Here's a scenario that most people involved in the running of a financial institution will be more than familiar with. A business or economic crisis occurs followed eventually by one or more new pieces of regulation, implementing lessons drawn from the experience.
An individual financial firm will then elect one or more trusted individuals to analyze the contents of the new regulation. The chief requirement from this piece of work is often "What do we have to do to be compliant with this new regulation?" The answer to this question determines what system the firm will actually build . Once this is understood and explained, the institution will form project plans, gather and allocate resources. This is followed by an intense period of effort and work where the solution is constructed from a combination of internally built and externally sourced systems. Alongside this effort and after, the solution is tested and adjusted until finally accepted into business as usual. It often around this point those working on the project will explain in depth to those most impacted the changes and what the new regulatory compliant world will look like.
I believe as effective as this model has been when it was the case that regulatory monitoring could be considered to be an extension of balance sheet monitoring, in today's environment this approach is damaging. The whole approach encourages firm to consider only one regulatory development at a time, in a world where prudential regulatory rules are interlinked, and increasingly so. This may create new silos, repeating some of our old mistakes.
Consideration about what will need to be reported starts with the information needed to be given to the regulator to satisfy the prime objective to demonstrate compliance. The next reporting requirement would relate to what is needed to prove that the reporting produced is true and accurate. Finally the process is concerned with what information it can give to those managing the related activities to ensure that the monitoring requirements are fulfilled.
But the prime objective of any regulatory rule change is never merely the measurement of a new or different metric. The objective is always to instigate a change in the financial institutions' actions and the workings of the market. Looked at from this perspective the considerations above are in reality completely the wrong way round! The internal reporting to those making decisions within the firm is the most important and should be considered above other considerations. The reporting needed to elicit user acceptance, or to prove truth and accuracy is useful, but it is not necessarily the same that is required by the internal decision makers. (Internal decision makers are all those people who can make decisions that will impact on the firm's compliance to the regulatory rules under consideration. This will be more than just the management or policy making team). The reporting to the regulator should be a by-product of a good strong internal management reporting system. This way round the focus can be seen to be to drive compliant behavior rather than reporting.
Let us consider some of the prudential regulatory developments that is currently of concern in the financial sector. These include BCBS 239 Principles for Effective Risk Data Aggregation and Risk Reporting, which require firms to have a unified risk and reporting management framework for a wide number of risk classes. We also have BCBS D352 Minimum capital requirements for market risk, where the role of netting, hedging and diversification play a much bigger part. One of the effect of this will be that the results will be a lot less intuitive, and the impact of specific positions more difficult to identify. This will mean the quality and depth of information to management will need to adapted accordingly. Similarly we have BCBS 279 The Standardized Approach for Measuring Counterparty Credit Risk Exposures, which will present similar reporting challenges. We should also mention BCBS 319 Interest Rate in the Banking Book and BCBS 347 Standardized Approach for Credit Risk.
These changes will mean that internal decision makers will lose much of the feel for the numbers they currently have, and so will need to be given new reports that they find meaningful. Reporters will face a tsunami of requests for explanations once the new regulations start to come into force. Much of the current thinking around these regulatory initiatives does not properly consider the potential internal reporting requirements.
In order to deliver what is needed firms need to consider the role and purpose of the management reporting process and infrastructure which can be summarized as
- Providing the correct information
- To the correct person
- At the correct time
- The information received, is well understood
The proof that the management reporting process is working will be that the recipient acts on the information received.
In order to achieve such a system we need to complete the following steps
- Identify those who need to be informed
- Identify the minimum information each recipient will need to fulfill their role
- Decide on the most effective method of presenting the information to the recipient
- Identify the best timing and frequency for the delivery of reporting
- Be clear on what the minimum data quality requirements for each report are
Each of these point need to be considered as fully as possible. Who needs to be informed is a function of the active role played by that person, not seniority of position. Firms may wish to break roles down to idealized persona, e.g. board members, senior management, line managers, control functions etc. and then define information requirements for each. The most effective method of delivery may include not only paper reports or spreadsheets, it can also include SMS texts, key figures on cards to fit into a wallet, town hall type presentations, video messages etc.
It is only after fully considering and having answers to these points the can a firm properly consider what process and therefore which systems it wishes to implement.
The result will be a process that puts informing the decision makers and hence control at the heart of the process. It is this context that a "single version of the truth" makes sense, as the information is tailored to fit the requirements of those that need most to use it.
Without such analysis as part of the regulatory change programme, firms will continue to have cases where it is difficult to see the woods for the trees. Let's not miss a golden opportunity to deliver better.