BCBS 239 snapshot
The Principles for effective risk data aggregation and risk reporting (BCBS 239 Principles) were first established in 2013 by the Basel Committee on Banking Supervision (BCBS), as a response to severe deficiencies in the management information systems of many major global banks exposed during the 2007–2009 financial crisis.
The fundamental objectives of the BCBS 239 Principles were to:
- enhance the infrastructure for reporting key information, particularly that used by the board and senior management to identify, monitor, and manage risks;
- improve the decision-making process throughout the banking organization;
- enhance the management of information across legal entities, while facilitating a comprehensive assessment of risk exposures at the global consolidated level;
- reduce the probability and severity of losses resulting from risk management weaknesses;
- improve the speed at which information is available and hence decisions can be made; and
- improve the organization’s quality of strategic planning and its ability to manage the risk of new products and services.
The fourteen Principles were grouped into four overarching categories: governance and infrastructure, risk data aggregation capabilities, risk reporting practices, and supervisory review.
The ECB’s guidelines
In 2016, the ECB launched a thematic review on effective risk data aggregation and risk reporting (RDARR) guided by the BCBS 239 Principles. The results revealed that none of the inspected banks reached full compliance with the Principles. In 2019, the ECB addressed a letter to all significant institutions within its direct oversight, stressing the urgency of making prompt enhancements to their RDA capabilities and RR practices. Despite continuous calls for action and increased supervisory scrutiny over the last few years, the ECB concluded that adequate levels of RDARR capabilities are still the exception among the G-SIBs. The progress report based on the results of a self-assessment survey among 34 G-SIBs, published by the BCBS in 2020, revealed that none of the banks were fully compliant with the Principles in terms of building up the necessary data architecture, and, for many, IT infrastructure remained a difficult issue.
As a consequence, in July 2023, the ECB released a Guide on effective risk data aggregation and risk reporting, requesting banks to increase their efforts and improve their capabilities in this area in a timely manner. The guide aims to complement the BCBS 239 Principles, specifying and reinforcing supervisory expectations in this area.
In the guide, seven major areas have been highlighted by the supervisor:
- The responsibility of a bank’s management body
- The scope of application of the data governance framework
- Key roles and responsibilities for data governance
- The implementation of a group-wide integrated data architecture
- The effectiveness of data quality controls
- The timeliness of internal risk reporting
- Effective implementation programs
The ECB stresses the crucial role that the management body plays in ensuring effective risk identification, management, monitoring, and reporting, as well as adopting suitable internal control mechanisms. Inadequate knowledge, training or experience in RDARR and IT topics, or a lack of awareness of underlying risks can result in insufficient or ineffective improvements. Therefore, including the management body’s understanding of RDARR topics in the fit and proper assessments is also among the measures considered by the ECB.
As per the ECB’s guidelines, banks should create a robust data governance framework to effectively handle risk identification, management, monitoring, and reporting. This framework should be all-encompassing, covering all material legal entities, risk categories, business lines, as well as financial and supervisory reporting processes, spanning the entire data lifecycle from inception and capture to aggregation and reporting.
Banks should clearly outline the scope of application of their data governance framework by explicitly identifying the included reports, models, risk data, and critical data elements. Additionally, they should establish transparent, proportional, and measurable criteria for determining the inclusion of material legal entities.
The supervisor outlines the essential components needed to establish an effective data governance framework at both group and subsidiary levels. Banks are urged to clearly define the roles and responsibilities within the data quality area, as well as assign ownership for data quality across business, control, and IT functions.
In order to ensure data quality for risk, supervisory and financial reporting, the ECB points out the need to implement an integrated data architecture at the group level. Special focus is put on data dictionaries covering main business concepts. The implementation of data taxonomies should be thoroughly documented and geared towards the provision of essential information required for guiding the institution and overseeing its risk management.
The ECB highlights that in order to ensure effective and comprehensive data quality controls, as well as the resolution of significant data quality problems, group-wide policies and procedures should be integrated into the broader risk management or data governance framework. This integration enhances transparency in terms of data quality risks within the defined scope.
The sixth focus point of the regulator accentuates how effective risk management and identification rely on accurate, complete, and timely data. “To manage risks effectively, the right information needs to be presented to the right people at the right time”. The timeliness of risk reporting depends on two factors: how often reports are generated and the time required to create them.
The internal risk reporting frequency should be aligned with the dynamics of potential changes in risk figures. The time it takes to create a report affects risk management similarly. If an institution takes longer to generate risk reports, it prolongs the period during which the risk situation is uncertain and increases the chances of delayed responses. For the first time, a clear expectation of producing monthly and quarterly risk reports within 20 working days is communicated.
Banks not yet adhering to the best practices outlined in the BCBS 239 Principles are urged to take appropriate steps to implement them. An implementation plan should be developed to address any gaps and weaknesses identified through both internal and external evaluations, which may include on-site inspections conducted by the ECB.
Expected supervisory activities
In its recent guidelines, the ECB explicitly demands an increase in supervision and points out that the current approaches are insufficient in that regard. During 2023–2025, the supervisor will conduct a horizontal benchmarking of findings with a special focus on the adequate scope of the data governance framework, the responsibilities of the senior management, as well as the data quality of their supervisory reporting. Institution-specific “fire drill” exercises and dedicated inspections on RDARR capabilities are to be expected.
Given the circumstances, zeb recommends the following measures:
- Close monitoring of ECB activities to ensure timely awareness of any updates or alterations
- Thorough assessment of the institution’s RDARR capabilities, critically aligning them with regulatory standards and considering the latest ECB expectations, with special attention to the senior management perspective
- Regular evaluation of the institution’s approach to data quality management and reporting, considering its effectiveness, the improvements achieved, and its overall significance for the risk reporting framework
Investing in BCBS 239 initiatives – an opportunity, rather than a burden
BCBS 239 has evolved into a significant component of the banking sector, influencing how banks approach risk management, data handling, and reporting practices. Although it does not have formal regulatory status in all jurisdictions, it is widely acknowledged and frequently cited by both regulatory bodies and financial institutions.
Despite notable efforts over the last decade towards implementing the Principles, compliance gaps can be identified in the majority of significant institutions. Given the dynamic nature of the environment banks operate in, reaching BCBS 239 compliance requires equally dynamic adjustments.
Successful players leverage the opportunities stemming from the BCBS 239 initiatives by linking them with strategic business objectives. By expanding the scope beyond risk data and including other types of reports (e.g. on sustainability) in their data governance framework, embracing new technologies, and treating data as a strategic asset, banks can leverage their investment to capitalize on strategic opportunities.
Adhering to the BCBS 239 Principles is without doubt favorable even for banks that are not bound to do so, as the business benefits extend further than regulatory compliance. Improved data aggregation and reporting capabilities can, among other things, support strategic decision-making (e.g. in terms of risk appetite), increase cost efficiency through a well-organized and simplified portfolio of data repositories, or improve the cross-selling potential and overall client profitability.