data preparation and reporting steps until they can be embedded in an IT-controlled environment with audit trails.
5. In a holistic view of risk, how data quality risk impacts other risk assessments such as internal capital adequacy assessments processes (ICAAP), internal liquidity adequacy assessment processes (ILAAP) or margin of conservatism (MoC) of type A in internal rating based (IRB) risk parameters.

Finally, there is the expectation that banks will make significant progress in bridging the gap between their current practices and the regulator’s objective. Moreover, it is expected this level of RDARR adequacy will trickle down from global and other systemically important institutions to non-systemically important institutions through national competent authorities. To encourage improvement the ECB has suggested that additional accountability measures could be applied, such as fines, capital add-ons and even review of fit and proper results for responsible board members if vulnerabilities in RDARR are identified and are not appropriately addressed.

Get in touch if you are interested in learning how 4most can support your organisation navigate the evolving regulatory landscape – info@4-most.co.uk.