Risk and Reward: Why Getting Your Risk Data into Shape Will Lead to Business RewardsMay 10, 2015

A Survey Report on Risk and Data Governance by Oracle and the Center for Financial Professionals

2

The 2007 Global Financial Crisis (GFC) was exacerbated by the failure of the banks and other key institutions to grasp the hidden balance-sheet risks brought about by exposure to new financial products. When the crisis hit, events moved so quickly that they lost even that tenuous grip on their risk exposure. This not only jeopardized the survival of individual financial institutions (FIs) but also created systemic risks that threatened to overwhelm the financial structure of the developed world.

One of the key causes of the crisis was a weakness in financial institutions’ IT and data architecture, which had prevented them from understanding the true nature of their exposure to adverse events. Bank systems were incapable of providing rapid access to comprehensive information covering the whole enterprise. And even when they could get it, the reliability of the data was questionable, undermining decisions based on the numbers.

The Basel Committee on Banking Supervision’s response to the crisis, embodied in the legislation known as BCBS 239, was a set of rules to strengthen risk-aggregation and risk-reporting practices at banks. There are two overarching principles.

Firstly, that a financial institution’s data architecture and IT infrastructure should support risk-data-aggregation capabilities in normal times and times of crisis.

Secondly, that risk-aggregation and reporting practices should have strong governance.

But in practice, adhering to these principles fully is a big challenge for financial institutions. The Oracle and Center for Financial Professionals survey shows that significant work remains to be done even at the larger global systemically important banks (G-SIBs). Inconsistent data resulting from siloed systems and poor data quality due to multiple sources are two of the barriers impeding FIs’ attaining true compliance with BCBS 239.

In our survey of Center for Financial Professionals members, we analyze the current state of financial institutions’ preparedness for regulatory requirements, and examine their data-management initiatives. Through our survey, we also aim to understand the key challenges affecting FIs with respect to regulatory reporting; the key factors governing success of the risk-management processes; and the importance of data governance.

The other key principles can be summarized as follows:

• Accuracy and integrity: Banks should be able to generate accurate, reliable data and be capable of reconciling and validating numbers from different sources.

• Completeness: Banks should capture and aggregate all material risk data across the entire enterprise.

INTRODUCTION

• Timeliness and frequency: Banks should be able to generate aggregate and up-to-date risk data in a timely fashion and whenever required.

• Adaptability: Aggregate risk data should be available in response to ad hoc requirements.

• Clarity: Risk-management reports should communicate information clearly and concisely.

3

RESEARCH METHODOLOGYThe research for the Risk & Data Governance survey was undertaken by the Center for Financial Professionals, an impartial and independent financial research and events organizer. The Center for Financial Professionals carried out the research in two stages. The first stage consisted of an online questionnaire targeted at financial risk- and data-management professionals, which generated close to 300 responses. The process also included a number of screener questions to ensure that the most appropriate professionals were targeted. The second stage consisted of a number of one-on-one targeted interviews with C-level executives. The questions for part two were based on the online questionnaire results.

Both sets of raw-data results were supplied for analysis and interpretation. In addition, the Center for Financial Professionals provided a set of correlations and key findings from the initial online questionnaire, to better understand the topic of risk & data governance.

QuestionnaireThe Center for Financial Professionals received 272 responses to the questionnaire between February 1, 2015 and April 17, 2015.

The responses were collected online using an e-mail campaign and also at the Stress Testing USA and Risk EMEA 2015 Congresses.

InterviewsSurvey respondents were then sampled based on criteria provided by Oracle, and appropriate respondents from the sample were engaged in one-on-one interviews.

SURVEY RESULTS AND ANALYSISProfile of RespondentsThe majority of respondents were from commercial/retail banking or bank holding companies at senior level and in risk-management roles.

Type of Banking/Financial Institution

Bank Holding CompanyCommercial/Retail Banking

Community BankCredit Card Affiliate of a Bank

Foreign BankInvestment Bank

Private BankTrust Company

Other

27%19%4%1%4%11%2%2%30%

Primary Area of Functional Responsibility

RiskData Management

Finance/AccountingGeneral Management

Information TechnologyLegal

Operations/ProcessingStrategy/DevelopmentOther (please specify)

