LO 39.6: Explain the challenges and best practices related to data aggregation at an organization.
The existence of several IT systems being operated simultaneously within a firm results in a lack of integrated IT systems. This, in turn, requires a significant amount of manual data entry to allow for proper aggregation of risk data. Best practices related to data aggregation at an organization are explained as follows: To increase efficiency and accuracy, minimize the amount of manual intervention and manual data manipulation (i.e., spreadsheets) by automating the risk data aggregation process.
Aggregated risk data needs to be accurate, timely, and comprehensive in order to have
value. Therefore, there must be standards, cutoff times, and timelines regarding the production of internal risk reports. Single platform centralized databases with single identifiers and/or consistent naming conventions could allow for the timely retrieval of multiple records of risk data across the firm. They also permit data segmentation when required to produce specific data (i.e., risk concentrations).
Create data warehouses that will take information from various subsystems and store
them in a warehouse. The data is then filtered and reorganized so that customized reports can be created using specific data from the warehouse.
Automated reconciliation will reduce the risk of manual errors and incomplete
information. For example, off-balance sheet data should not be omitted.
Periodic reconciliation of risk and financial data will ensure the accuracy and proper
operation of the IT system.
For merger and acquisition transactions, ensuring that legacy IT systems are integrated
into the chosen IT system as soon as possible.
When obtaining approvals for new IT purchases, involve the appropriate technical staff to ensure that the existing systems can process and aggregate data from these new items.
Page 30
2018 Kaplan, Inc.
Topic 39 Cross Reference to GARP Assigned Reading – Senior Supervisors Group
Ke y C o n c e pt s
LO 39.1 A risk appetite framework (RAF) sets in place a clear, future-oriented perspective of the firms target risk profile in a number of different scenarios and maps out a strategy for achieving that risk profile. An RAF should start with a risk appetite statement that is essentially a mission statement from a risk perspective. Benefits of a well-developed RAF include assisting firms in preparing for the unexpected and greatly improving a firms strategic planning and tactical decision-making.
LO 39.2 The chief risk officer (CRO) should be easily available to the board of directors (board) and there should be a strong alliance between the CRO and the chief financial officer (CFO).
The chief executive officer (CEO) should strongly support the RAF and give the CRO the final word on risk decisions.
The board should: be willing to challenge management to operate the firm consistent with the RAF, actively work with senior management to continually revise the RAF, have sufficient technical and business understanding of the risks facing the firm, be proactive in stating the nature and frequency of the information they need, and set up a reputational risk committee.
LO 39.3 The RAF helps to ensure that each business lines strategies are congruent with the firms desired risk profile. It also considers the integrated nature of the business lines within the firm.
Many metrics can be monitored as part of an effective RAF. Risk metrics should be divided into classes, depending on who is receiving the information within the firm.
LO 39.4 A robust data infrastructure results in management being able to make proper decisions regarding a firms strategy, risk appetite, and risk management. Additionally, it allows for the ability to sufficiently document and convey the firms risk reporting requirements.
Key elements of an effective IT risk management policy include: clearly defined standards and internal risk reporting requirements, sufficient funding to develop IT systems, assessing IT infrastructure and capacity prior to approving new products, timely post implementation reviews of IT systems, and sufficient governance for outsourced IT activities.
2018 Kaplan, Inc.
Page 31
Topic 39 Cross Reference to GARP Assigned Reading – Senior Supervisors Group
LO 39.3 Poor or fragmented IT infrastructures result from a lack of common understanding of long term business strategies between business lines and IT management, managers thinking only about short-term profits, significant turnover in IT roles, insufficient data governance, and merger and acquisition activities.
LO 39.6 The lack of integrated IT systems is the major challenge related to data aggregations. Many best practices regarding data aggregations exist including: minimizing the amount of manual data processes, using single platform centralized databases, creating data warehouses, automated and periodic data reconciliations, and timely integration of legacy IT systems.
Page 32
2018 Kaplan, Inc.
Topic 39 Cross Reference to GARP Assigned Reading – Senior Supervisors Group
C o n c e pt C h e c k e r s
1.
2.
3.
4.
3.
Which of the following statements regarding the risk appetite framework (RAF) is correct? A. The RAF represents the firms core risk strategy. B. The RAF should be amended to take advantage of all profitable opportunities. C. The RAF focuses on which risks the firm is willing to take and under what
conditions.
D. The RAF begins with the risk appetite statement that contains many elements,
including examining the composition of the income statement.
As a best practice, which of the following members of senior management should have the final word on significant risk decisions at a firm? A. Chief executive officer. B. Chief financial officer. C. Chief operating officer. D. Chief risk officer.
