In 2016, the European Central Bank (ECB) launched a thematic review to assess compliance with the BCBS 239 principles at 25 significant institutions. These on-site inspections revealed serious deficiencies in RDARR practices that were followed up as part of targeted on-site inspections and under the SREP. However, progress stalled on some of the key weaknesses, such as the effectiveness of governance arrangements, risk data architectures and supporting IT infrastructures.
In 2019, the ECB sent a letter to all significant institutions under its supervision, urging them to make substantial and timely improvements to implement the integrated reporting solutions. Despite this, many of the structural deficiencies identified by the Supervisor remain unresolved.
ECB - Guide on RDARR
The ECB has identified deficiencies in risk data aggregation and risk reporting (RDARR) as a key vulnerability in its supervisory priorities for the period 2023-2025 and has developed a comprehensive and targeted strategy for the upcoming years, with the objective that significant institutions make substantial progress in remediating the identified structural shortcomings.
To facilitate this work, the ECB has launched for consultation a Guide to help banks strengthen their RDARR capabilities, based on good practices observed in the industry, as well as to specify and reinforce supervisory expectations in this area, taking the BCBS 239 principles into account.
This Technical Note provides a summary of the ECB’s supervisory expectations:
- Responsibilities of the management body. The management body should exercise full responsibility for data quality and governance as part of the overall risk management framework and make it a key priority.
- Sufficient scope of application in terms of internal risk reports, financial and supervisory reports, internal models and related risk data.
- Effective data governance framework, highlighting the roles of the three lines of defence: data owners, a central data governance function, validation and internal audit.
- Group-wide integrated data architecture. This includes having a dictionary with the main business concepts defined and a metadata repository covering all material legal entities, business lines, material risks and related risk indicators, reports and models within the scope of application.
- Data quality management and standards. Quality controls should be implemented throughout the process to assess and ensure the accuracy of critical data, with a focus on manual activities until they can be integrated into an IT-controlled environment. Data quality risks should be adequately considered by introducing a margin of conservatism (MoC) in the capital (ICAAP) and liquidity (ILAAP) assessment processes.
- Timeliness of internal risk reporting. An institution is expected to ensure that the combination of reporting frequency and production time is calibrated in such a manner as to allow for timely reactions to changes in its risk situation.
- Effective implementation programs with well-defined objectives, milestones, roles, responsibilities and risks, and with adequate financial and human resources. At least one member of the management body should be responsible for programme execution. In addition, the management body should request and receive regular feedback on the progress of the programme.
Download the technical note on Guide on effective risk data aggregation and risk reporting (RDARR) (only available in Spanish).