66%2%12%1%3%1%1%2%12%

Job Title or Position

President, Chairman, CEOCFO/CDO/CRO/CIO/CTO

Other C-level ExecutivePartner/Managing Partner

Vice ChairmanSenior Business Unit Executive

Assistant Vice PresidentDirector

Data Stewards/AnalystsOther

1%11%2%1%1%26%8%10%13%27%

Institution’s Total Deposits(or estimated total deposits) in Fiscal Year 2011

US$100 billion or moreUS$50 billion to less than

US$100 billionUS$25 billion to less than

US$50 billionUS$10 billion to less than

US$25 billionUS$1 billion to less than

US$10 billionLess than US$1 billion

48%

11%

7%

10%

15%

9%

4

Findings of the Survey

Almost all respondents were familiar with their institution’s data-management practices, programs or technology solutions. The majority of the respondents claimed they were prepared for the regulatory requirements i.e. BCBS 239, stress-testing and liquidity reporting. But an interesting finding emerged with regards to the preparedness response for BCBS 239; a significant 38 percent of respondents said they were slightly prepared for BCBS 239 and about 7 percent said they were not prepared at all for BCBS 239, which was higher in comparison to the other two regulations i.e. liquidity reporting and stress-testing.

Very unprepared Slightly unprepared Prepared Very prepared

Regulatory Requirements Preparedness

BCBS 239

Liquidity reporting

Stress testing

7%38%49%7%5%23%56%16%3%22%52%22%

0 1 2 3 4 5

Challenges to the Success of Organization’sRisk Management Processes

Management Reporting

Regulatory Reporting

Quantitative Capabilities

Auditability/transparency

Data Quality

Data Collection/Aggregation

Data quality emerged as the topmost challenging factor determining the success of the risk-management processes, followed by data collection or risk-data aggregation.

The majority of respondents claimed that their institutions are more effective today in their ability to view and manage risk data compared with the 2008 financial crisis. The reasons that were attributed to the increased effectiveness included more awareness towards risk data; increased support from senior management; better infrastructure or completely overhauled infrastructure to manage data; and implementation of better policies and controls.

5

Data Usage

Consistent Data Usage Across the Organization

Managed in Silos

Some areas of data are consistent, but not entire organization

Others

17.35%

25.51%

55.10%

2.04%

Use a Data Platform to Represent the“Single Point of Truth”

No60%

Yes40%

60 percent of respondents don’t use a data platform to represent the single point of truth; the major reason that emerged was multiple platforms or siloed data usage which inhibited a single point of truth.

The majority of respondents (76.53 percent) claimed that their organization has a designated Data Management Office, or a team specifically designated to manage enterprise data assets. It was also revealed that the DMO or team were closely linked to the Finance, Risk or IT departments in many organizations.

Only 17.35 percent of respondents claimed that data usage was consistent across the organization, the remainder claiming they were managing data in silos or did not have consistent data usage across the entire organization.

6

8.16%

34.69%

53.06%

4.08%

Data is Defined, Harmonized, and Appropriately Aligned to Critical Business and Risk Operation

Very Confident

Confident

Slightly Unconfident

Very Unconfident

Key Challenges in Addressing Regulatory Reporting Requirements

Managing Changes to Reporting Templates

Calculations

Data Availability

Tight Turn-around Times

0 0.5 1 1.5 2 2.5 3 3.5

5.83%

56.31%

32.04%

5.83%

Current IT/DataInfrastructure Effectiveness in Supporting the

New Risk Management Requirements

Very Effective

Effective

Not Effective

Really Not Effective

The majority of respondents (approx. 57 percent) were not confident that their data is defined, harmonized, and appropriately aligned to critical business and risk operation.

Data governance was seen more as an organizational strategy and an effective business tool for the majority of respondents. An overwhelming majority claimed that their data initiatives are supported actively by senior management. The majority of respondents claimed that data was monitored with proper access and controls. The majority of respondents claimed that they can identify data-quality issues at the element-source level. Data availability emerged as the top challenge in addressing regulatory reporting requirements.

While a good 62 percent claimed their IT/data infrastructure was effective in supporting the new risk-management requirements set by the regulators, a worrying 38 percent claimed that the infrastructure was ineffective.

The majority of respondents (83.63 percent) agreed that a common scenario-management framework was used across the organization. The majority of respondents (86.73 percent) agreed that their organization does manage regulator-specified scenarios.

7

The survey revealed a lot of positives with respect to the financial institutions’ data initiatives but it also showed that not everything is perfect. Financial institutions claimed that they are more effective today in viewing risk data; they have a data management office; have a good support from senior management for data initiatives; data is monitored with proper access and controls; they can identify data-quality issues at the element-source level; and that they had a good IT infrastructure in place to meet the regulatory requirements. Many of the financial institutions are moving forward for consistent data across their organization. One of the biggest positives that emerged was that data governance is not seen just as a mandate, but more as an organizational strategy and an effective business tool.

