Risk Data Aggregation and Risk Disclosure Guideline

February 2016

Introduction

During the latest global financial crisis, many major institutions had difficulty disclosing their risk data, which was often required with little lead time by regulators or other market participants such as rating agencies. The inadequacy of the information technology used by systemically important financial institutions with respect to the financial risks they faced, as well as the capability of said institutions to incorporate all the information on risks from the various activity sectors, was seriously questioned. As a result, the viability of some of these institutions and the stability of their markets were jeopardized.

In response to this crisis, the Basel Committee on Banking Supervision (the “Basel Committee”) undertook a series of reforms so as to optimize the industry’s regulatory, monitoring and risk management practices.

Among the objectives of these reforms is strengthening the transparency and disclosure of institutions. In this context, the Basel Committee published a document titled Principles for effective risk data aggregation and risk reporting (Basel Committee on Banking Supervision, January 2013) so as to strengthen the capability of systemically important institutions to aggregate and disclose their risk data. The document presents fourteen principles covering the following topics: governance and infrastructure, risk data aggregation capabilities, risk disclosure practices and supervisor’s role.

From this perspective, as outlined in the Integrated Risk Management Guideline (Autorité des marchés financiers), it is important for the AMF and the various market participants to be able to access integrated reports on the major risks to which institutions are exposed, especially those for which any threat to their viability could provoke a systemic crisis.

The AMF adheres to the principles of the main international regulatory bodies, including those of the Basel Committee and of the International Association of Insurance Supervisors (IAIS), which foster enhanced integration and disclosure of information on risks, enabling financial institutions to better anticipate issues likely to affect their viability.

In an effort to adapt the Basel Committee document to federations of credit unions, the AMF therefore considers it essential to establish guidance as to the governance and infrastructure required for the optimization of processes, as well as ad hoc guidance on risk data aggregation capabilities and practices for disclosing these risks.

Pursuant to the authority conferred upon it under An Act respecting financial services cooperatives (FSCA) (CQLR, c. C-67.3, s. 565.1; see also the Deposit institution and deposit protection Act, CQLR, c. I-13.2.2, section 42.2), the AMF is issuing this guideline expressly to inform federations of credit unions and its group, where applicable, of its expectations regarding risk data aggregation and the disclosure of these risks.

General guidance

The AMF expects financial institutions to implement a framework enabling them to properly aggregate all material risk data and to disclose them to market participants in an accurate, timely manner appropriate to the circumstances. Once implemented, this framework should enable institutions to optimize their integrated risk management.

The AMF expects the information on risks that is disclosed by institutions to be effectively aggregated, for all business sectors in which they operate. This information must be communicated to decision-making bodies and market participants in a timely manner, in accordance with the nature of the risks they face and their impact on the institution’s risk profile.
Risk data aggregation and disclosure must be possible at any time, in particular in times of crisis or of major organizational change, such as mergers and acquisitions. The board of directors and senior management could, for instance, use such aggregation and disclosure to make sure new products and services do not adversely affect the institution’s risk profile.

The AMF also expects financial institutions to optimize their control procedure as regards the quality of information disclosed so as to present the most accurate information possible on aggregated risk exposure. This procedure must be adapted to the various entities that are part of the institution, even those arising, for example, from a merger transaction.

Furthermore, the AMF expects the risk data aggregation and disclosure process to be able to adapt on an ongoing basis, so that financial institutions can produce ad hoc reports based on the available risk information infrastructure. This adaptation capability is also required in order to assess the impact of emerging risks.

The implementation of this guideline should ultimately help to optimize integrated risk management and serve as an important strategic decision-making tool.

1. Governance and infrastructure

The AMF expects the implementation of a risk data aggregation and disclosure initiative to rely on the participation of bodies with responsibility for these data. It therefore expects institutions to appoint a function in charge of monitoring the management of the quality controls in respect of risk data throughout their life cycle.

This guidance should be part of a financial institution’s governance program, as stated in the Governance Guideline (Autorité des marchés financiers). Thus, the board of directors should see to it that senior management relies on expertise in the management of information technology. Since senior management is responsible for the effectiveness of the organizational structure, it should, in this respect, ensure the coherence between the control measures to be adopted for implementing integrated risk reports and the efficiency being sought for the disclosure of these risks.

A policy to protect data confidentiality, availability and integrity should be approved by the board of directors, in accordance with its roles and responsibilities under the Governance Guideline. In turn, the institution’s senior management should ensure the implementation of this policy, which will enable the standardization of the risk data aggregation and disclosure processes.

As the implementation of a risk data aggregation and disclosure initiative involves the entire organization, it is important to ensure the participation of all bodies with responsibility for these data, including risk management, compliance, information technology management, finance, capital management and treasury, and control functions.

The institution should also draw on an independent function for the validation of its risk data aggregation and disclosure processes, in accordance with expectations related to the independent oversight of activities set out under the Governance Guideline. This function should be able to confirm that these processes reflect the institution’s risk profile and that the risk data protection policy is adopted by all interested parties, including managers, employees, consultants and third parties. Furthermore, the independent function should co-ordinate its work with that of the chief risk officer or member of senior management in charge of this mandate.

Given that the risk data aggregation capability could be modified by a major organizational change (such as an assignment, acquisition or merger), the board of directors and senior management should take this into account as part of the due diligence review processes. The aggregation capability should be preserved in all business sectors where the institution operates, especially in those that have changed their information technology infrastructure and those that have developed and implemented a new product. Any major limitation detected in this capability will have to be reported to the board of directors and senior management.