Which of the following statements regarding the role of a risk appetite framework (RAF) in managing the risk of individual business lines within a firm is correct? A. Individual business lines may collectively cause the firms RAF to drift when
market conditions change.
B. Sensitivity analysis is a robust tool to assist senior management and/or the board
to determine consistency with the RAF.
C. Each individual business lines risk appetite allotment according to the RAF is
independent of the others to ensure objectivity in the process.
D. The business line managers submit long-term business plans to senior
management and/or the board to determine if they are consistent with the RAF.
Which of the following statements is incorrect regarding the key elements of an effective IT risk management policy? A. Having a single person in charge of the project management office. B. Comparable funding for IT projects and revenue-generating projects. C. Post-implementation reviews of IT systems at least 24 months after
D. Outsourced and in-house IT activities being subjected to the same level of
implementation.
monitoring.
Which of the following items is a best practice related to data aggregation at an organization? A. Integrating legacy IT systems into the new IT system immediately. B. The use of one master spreadsheet to accumulate all of the data in one place. C. Periodic manual reconciliations to reduce the risk of errors and incomplete
information.
D. Allowing individual departments as much time as they require to produce
internal reports that are accurate, timely, and comprehensive.
2018 Kaplan, Inc.
Page 33
Topic 39 Cross Reference to GARP Assigned Reading – Senior Supervisors Group
C o n c e pt Ch e c k e r A n s w e r s
1. A The RAF represents the firms core risk strategy. The RAF does not necessarily need to be
amended every time there is a profitable opportunity; doing so would cause the RAF to lose its value. The RAF also focuses on which risks the firm is unwilling to take. The risk appetite statement would not likely include an examination of the composition of the income statement; it would more likely be the balance sheet (i.e., debt, equity).
2. D The willingness of the CEO to give the CRO the final word on many risk decisions is a best
practice, which has strengthened the importance of the risk management function.
3. A
Individual business lines may collectively cause the firms RAF to drift when market conditions change. Sensitivity analysis only examines one change in a variable at a time. More robust tools would be stress tests and scenario analyses, for example. Each business lines risk appetite allotment according to the RAF may be amended if another business line encounters an opportunity that requires more capital. The business line managers submit medium-term business plans to senior management and/or the board.
4. C Post-implementation reviews should be performed 618 months after implementation;
24 months or more would likely be too long. Having one person in charge of the project management office seems to have resulted in stronger coordination and communication between project staff.
5. A For merger and acquisition transactions, it is best that legacy IT systems are integrated into the chosen IT system as soon as possible. Spreadsheets are a form of manual data manipulation and, because they are not automated, they would not be a best practice. Automated reconciliations should be performed, not manual. One of the key points about internal risk reports is that they should be produced on a timely basis, therefore, there must be standards, cutoff times, and timelines regarding their production.
Page 34
2018 Kaplan, Inc.
The following is a review of the Operational and Integrated Risk Management principles designed to address the learning objectives set forth by GARP. This topic is also covered in:
In f o r ma t i o n Ri s k a n d Da t a Q u a l i t y Ma n a g e me n t
E x a m F o c u s
This topic is a qualitative examination of data quality issues. Organizations must understand the risks involved with data issues and be able to identify ways to protect one of their most valuable resources, their data. For the exam, focus on the important features of acceptable data as well as details surrounding data quality scorecards.
Topic 40
P o o r D a t a Q u a l
i t y
The following is a list of negative impacts on a business from poor data quality.
Financial impacts: Businesses may experience lower revenues (e.g., lost sales), higher expenses
(e.g., penalties, re-work costs), and lower cash flows as a result of inaccurate or incomplete data.
Confidence-based impacts: Managers may make incorrect business decisions based on faulty data. Poor forecasting may result due to input errors.
Satisfaction impacts: Customers may become dissatisfied when the business processes faulty data (e.g., billing
Inaccurate internal reporting may occur with unreliable information.
Employees may become dissatisfied when they are unable to properly perform their job
errors).
due to flawed data.
Productivity impacts: Additional (corrective) work may be required, thereby reducing production output. Delays or increases in processing time. Risk impacts: Underestimating credit risks due to inaccurate documentation, thereby exposing a lender
to potential losses (e.g., Basel II Accords for quantifying credit risk).
Underestimating investment risk, thereby exposing an investor to potential losses. Compliance impacts: A business may no longer be in compliance with regulations (e.g., Sarbanes-Oxley) if
financial reports are inaccurate.
2018 Kaplan, Inc.
Page 35
Topic 40 Cross Reference to GARP Assigned Reading – Tarantino and Cernauskas, Chapter 3
D a t a E r r o r s