These findings confirmed that most of them are prepared in principle for the three regulatory requirements. But there were some red flags that emerged from the survey.

Financial institutions claimed that data availability was one of the biggest challenges they face while addressing regulatory reporting requirements; data quality and data collection/aggregation, and data consistency across the organization were the other big issues that were revealed in the survey. These issues should be the first to be addressed by financial institutions while preparing for BCBS 239 compliance. These are against the two overarching principles of BCBS 239. There is a significant gap between what financial institutions are claiming and what they are practicing.

• 53 percent of FIs who said they are prepared for BCBS 239 are not confident that the data is defined, harmonized, and appropriately aligned to critical business and risk operation in their organization.

• 61 percent of FIs who said they are prepared for BCBS 239 and 61 percent of FIs who said they were more effective in viewing and managing risk since 2008 do not use a data platform to represent the single point of truth.

• 25 percent of FIs who said they are prepared for BCBS 239 do not have an effective IT/data infrastructure to support the new risk-management requirements set by regulators.

• 64 percent of FIs who claimed they are more effective since the 2008 crisis at managing risk rate data availability as the biggest challenge.

• Only 20 percent of FIs prepared for BCBS 239 have consistent data usage across the organization.

• All is still not well post the 2008 financial crisis; approx. 83 percent of FIs who claimed better viewing and managing risk have inconsistent data and siloed data.

These are alarming findings that financial institutions should look at addressing soon—or end up facing more issues later.

8

Data availability emerges as the biggest challenge for 47 percent of FIs who said they are prepared for BCBS 239.

Data quality is an important aspect of regulatory reporting, but 40 percent of FIs who claimed to have an effective data infrastructure in place for reporting listed data quality as the top challenge for their organization’s risk-management processes.

81 percent of FIs who don’t have consistent data and are managing in silos are not confident that their data is defined, harmonized, and appropriately aligned to critical business and risk operation in their organization.

43 percent of FIs who ranked data collection/aggregation as a top challenge have inconsistent data, or it is managed in silos.

48 percent of FIs who said they do not use a data platform to represent the “single point of truth” do not currently have an effective IT/data infrastructure to support the new regulations.

Data quality and data collection/aggregation were the top challenges (63 percent) for FIs who have a Data Management Office in place or have a team.

While each organization has its own unique characteristics, several common themes emerged.

Siloed data: Perhaps the most common barrier to integrated data reporting is that FI data is, by default, held in multiple different data warehouses—for Risk, Finance, Marketing and Compliance, amongst others. A strong link was found between defined, harmonized data that is appropriately aligned to critical business and risk operation, and data being managed in silos. 81 percent of respondents who had data usage in silos were not confident of the alignment. All the FIs surveyed still have these diversified data repositories and there is little evidence of the widespread use of central data warehouses so far.

Legacy systems: The fact that data is originating from multiple sources, often employing different technology and a variety of practices, is a huge challenge when it comes to data integrity and integration. One of the largest global banks summarizes the issue:

“Accessing data across multiple platforms is a challenge; remediation of inconsistency across data systems, for example. If you have three people who type in the same thing but two do not agree with the inputted data, either inputting wrong data or different formats, that can cause all kinds of data challenges going forward.”

Organizational inertia: Because the data issue is one that crosses boundaries of function and geography, creating the single source of truth becomes more important now more than ever. This appears most challenging.

Solution: A strong business sponsorship is very important. Someone needs to understand what “bad data” is.

What’s clear is that data readiness at this point is very much a mixed bag—both in general terms and specifically in relation to the demands of BCBS 239. One of the largest global banks is unequivocal on the subject:

“If anyone says that they are ready for implementation they are not being completely honest.

Expect full compliance over the rest of the decade, as it is a significant undertaking. As for the immediate deadline, the target is a bit hit-and-miss.”

Even the banks that claim to be prepared (and most admit they aren’t) still face major issues. The problems then are clear. But the survey does show that the big FIs take this issue very seriously. Moreover, they see this as a longer-term opportunity to change core data processes and derive business benefits. This is something that should make the organizations outside the group that is subject to the BCBS 239 regulations sit up and take notice.

DO CURRENT FI DATA SYSTEMS STACK UP AGAINST THE IDEAL MODEL?The survey findings revealed there is much to be done:

9

One large insurance company whose business doesn’t fall under BCBS 239 has already engaged an external consultant to assess current data-management practices and to identify gaps relative to those standards. BCBS 239 is being used as a proxy, suggesting it is relevant even to those who don’t have to comply.

