What are the real drivers behind BCBS 239 and the focus on enterprise risk aggregation?
The Reality of Multiple Shifting Risk Dimensions
Banks and asset managers need to quickly assess levels of exposure aggregated across a variety of dimensions to survive economic crises. Risk by portfolio, instrument type, counterparty, currency, country and securities markets are just a few areas where exposures and losses can increase rapidly. Being able to quickly access the data and compute exposures across a variety of dimensions is critical to surviving market, credit and liquidity shocks.
Market volatility can introduce rapid fluctuations in risk factors on a daily and intraday basis. Yesterday’s volatility can suddenly rise or drop and shocks often cascade across risk dimensions. This not only impacts your P&L, valuation models and risk sensitivities. It also impacts your limits, stress testing scenarios, capital buffers and funding requirements. Pre-trade analyses must be updated rapidly to minimize taking further risk, or to take counterbalancing actions such as liquidating assets or hedging.
The reality is markets move fast. From crisis to crisis the points of failure inevitably change — history repeats itself in a different form. Without the ability to rapidly identify risk concentrations and take mitigating actions, the firm and its employees are merely going for a ride in a significant market crisis.
The Way Risk Aggregation Used to Work
The impetus behind enterprise risk aggregation and BCBS 239 came to the forefront after the subprime crisis in 2007-2008. While risk aggregation was always a consideration, the rapidity and depth of market, credit and liquidity shocks during the Credit Crisis and the demise of Lehman Brothers and Bear Stearns was a massive catalyst for rethinking. These events highlighted the huge gaps in responsiveness and accuracy of existing IT risk architectures. This is what drove the Basel Committee to author BCBS 239.
The diagram above describes at a very high level how pre-crises risk reporting used to be done. There were various vertical risk computing silos by business stream. The interest Rate desk, Credit desk, Cash desk, Commodities desk, etc. would all have their specific risk calculation systems within their requisite business streams.
Results from each risk system would be stored in a relational database. That data store was also owned by a particular business stream. Both the business side and the IT team supporting that business stream would focus on a single information silo. Risk aggregation would be done within the relational store for reporting purposes.
Whenever there was a need for risk aggregation to be computed across these vertical silos, you had a requirement for manual intervention. A group of individual analysts with some IT support would scrape the risk numbers from each one of these vertical systems using SQL, Excel or a UI interface.
The scraped data would then be dumped into another aggregation store and manipulated (often manually again) to provide an aggregated report for the desk or management. This process could take days or weeks, depending on the breadth of aggregation requested and the intermediate processes that had been automated (usually in a batch sequence).
Why Investing in Risk Aggregation Technology is Mandatory
In 2007 and 2008, particularly the weekend that Lehman went down, the entire financial industry’s approach to risk aggregation and reporting failed. Risk Managers and IT Specialists worked madly with Front Desk Traders in the credit derivatives market to determine the firm’s exposure to Lehman. Determining the firm’s exposure from both counterparty and issuer perspectives became the defining factor in survival.
This mad frenzy of activity cascaded from the credit business across the organization. Everybody involved in the Capital Markets from New York, London, Tokyo and Singapore to Toronto and Sydney spent the weekend trying to get risk information to the desk and risk managers. The Chief Risk Officer waited hours and even days to understand the firm’s aggregated exposures to Lehman’s collapse and take mitigating action. In some cases it was simply too late.
That exercise showed everybody the importance of having a single risk aggregation platform to capture and compute risk across the organization. Whatever process was working pre-crisis no longer worked. Humans and their machines could no longer keep up with a cascading risk crisis.
The old system worked until it stopped working. The real crisis shot silo-based risk IT architectures full of holes.
Taking steps to modernize your bank’s or fund’s risk aggregation technology is mandatory not only to meet BCBS 239, but to protect the firm’s capital, clients and livelihoods of its employees.