Sound risk data reporting: key to better decision-making and resilience

19 February 2025

Sufficiently robust risk data aggregation and risk reporting (RDARR) capabilities are crucial for sound decision making and effective risk management. Banks that manage to unlock the full potential of these capabilities can also enhance their operational efficiency and increase their resilience.

Banks with robust RDARR capabilities can more easily exploit digital tools and solutions to develop new products and services, enabling them to better respond to market changes and to realise their growth potential. Furthermore, they can reduce their operational and IT costs through automation and IT architecture modernisation. Robust RDARR capabilities support informed and timely decision making, particularly during sudden market disruptions. They help to mitigate losses by improving the accuracy of risk exposure calculations, the effectiveness of risk management and the accuracy of financial and regulatory reporting. Moreover, high-quality data is a prerequisite for exploiting innovative technologies such as AI and advanced analytics, which can significantly improve efficiency.

Robust risk data aggregation capabilities as a strength

Strong internal governance and strategic steering are crucial for banks to adequately navigate periods of crisis or market turbulence. During such periods, robust RDARR capabilities support risk monitoring and decision making in banks.

• During the COVID-19 pandemic, banks with robust RDARR capabilities were able to enhance their risk appetite frameworks by refining indicators and recalibrating limits to steer the exposure to the most affected sectors. Examples include newly developed risk dashboards to manage and monitor pandemic-related impacts, such as the phasing-out of moratoria on loan repayments.
• The Russian war in Ukraine required banks with exposures in the region to swiftly adapt their tools to assess country risk exposures amid newly imposed sanctions, particularly for their affected subsidiaries. This included increasing the frequency of reporting and additional risk indicators.
• Recent periods of market turmoil, which have led to bank failures in the United States and Switzerland, have highlighted the critical role of sound internal governance and risk management. A report by the Swiss financial market supervisory authority suggests that weak data aggregation often leaves a bank’s management without timely and accurate information, impairing decision making at crucial moments. Conversely, strong data aggregation capabilities enhance resilience during market volatility. For example, one bank successfully closed its portfolio under stress without substantial losses by applying a conservative margining approach for flexible adjustments and by implementing a proactive stress-testing framework for early risk identification and adequate follow-up.

Robust RDARR capabilities can support banks’ risk management and decision-making also in the area of climate-related and environmental (C&E) risk. While more needs to be done, banks have already made significant progress, including mapping out what data they need for risk management, disclosure and strategic steering. They have implemented various good practices for the central collection of data, quality assurance and management of data sources, as well as for determining key performance and key risk indicators. Notably, banks with stronger capabilities in this area are better equipped to capture and assess C&E risks, enabling them to respond in a more targeted manner. They face fewer challenges in ensuring consistency across disclosures, risk management and strategic steering procedures. Ultimately, enhanced capabilities help banks reduce costs and facilitate a more efficient allocation of resources to areas of material risk, and it allows these banks to better position themselves for reaping the opportunities of the climate transition.

Another area where developed RDARR capabilities have proven beneficial is private credit, an asset class that is worth more than €1 trillion globally and has grown significantly. Exposures to private credit funds are very diverse and involve many different business lines. Therefore, there is concern that banks are not able to capture and evaluate risks holistically across debtors (investors, funds, portfolio companies), instrument types and business units. This means that management reporting may not permit the bank to fully assess the credit and counterparty risks to which it is exposed, including under stress scenarios. A qualitative survey highlighted the following.

• Risk data aggregation is key for monitoring exposures holistically across business units, instrument types and legal entities. It also enables banks to have an overview of their overall exposure to a financial sponsor across funds and portfolio companies.
• In order to manage concentration risks, it is necessary to aggregate exposures both “vertically” across product types and “horizontally” across the same investors but for different funds. This is important, as exposures can be managed by different business lines but still be economically correlated.

Implementing a comprehensive work programme for RDARR supervision

Despite the positive effects of proper risk data aggregation, supervisors have observed long-standing deficiencies in this area. Banks have been slow to remediate these RDARR deficiencies for multiple reasons, such as shortcomings in their governance frameworks, fragmented IT infrastructures and high numbers of manual aggregation processes. Moreover, remediation of RDARR deficiencies is often costly, carries significant risk and takes time.

The ECB began to implement a targeted supervisory strategy in 2022 to address this vulnerability. The strategy’s aim was to help banks develop effective steering capabilities and risk management practices through robust data governance and strong data quality controls. Where needed, the ECB will use all its supervisory tools to ensure banks take timely and effective corrective action to address long-standing deficiencies.

As part of its continued efforts to enhance banks’ RDARR capabilities, the ECB has implemented an integrated framework for its on- and off-site supervisory activities (see figure below). This framework aims to address key weaknesses identified at individual banks and support improvements in decision-making processes and risk management practices. By addressing key weaknesses and promoting enforceability, the framework will increase adherence to supervisory expectations and drive long-term improvements in banks’ resilience within an increasingly complex economic and financial landscape.

Figure

Integrated framework to improve banks’ RDARR capabilities.