Another FI, a large US bank, is in a similar position and is being equally proactive:

“We are standing up the enterprise data governance operating model, assessing high-risk data, inventorying reports and CDEs, establishing Data Management tools and assessing how to bring business value with data. We have hired a CDO, put in place an enterprise data governance committee with a reporting structure up to exec management, and established a lead in technology to drive forth our enterprise data architecture, tools, standards and practices.”

So even those who are not yet in the “compliance net” recognize that they may fall into it in the future. That makes the experiences of the larger FIs, who have been forced to go through the exercise already, highly relevant to the domestic systemically important banks (D-SIBs) as well.

Secondly, and perhaps most importantly, the new compliance regime should be seen as an opportunity as well as a challenge. One of the most interesting conclusions of the survey of the large FIs is that most of them are not seeking to comply with BCBS 239 because they are obliged to from a regulatory perspective, but rather, because it makes good business sense.

This applies to all FIs—large and small. Tackling the issues around data accessibility is important not just from a regulatory perspective but also because there are significant business opportunities from rationalizing data into a single source of truth that is accurate, clear and complete.

A large US bank says that its work goes far beyond the deadline to comply with new regulations:

“This is a long-term investment. Obviously there are going to be some short-term gains… but we are looking at this as a means to invest strategically. So some of the programs we have started for 239 are actually going to go above and beyond the 2015 deadline even.”

Another large bank commented that:

“You cannot run this (compliance) as a standalone project, but rather it has to be part of a strategic overview and a significant change in mindset and shift in strategy.”

And finally, another US bank, which is currently not obliged to comply with BCBS 239, puts it like this:

“One could construe that it is ‘regulatory’ as the regulators are helping organizations appreciate the importance of doing this.”

This encapsulates the essence of the issue. The regulations are merely nudging organizations towards something to which they should be aspiring in any case. The hazards of failing to achieve that “single source of truth” goal listed earlier makes it clear that regardless of legislation, banks need to start tackling the data issues. In short, banks should do this, not just because they have to, but also because they are missing an opportunity to improve their businesses if they don’t.

Potential benefits include lower costs, reduced revenue loss, and the ability to take an enterprisewide view of risk exposure.

WHY SHOULD BANKS OUTSIDE THE GROUP OF GSIBS CARE?

10

What do FIs need to do to achieve data integration?

FIs will only achieve the desired level of data integration with a unified platform that eliminates the separate silos which are the main barrier to the creation of a “single source of truth”. BCBS 239 compels FIs to create a data architecture that will allow all key stakeholders to get a comprehensive view of a financial institution’s global risk exposure.

A High-Level Solution: Unified Enterprise Risk-Management PlatformThe main challenge is how to prepare the existing data, moving from a fragmented and siloed data environment, driven by disparate systems, to a unified data foundation that yields clean and reconciled data that is accurate and actionable.

This is best achieved by the creation of a unified enterprise risk-management and reporting platform that goes beyond the integration approach common today in many FIs.

A Practical Solution: Organizational Change Is KeyWithout organizational change, the practical implementation of these solutions will be difficult. Organizational inertia was identified earlier as a significant barrier to progress, and large FIs are starting to recognize that this is something that needs to be tackled from the top down. That requires installing an executive with a powerful voice and the ability to wield influence across departments and geographies.

The survey revealed that many large FIs have already gone down this road, appointing a Chief Data Officer (CDO) or equivalent with responsibility for oversight and governance, liaising with different business lines and across geographical areas.

One large investment management company describes the role thus:

“The CDO is tasked with a heavy workload and amalgamation of legacy systems, flows and so on. The challenges are immense.”

Meanwhile, a global investment bank now has:

“…a data management office and…a Chief Data Officer across the whole bank and covering all lines of business. Now we are setting up data management offices in all lines of the business with responsibility for [the entire] lifecycle of the data, starting from origination, …review of the data on an ongoing basis, the definition of the data domain, the data dictionaries, [to] defining metrics for the quality of data across the organization.”

They have gone a step further, replicating that structure across all key functions:

“We have a Chief Data Officer, one… firm-wide and [one] for each of the lines of the business, and they each have their data-management offices that propagate down to the organization.”

