Basel article 239: Principles for effective risk data aggregation and risk reporting. Hoe gaat ING hier mee om?

1. Amsterdam • 12 October 2015
BCBS 239
ING Bank
Fabienne Libert
Head of Risk Services

2. 1. About ING
2. BCBS 239
3. Global Data Management
4. Finance Risk integration
Index
2

3. • ING is a global financial institution with a strong European base, offering
banking services through its operating company ING Bank and holding a
significant stake in the listed insurer NN Group N.V. The purpose of ING
Bank is to empower people to stay a step ahead in life and in business.
ING Bank’s more than 52,000 employees offer retail and commercial
banking services to customers in over 40 countries.
• ING Group shares are listed (in the form of depositary receipts) on the
exchanges of Amsterdam (INGA NA, ING.AS), Brussels and on the New
York Stock Exchange (ADRs: ING US, ING.N).
About ING
3
• Sustainability forms an integral part of ING’s corporate strategy,
which is demonstrated by the inclusion of ING Group shares in the
FTSE4Good index and the Dow Jones Sustainability Index (Europe
and World), in which ING is the industry leader in the diversified
financials group.

4. Our purpose
4

5. BCBS 239
Principles for effective risk data aggregation and risk reporting
5

6. Background (1/2)
BCBS 239 Principles
6
Overarching Governance and
Infrastructure
Risk Data Aggregation Capabilities
P1: Governance
P2: Data Architecture
and IT infrastructure
Governance – A bank’s risk data aggregation capabilities and risk reporting practices should be subject to
strong governance arrangements consistent with other principles and guidance established by the Basel
Committee.
Data architecture and IT infrastructure – A bank should design, build and maintain data architecture and IT
infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only
in normal times but also during times of stress or crisis, while still meeting the other Principles.
P3: Accuracy and Integrity Accuracy and Integrity – A bank should be able to generate accurate and reliable risk data to meet
normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely
automated basis so as to minimise the probability of errors.
P4: Completeness
P5: Timeliness
P6: Adaptability
Completeness – A bank should be able to capture and aggregate all material risk data across the
banking group. Data should be available by business line, legal entity, asset type, industry, region and
other groupings, as relevant for the risk in question, that permit identifying and reporting risk exposures,
concentrations and emerging risks.
Timeliness – A bank should be able to generate aggregate and up-to-date risk data in a timely manner
while also meeting the principles relating to accuracy and integrity, completeness and adaptability. The
precise timing will depend upon the nature and potential volatility of the risk being measured as well as
its criticality to the overall risk profile of the bank. The precise timing will also depend on the bank-
specific frequency requirements for risk management reporting, under both normal and stress/crisis
situations, set based on the characteristics and overall risk profile of the bank.
Category Principle Summary
Adaptability – A bank should be able to generate aggregate risk data to meet a broad range of on-
demand, ad hoc risk management reporting requests, including requests during stress/crisis situations,
requests due to changing internal needs and requests to meet supervisory queries.

7. 7
Risk Reporting Practices
Supervisory Review, tools and
cooperation *
P7: Accuracy
P8: Comprehensiveness
Accuracy - Risk management reports should accurately and precisely convey aggregated risk data and
reflect risk in an exact manner. Reports should be reconciled and validated.
Comprehensiveness - Risk management reports should cover all material risk areas within the
organisation. The depth and scope of these reports should be consistent with the size and complexity of
the bank’s operations and risk profile, as well as the requirements of the recipients. .
P9: Clarity and usefulness Accuracy and Integrity – A bank should be able to generate accurate and reliable risk data to meet
normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely
automated basis so as to minimize the probability of errors.
P10: Frequency
P11: Distribution
Frequency – The board and senior management (or other recipients as appropriate) should set the
frequency of risk management report production and distribution. Frequency requirements should
reflect the needs of the recipients, the nature of the risk reported, and the speed, at which the risk can
change, as well as the importance of reports in contributing to sound risk management and effective
and efficient decision-making across the bank. The frequency of reports should be increased during
times of stress/crisis.
Distribution - Risk management reports should be distributed to the relevant parties while ensuring
confidentiality is maintained.
Category Principle Summary
Principles 1 to 11 are the guidelines for Banks, while the principles 12-14 (*) describe the role the supervisors play in monitoring ongoing
compliance.
Background (2/2)
BCBS 239 Principles

8. BCBS 239 principles
8

9. 9
BCBS239: Executive Summary
14 Principles for effective risk data aggregation and risk reporting were issued by the Basel
Committee in January 2013 under the BCBS 239 paper)
Effective implementation of the Principles is expected to enhance the risk management as well
as the decision-making processes and further improve the resolvability of the banks in order to
avoid another 2008 crisis.
External:
• Moving from a template-driven reporting to data-driven reporting (AQR lessons learned)
• Achieving compliance towards the BCBS 239 principles
Internal:
• ING colleagues to treat data as a valuable asset
• ING colleagues to improve the effectiveness of the reporting process as they should be
enabled to put more time to gain insight and make sense of data instead of effort in the
creation of the reports
• Management to take decisions based on reliable and trustable data, in time of “business-as-
usual” or in time of crisis
• Embed BCBS 239 principles in policies and procedures
Strategic Fit
BCBS 239, although a regulatory program, is a key foundation underlying the CRO vision to
empower a state of the art risk management as well as the COO vision to become the 2020 next
generation digital bank, in support of the thinkforward strategy.
Time lines
The deadline has been set @ Jan 1, 2016 as so far G-SIB are concerned while for the D-SIB a 3
years compliance deadline is foreseen.

10. ING BCBS 239 Program
10

11. Getting ING’s data management right across the entire bank is essential
11
Global data management
World is changing fast
Regulation
and Risk
culture
Digital
revolution
Client’s
behaviour
change
New
competitors
Multispeed
world
COO response “In line with the Think Forward strategy, the long long-term vision for the COO domain is
to be the Next Generation Digital Bank”
Building blocks
Uniform & easy
processes
Reliable & modern
banking systems
Global data
management
Enabled people with
right skills
Collaborative
performance culture
Uniform data
governance
across the bank
Trustable data:
one single source
of truth
Foundation for
predictive data
analytics
Operational
excellence in
data exchange
Global Data Management

12. Key components of ING´s global data management strategy
12
We implement a uniform data
governance throughout ING
We drive a culture change
that radiates data is a valued
asset
We harmonise the definitions
of data that we exchange
across ING
We implement a standard
reference architecture for
data
We uniformly measure the
quality of data
We use uniform policies
and processes around data
across ING
1 2
3 4
5 6
Brief abstract on next slides

13. Key components of 4Sight: Finance Risk integration
13
Common data foundation for
Finance and Risk
1
2
5
Reconciliation by Design
Simplify (Finance / Risk) IT process;
standardise and optimise, while being compliant
with all regulations

14. Questions on BCBS 239
14
1. Which percentage of G-Sibs plan to be compliant by January 2016? More or less than 70%?
2. How much are banking investing to achieve compliance? (GSIBs industry average)
More or less than 100 metrics?3. Scope: Are most banks (roughly 80%) scoping more or less than 100 metrics?
More or less than USD 200 million?
(Based on McKinsey paper July 2015)
4. On average how much could a typical G-SIB extract of annual benefits with
strategically targeted and run Risk and Finance Data and technology programs?
More or less than 500 million?