1. Basis Reference: "Principles for effective risk data aggregation and risk reporting, Basel Committee on Banking Supervision, Jan 2013 (http://www.bis.org/publ/bcbs239.pdf).
  2. Risk Reporting Practices
    1. Risk management reports (RMR) should be accurate, precisely conveyed, exactly reflective of conditions, reconciled, and validated.
    2. RMRs should cover all material risk areas, and scope and depth should be consistent with operations, risk profile, and recipients' requirements.
    3. RMRs should communicate information in a clear and concise manner, easy to understand, and sufficiently extensive to enable decision-making. RMRs should include a balance among risk data, analysis and interpretation, and qualitative explanations. RMRs should include information tailored to the recipients.
    4. The executive board and senior management (and others as appropriate) should set the frequency of production and distribution of the RMRs. Frequency requirements should reflect the recipients' needs, nature of risk reported, the speed at which the risk can change, and importance of reports in contributing to sound risk management and effective and efficient decision-making.
    5. RMRs should be distributed to relevant parties while ensuring essential confidentiality is maintained.
  3. Supervisory review, tools and cooperation
    1. Supervisors should periodically review and evaluate compliance with Principles 1 through 12.
    2. Supervisors should have and use appropriate tools and resources to require effective and timely action to address deficiencies in "Risk Data Aggregation Capabilities" and/or "Reporting Practices."
    3. Supervisors should coordinate with relevant peers in other jurisdictions regarding supervision and review of Principles and/or necessary remedial action.
  4. Risk Data Aggregation Capabilities
    1. Enterprises should be able to precisely generate reliable risk data, aggregated with largely--if not entirely--automated processing.
    2. Enterprises should be able to capture and aggregate material risk data across its groups, and available by meaningful dimensions (e.g., business line, org., legal entity, asset type, industry, region) relevant for the subject risk, permitting identification of risk exposures, concentrations, and emerging risks.
    3. Enterprises should be able to generate aggregate risk data to meet a broad range of requests (e.g., on-demand, ad-hoc, due to changing internal needs to meet supervisory queries)
    4. Enterprises should be able to generate current risk data quickly while also meeting principles "Accuracy and Integrity," "Availability and Completeness," and "Adaptability."
      1. Specific timing depends on
        1. Risk nature
        2. Risk potential volatility
        3. Risk criticality to the risk profile
        4. Organization-specific reporting frequency requirements
  5. Overarching governance and infrastructure
    1. Enterprises should be subject to strong arrangements following the rest of the Principles.
    2. Enterprise should design, build and fully support capabilities and reporting practices under normal and stressful/crisis conditions while meeting all the other Principles.