As for infrastructure, the AMF expects the institution to appoint a function in charge of monitoring the management of the quality controls in respect of risk data throughout their life cycle. This function could be performed by a member of senior management, in accordance with the above-mentioned independent oversight expectations.

This function should also guarantee the reliability of the technology infrastructure required to manage the data, in periods of normal operation as well as times of crisis. The AMF expects the institution to target architecture integration and data taxonomies at its various business sectors. The standardization of data identifiers (e.g. clients, number of accounts) and the information on the risk data characteristics in all the applications used by the institution should be included in this operation. The progress achieved by this standardization project will have to be documented, validated and made available to the AMF.

Given the importance of a solid technology infrastructure for the successful aggregation and disclosure of risk data, the AMF expects institutions to optimize their information technology infrastructure. The last step in this optimization could be to limit the production of reports manually and facilitate the flow of data between the different business sectors in which the institution operates, as applicable. The evolution of such an operation will have to be validated by the independent function, while making sure the heads of all the business sectors are on board.

The institution’s business continuity plan should consider the potential impact of major incidents on the confidentiality, availability and integrity of risk data (Autorité des marchés financiers, Business Continuity Management Guideline). This impact should be quantified using techniques such as crisis simulations, recovery time objective indicators and update processes.

2. Risk data aggregation capabilities

The AMF expects financial institutions to ensure the accuracy, adaptability and timeliness of material risk data, based on the implementation of a control framework governing the data aggregation process. Furthermore, the AMF expects the risk data aggregation capability to be effective at all times, even in a crisis.

Institutions should have a strict control framework for the entire risk data production process. This framework should include controls on the data generated by external suppliers, which will have to deliver their services in compliance with the governance principles contained in outsourcing arrangements (Autorité des marchés financiers, Outsourcing Risk Management Guideline).

In cases where an institution operates in different business sectors, or in multiple jurisdictions, it is advisable to establish common parameters to determine whether risks are material. It is also expected that the institution will adopt a permanent reconciliation procedure between the data from different sources and between different types of data, based on expectations for data precision and accuracy and in relation to their risk profile. This procedure must facilitate the analysis of differences between sources (qualitative and quantitative) in order to proceed with the necessary purging before data aggregation.

The independent function responsible for the validation of the risk data aggregation and disclosure processes mentioned in the previous section will need to have special and permanent access to all the software used for the production of the institution’s risk data. Should compliance breaches be observed, the bodies responsible as well as senior management will have to be promptly informed so that corrective actions can be implemented as soon as possible.

Moreover, the independent function will have to continuously ensure that all risks are aggregated consistently, but without necessarily targeting the standardization of risk measurement units. In addition, the AMF expects the institutions to report any material risk disclosure errors or omissions and to implement a procedure to mitigate the frequency and impact of such errors or omissions.

On an ongoing basis and more specifically during a crisis, the institution will have to make sure it can effectively meet all risk data aggregation requests, which may be made by the AMF or other market participants such as the Bank of Canada or rating agencies.

The integrated risk management framework should allow the institution to quickly generate information on the material risks it is exposed to. To do so, it is advisable to specify beforehand the time required to produce each risk report. However, note that speed in the aggregation capability and in risk data disclosure should never interfere with the accuracy, integrity, completeness and adaptability of data.

As risk information requests come from various participants and specific needs do not necessarily require the same parameters and timeframes, the institution must make sure its systems and procedures can adapt effectively to enable customized reports (e.g. by business sector, region, and method of distribution). This adaptability is crucial when considering new situations—both internal and external—with the potential to adversely affect the institution’s risk profile.

3. Risk disclosure practices

The AMF expects the reports on risk, especially those intended for decision-making bodies, to reflect the financial institution’s risk tolerance and appetite. These reports must also enable stakeholders to clearly track the institution’s ongoing exposure to risk, along with the effectiveness and efficiency of measures for handling risk.

Given that reports on risks are used by senior management and the board of directors, particularly for strategic decision making, their expectations for reports, especially as regards the granularity required for information on risks as well as the frequency sought and timelines set for their presentation, will have to be clearly disclosed to all institutional stakeholders.

As an institution becomes more complex, the use of manual systems for risk disclosure becomes less accepted. However, regardless of the degree of system automation, all institutions will have to properly document their risk disclosure requirements, including an explanation of the use of manual systems, as applicable, as well as the impact of this choice on the accuracy of the information generated and the actions planned to mitigate the associated inherent risks. This documentation will have to be validated by the independent function to ensure that any major anomaly is presented to senior management and the board of directors.

These reports must also help track the evolution of each institution’s exposure to risk, as well as assess the effectiveness and efficiency of measures for handling risk. It is essential that the presentation of data showing this evolution be accompanied by an analysis adapted to the various target audiences, including, as applicable, an explanation of the limitations related to the disclosure of risk data and of the measures planned to mitigate them. The board of directors and senior management, as well as any other recipient of these reports, will have to notify the responsible body of those that do not meet expectations or that do not reflect the institution’s risk tolerance and appetite.

Moreover, it is critical that the body responsible for generating these reports check the accuracy of the information to be disclosed. As was previously mentioned, these reports may be issued by a multitude of information sources. Ultimately, the institution is responsible for classifying, aggregating and presenting them clearly in a manner appropriate to the circumstances. To do so, the institution should prepare and implement all the necessary validation rules to guarantee the consistency of the risk data presented. As these rules are necessarily dynamic, due to the constantly changing sources, controls will have to be implemented for these rules, and their effectiveness validated by the independent function. These controls will have to be incorporated into the institution’s internal control framework and be supported by rule specifications in effect, using straightforward, realistic conventions.