Risk accounting - part 2: The risk data aggregation and risk reporting (BCBS 239) foundation of enterprise risk management (ERM) and risk governance

Abstract

In the period following the global financial crisis, high-profile regulatory breaches and other instances of banks’ misconduct triggered widespread concern that the culture and standards of conduct in banks had declined to a point of unacceptability. The crisis also brought into sharp focus the inability of banks to completely and accurately report the risks they accept in order to create shareholder value. These events and circumstances culminated in a crisis of trust between banks and their stakeholders which include governments, regulators, investors and customers. In this same period, regulators focused on their primary ‘capitalat- risk’ regimes administered through the Basel capital accords, reinforcing additional levels of capital as a bank’s primary protection against unexpected losses. At the same time, Basel introduced ‘firm-at-risk’ mandates that required improvements in banks’ control over risk data and associated technology infrastructure. The most significant game-changing post-crisis regulatory mandate in this regard is the Basel Committee’s principles for effective risk data aggregation and risk reporting, also known as BCBS 239. This new mandate requires banks: to implement controls over risk data that are as robust as those applicable to accounting data; to create accurate and single authoritative sources of risk data; and to ensure the precision, timeliness, comprehensiveness and adaptability of risk reporting. BCBS 239 effectively sets the parameters for enterprise risk management (ERM) and provides the foundation on which risk governance and risk cultures can positively evolve. Whereas BCBS 239 expressly states that a common risk metric for all forms of risk is not required, the authors challenge this thinking and argue that it is only through the adoption of a common risk metric that the objectives of BCBS 239 can be reasonably achieved. Part 1 of this paper, published in Journal of Risk Management in Financial Institutions Volume Nine, Number Two (pp. 130–146), explains why bankers — risk managers and accountants in particular — must view the need for the convergence of finance and risk systems within a common control and reporting framework as an imperative. Part 2 describes the ‘Risk Accounting’ methodology and its introduction of both a common measurement framework for all forms of risk and a common risk metric, the risk unit (RU).