On-site inspection campaign to identify fundamental deficiencies

In 2022 the ECB launched a dedicated on-site inspection campaign to assess the implementation of the Basel Committee’s principles for effective risk data aggregation and risk reporting (BCBS 239) in supervised entities in more depth, and to further encourage remediation and progress in this area where needed. These on-site inspections were centrally coordinated to ensure that the same procedure was carried out across all on-site inspections and banks, and they covered around one-third of the entities directly supervised by the ECB. The campaign was planned to last three years, and it is currently nearing completion following the launch of the last on-site inspections towards the end of 2024. However, the ECB will continue conducting targeted on-site inspections to assess banks’ RDARR capabilities after the campaign has finished.

The ECB Guide on RDARR: a common benchmark for assessing progress

The ECB and national supervisory authorities used the experience and insight from the on-site campaign to refine the ECB Guide on effective risk data aggregation and risk reporting, which was published in May 2024 to clarify the minimum supervisory expectations of institutions’ RDARR capabilities. The primary rationale behind the Guide was to ensure a level playing field among supervised banks by providing a common reference point. As such, the Guide consolidates prior communications on RDARR and incorporates industry best practices for achieving sound RDARR capabilities. It prioritises areas that were identified as root causes of the insufficient progress in implementing remediation plans, such as management body shortcomings and a lack of effective implementation programmes. Finally, while not imposing new requirements, the Guide ensures consistency in supervisory expectations across on-site inspections, targeted reviews and other supervisory activities. Going forward, the ECB will assess adherence to these expectations on a case-by-case basis.

Dedicated targeted reviews launched in 2024

As part of the comprehensive work programme to improve RDARR capabilities, a series of targeted reviews on RDARR was carried out on a representative sample of banks with diverse business models over the course of 2024. The ECB Guide played a key role in the design of the review by providing a comprehensive benchmark for evaluating banks’ RDARR capabilities.

These reviews revealed significant gaps in meeting supervisory expectations, highlighting the need for banks to increase efforts in this area. Specifically, many banks do not provide proper recent or regular gap analyses where they compare against the BCBS 239 and relevant supervisory expectations. Even when such analyses have been conducted, their relevance for effective steering often remains unclear. Furthermore, banks repeatedly fail to provide credible target end dates for implementation.

Although all sampled banks have implemented a data governance framework, significant gaps remain. Common issues included unclear criteria for defining material legal entities, exclusion of some entities even when criteria were established and failure to include key decision-making or supervisory reports. Furthermore, many frameworks do not cover the entire data aggregation process, from data capture to final reporting (Charts 1 and 2).

Chart 1

Scope of application of supervised entities’ data governance frameworks

Chart 2

Roles and responsibilities

Conclusions from the 2024 Management Report on Data Governance and Data Quality

In 2023, as part of its supervisory reporting strategy, the ECB launched its Management Report on data governance and data quality. This annual exercise consists of a formal signature by the management body of significant banks, in response to a list of prepopulated data quality metrics and indicators, and answers to a questionnaire intended to collect qualitative information on data governance. The Management Report aims to (i) define supervisory expectations of banks’ management bodies in the production and transmission of supervisory data, (ii) ensure the accountability of banks’ management bodies regarding the submission of supervisory data, and (iii) identify possible weaknesses in banks’ data aggregation capabilities.

The results for the 105 banks who took part in the 2024 exercise reveal that although there was an increase from the previous year’s pilot exercise in the awareness of management body members about matters related to data governance and data quality, some critical deficiencies remain. Overall, banks’ self-assessments indicate that they do not yet view themselves as fully aligned with supervisory expectations, highlighting many areas for further improvement of their RDARR capabilities.

The outcome of the Management Report feeds into SREP scores, because banks’ answers to the questionnaire provide supervisors with information on the root causes behind data quality issues and on the adherence to BCBS 239 principles. This qualitative evidence is complemented by the quantitative perspective provided by two additional tools: (i) the Data Quality Indicator score, which is also part of the SREP and gives supervisors a uniform way of assessing the quality of banks’ supervisory data in terms of accuracy, completeness, and punctuality; and (ii) the Composite Indicator on Reliability score, a proxy for data reliability based on revisions at module, template and datapoint level.

Next steps

Despite the supervisory efforts and actions taken by banks, the number of institutions without fully adequate RDARR capabilities is still too high. The ECB is committed to driving concrete and meaningful improvements. This is also reflected in the overarching approach recently approved by the Supervisory Board. The plan/work programme aims to closely monitor the development of the RDARR capabilities of all banks and to identify and follow up on deficiencies. A key element of this approach is a clearly defined escalation process, providing banks with clear timelines and interim milestones to remediate identified shortcomings and eliminate their root causes. When initial measures fail to achieve timely results, more intrusive tools are employed to ensure effective remediation. These tools are based on the binding supervisory measures laid down in Article 16 of the SSM Regulation, which also include periodic penalty payments as potential enforcement measures.

Together, these efforts aim to ensure consistent supervisory follow-up, facilitating the tracking of tangible improvements and the timely implementation of measures.