They also recognize that top-down policies on data quality etc. are needed if the quest to fashion a “single source of truth” solution is to succeed. This can be described as a data-management and governance program. Some organizations have started to make commitments in this area. One bank explains its initiatives as follows:

“We have an enterprise program in place and have applied enterprise-level data-management activities on very prescriptive regulatory driven initiatives… We have a board-approved data-governance policy in place, supporting implementation teams in development, oversight office in development, escalation committees in place, metadata and a data-quality program in design.”

Another points to some of the practical measures in place:

“There’s more to come, as the data-management offices gain more ground, we will establish firm-wide data dictionaries, firm-wide data-quality rules, firm-wide reviews of these metrics.”

A technical solution: Strong analytical platform incorporating BCBS principles A strong analytical platform is needed for CIOs, CTOs, CDOs, and CROs with a unified data taxonomy and architecture across multiple risk areas to ensure enterprise-wide consistency in the capture, storage and usage of data. From reporting onwards, the system should incorporate BCBS principles within a stronger, more reliable, repeatable, and comprehensive framework.

ORGANIZATIONS NEED BUSINESS-LED DATA GOVERNANCE One of the findings of the survey was that majority of the respondents see data governance as a business tool. Today organizations need business-led data governance i.e. linked to strategic business goals and outcomes. Data governance should not be seen as a one-off exercise purely for the purpose of meeting regulatory requirements. As a large investment bank puts it: This process is not going to end with just ticking the box and compliance.

11

Most FIs still have major issues to address if they’re going to comply with an increasingly stringent regulatory environment. They should not only examine their IT infrastructure, but take a holistic approach in mapping out the entire risk-data universe—and have clearly defined policies in place to meet all business needs.

In summary, FIs need to:

Operationalize effective data governance and see it as an ongoing process

Define principles for maximizing data usage, and define data access and controls

Move away from siloed data management and should consider an integrated, unified platform for consistent, clear, transparent, and actionable data

The ideal endpoint is a common data infrastructure, and effective usage of that data which leads to comprehensive/consolidated reporting.

It’s clear that some of the largest FIs are taking this issue very seriously and making big strides, not only to remedy historic deficiencies, but also with a clear eye towards the contribution that a “single source of truth” approach to data can make in strategic planning.

Many of them have taken practical steps—through the creation of executive functions such as the appointment of CDOs, creation of DMOs and a willingness to rethink the siloed approach to data. There is a message here for all FIs, whether currently obliged to meet BCBS 239 regulations or not. Firstly, they should be prepared for the time when they might be caught up in the compliance net. But secondly, and perhaps more importantly, tackling these data issues is just good for their businesses.

CONCLUSION: A WORK IN PROGRESS—BUT THE ENDPOINT WILL BE GOOD FOR BUSINESS

ABOUT ORACLEOracle is the unchallenged leader in financial services, with an integrated, best-in-class, end-to-end solution of intelligent software and powerful hardware designed to meet every financial-services need.

Oracle Financial Services Analytical Applications enable financial institutions to measure and meet risk-adjusted performance objectives, cultivate a risk-management culture, lower the costs of compliance and regulation, and improve customer insight.

For more information about Oracle, visit www.oracle.com/banking

ABOUT CENTER FOR FINANCIAL PROFESSIONALS The Center for Financial Professionals is an international research and business-to-business event organizer. It is the focal point for financial risk professionals to advance the profession through renowned thought leadership, knowledge-sharing, unparalleled networking, industry solutions, and lead generation.

Driven by and dedicated to high-quality and reliable primary market research, the Center for Financial Professionals provides financial institutions, industry professionals and companies with unparalleled knowledge-sharing through research projects and reports, peer-to-peer conferences, exhibitions, news and reports.

Whether your objective is thought leadership and networking at an international conference and exhibition, a focused training course to advance your knowledge and skillsets, or an independent research project on which to base your next thought-leadership report, the Center for Financial Professionals can provide the right service for you.

For more information, visit www.cfp-events.com

Copyright © 2012, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only

and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to

any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions

of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and

no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or

transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective

owners.

AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license

and are trademarks or registered trademarks of SPARC International, Inc. UNIX is a registered trademark licensed through X/Open

Company, Ltd.

Accelerate and Complete Your HR TransformationMarch 2012Author: Oracle Marketing

Oracle CorporationWorld Headquarters500 Oracle ParkwayRedwood Shores, CA 94065U.S.A.

Find your local Oracle contact number here: http://www.oracle.com/us/corporate/contact/global-070511.html

Oracle.com

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and

the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other

warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability

or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations

are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any

means, electronic or mechanical, for any purpose, without our prior written permission.