Heightened Risk Standards: Focus on Data Management (& BCBS 239)

Intensified scrutiny of risk data management/governance practices


KPMG Regulatory Insights

  • Governance: Sufficient involvement across the Board, senior management, and three lines of defense in the risk data aggregation and risk reporting (RDARR) framework (e.g., roles/responsibilities, review/challenge; policies, standards, procedures; metrics, risks, controls).
  • Data universe and tiering: Adequacy of the scope and breadth of data, metrics, models, reports covered by RDARR, including classification and tiering.
  • Data lineage: Ability to trace and report on the relationship between data outputs and business processes, authoritative sources, systems of record, and systems of origin.
  • Data management and quality: Standardized processes and controls around access, authorization, use, privacy, security, and sharing; accuracy of data and controls to measure and manage risk exposure and reporting. 


February 2024

Regulators are intensifying their scrutiny of financial services companies’ data management and data governance practices over risk management data, from aggregation capabilities to internal risk reporting practices. This focus on RDARR (risk data aggregation and risk reporting) is part of the regulators’ increasing supervisory and enforcement activities in areas of both financial and non-financial risk.

Supervision and Enforcement

Financial services companies are expected to both demonstrate and sustain elements of “Heightened Standards”—regardless of size and complexity. Four areas of heightened supervisory focus relating to risk data aggregation and reporting are listed below, each with its description:

Governance

  • Involvement of the Board and senior management in ‘business as usual’ processes and the adequate and proper definition of requirements around RDARR and how they align to BCBS 239 principles.
  • Involvement of key internal functions and the adequacy and presence of an independent validation unit within data processes.
  • Clearly defined and formalized documentation of the governance model (i.e., roles, responsibilities, and accountabilities for the board, management, and across all 3 lines of defense (LOD); policies, standards, and procedures), including mapping, ownership, and ongoing testing and monitoring of controls.
  • Assessment of data risks associated with RDARR, with associated data risk taxonomy and minimum control requirements.

Data Universe and Tiering

  • The scope of the “data universe” including types of data and risk reports covered by the RDARR standard (e.g., models; metrics; regulatory, compliance and risk reporting).
  • Data classifications, tiering, and risk ratings based on sensitivity, integrity, availability, and criticality.

Data Lineage

  • Level of process automation and coverage of the entire data flow (e.g., to consolidate data from different business units / subsidiaries) as well as the accuracy and granularity of the data.
  • Ability to trace and report on the relationship between data outputs and business processes, systems of record, and systems of origin.

Data Management and Quality

  • Data management processes and controls (e.g., standardized data controls around access and authorization, quality and integrity, capture and usage, privacy and security, and sharing with third parties; understanding of data sources) aligned with the data risk taxonomy and shown to be sustainable through a regular and robust control testing function.
  • Data quality issue management and reporting (e.g., measurement of data risk exposures for key RDARR metrics and reporting).

Examples of requirements in recent data management-related enforcement actions concerning risk management data include:

  • Establishing a data governance framework, operating model and management oversight, policies, procedures and standards, data literacy and training program.
  • Establishing the enterprise-wide adoption of foundational capabilities for data quality, risk aggregation, and reporting.
  • Improving data management and reporting practices to facilitate accurate risk and regulatory reporting.
  • Addressing previously identified deficiencies related to adequate governance, data quality management for risk metrics, and model risk management.

Regulatory Issuances

Recent regulatory issuances related to data management and governance for risk management data include:

BCBS

  • Activity: Progress Report on Principles for effective risk data aggregation and risk reporting
  • Description: A progress report assessing 31 G-SIBs and their adoption of BCBS 239. The report indicates that although banks have made some notable improvements, weaknesses and challenges persist in fragmented IT landscapes and deficient risk data aggregation and reporting capabilities. Further, the report urges FS regulators to increase/intensify their supervision and enforcement in order to promote widespread RDARR compliance.
  • KPMG Regulatory Alert: n/a

FDIC

  • Activity: Proposed guidelines on corporate governance and risk management standards
  • Description: Proposed new corporate governance and risk management guidelines outlining expectations for board and management responsibilities regarding risk management. Specifically, the proposal sets the expectations for “covered institutions” to implement risk management programs that contain policies and procedures designed to ensure that their risk data aggregation and reporting capabilities are appropriate to their business size, complexity, and risk profile and support supervisory reporting requirements.
  • KPMG Regulatory Alert: Expanded Risk Governance and Management: FDIC Proposed Guidelines

OCC

  • Activity: Policies and procedures
  • Description: New policies and procedures to implement when considering supervisory and enforcement actions against banks subject to Heightened Standards that exhibit or do not correct “persistent weaknesses”. The Heightened Standards for risk governance frameworks address RDARR expectations for financial institutions to have “policies supported by appropriate procedures and processes, designed to provide risk data aggregation and reporting capabilities appropriate for the size, complexity, and risk profile of the covered bank, and to support supervisory reporting requirements”.
  • KPMG Regulatory Alert: Bank Supervision: OCC “Persistent Weaknesses”

 
