New ECB guidelines on risk data aggregation and risk reporting

The importance of aggregating risk data became evident during the 2007–2009 financial crisis and has recently been further underscored through the data collection initiatives undertaken by the ECB’s banking supervision amid the pandemic and other stressful scenarios.

Ever since the ECB’s announcement of its supervisory priorities for 2023–2025 in December 2022, followed by Andrea Enria’s keynote speech during the Annual Conference on Banking Supervision in March 2023, it has become clear that banks will have to revisit the compliance gaps in their risk data aggregation and risk reporting processes.

BCBS 239 snapshot

The Principles for effective risk data aggregation and risk reporting (BCBS 239 Principles) were first established in 2013 by the Basel Committee on Banking Supervision (BCBS), as a response to severe deficiencies in the management information systems of many major global banks exposed during the 2007–2009 financial crisis.

The fundamental objectives of the BCBS 239 Principles were to:

  • enhance the infrastructure for reporting key information, particularly that used by the board and senior management to identify, monitor, and manage risks;
  • improve the decision-making process throughout the banking organization;
  • enhance the management of information across legal entities, while facilitating a comprehensive assessment of risk exposures at the global consolidated level;
  • reduce the probability and severity of losses resulting from risk management weaknesses;
  • improve the speed at which information is available and hence decisions can be made; and
  • improve the organization’s quality of strategic planning and its ability to manage the risk of new products and services.

The fourteen Principles were grouped into four overarching categories: governance and infrastructure, risk data aggregation capabilities, risk reporting practices, and supervisory review.

Figure 1: Overview of the BCBS 239 Principles

The ECB’s guidelines

In 2016, the ECB launched a thematic review on effective risk data aggregation and risk reporting (RDARR) guided by the BCBS 239 Principles. The results revealed that none of the inspected banks reached full compliance with the Principles. In 2019, the ECB addressed a letter to all significant institutions within its direct oversight, stressing the urgency of making prompt enhancements to their RDA capabilities and RR practices. Despite continuous calls for action and increased supervisory scrutiny over the last few years, the ECB concluded that adequate levels of RDARR capabilities are still the exception among the G-SIBs. The progress report based on the results of a self-assessment survey among 34 G-SIBs, published by the BCBS in 2020, revealed that none of the banks were fully compliant with the Principles in terms of building up the necessary data architecture, and, for many, IT infrastructure remained a difficult issue.

As a consequence, in July 2023, the ECB released a Guide on effective risk data aggregation and risk reporting, requesting banks to increase their efforts and improve their capabilities in this area in a timely manner. The guide aims to complement the BCBS 239 Principles, specifying and reinforcing supervisory expectations in this area.

Figure 2: BCBS 239 – timeline

In the guide, seven major areas have been highlighted by the supervisor:

  1. The responsibility of a bank’s management body
  2. The scope of application of the data governance framework
  3. Key roles and responsibilities for data governance
  4. The implementation of a group-wide integrated data architecture
  5. The effectiveness of data quality controls
  6. The timeliness of internal risk reporting
  7. Effective implementation programs


1. Responsibility of a bank’s management body

The ECB stresses the crucial role that the management body plays in ensuring effective risk identification, management, monitoring, and reporting, as well as adopting suitable internal control mechanisms. Inadequate knowledge, training or experience in RDARR and IT topics, or a lack of awareness of underlying risks, can result in insufficient or ineffective improvements. Therefore, including the management body’s understanding of RDARR topics in the fit and proper assessments is also among the measures considered by the ECB.

Figure 3: Summary of recommendations – responsibilities of the management body

2. Scope of application of the data governance framework

As per the ECB’s guidelines, banks should create a robust data governance framework to effectively handle risk identification, management, monitoring, and reporting. This framework should be all-encompassing, covering all material legal entities, risk categories, business lines, as well as financial and supervisory reporting processes, spanning the entire data lifecycle from inception and capture to aggregation and reporting.

Banks should clearly outline the scope of application of their data governance framework by explicitly identifying the included reports, models, risk data, and critical data elements. Additionally, they should establish transparent, proportional, and measurable criteria for determining the inclusion of material legal entities.

Figure 4: Summary of recommendations – sufficient scope of application

3. Key roles and responsibilities for data governance

The supervisor outlines the essential components needed to establish an effective data governance framework at both group and subsidiary levels. Banks are urged to clearly define the roles and responsibilities within the data quality area, as well as assign ownership for data quality across business, control, and IT functions.

Figure 5: Summary of recommendations – effective data governance framework

4. Implementation of a group-wide integrated data architecture

To ensure data quality for risk, supervisory and financial reporting, the ECB points out the need to implement an integrated data architecture at the group level. Special focus is put on data dictionaries covering main business concepts. The implementation of data taxonomies should be thoroughly documented and geared towards the provision of essential information required for guiding the institution and overseeing its risk management.

Figure 6: Summary of recommendations – integrated data architecture

5. Effectiveness of data quality controls

The ECB highlights that in order to ensure effective and comprehensive data quality controls, as well as the resolution of significant data quality problems, group-wide policies and procedures should be integrated into the broader risk management or data governance framework. This integration enhances transparency in terms of data quality risks within the defined scope.

Figure 7: Summary of recommendations – group-wide data quality management and standards

6. Timeliness of internal risk reporting

The sixth focus point of the regulator accentuates how effective risk management and identification rely on accurate, complete, and timely data. “To manage risks effectively, the right information needs to be presented to the right people at the right time”. The timeliness of risk reporting depends on two factors: how often reports are generated and the time required to create them.

The internal risk reporting frequency should be aligned with the dynamics of potential changes in risk figures. The time it takes to create a report affects risk management similarly. If an institution takes longer to generate risk reports, it prolongs the period during which the risk situation is uncertain and increases the chances of delayed responses. For the first time, a clear expectation of producing monthly and quarterly risk reports within 20 working days is communicated.

Figure 8: Summary of recommendations – timeliness of internal risk reporting

7. Effective implementation programs

Banks not yet adhering to the best practices outlined in the BCBS 239 Principles are urged to take appropriate steps to implement them. An implementation plan should be developed to address any gaps and weaknesses identified through both internal and external evaluations, which may include on-site inspections conducted by the ECB.

Figure 9: Summary of recommendations – effective implementation programs

Expected supervisory activities

In its recent guidelines, the ECB explicitly demands an increase in supervision and points out that the current approaches are insufficient in that regard. During 2023–2025, the supervisor will conduct a horizontal benchmarking of findings with a special focus on the adequate scope of the data governance framework, the responsibilities of the senior management, as well as the data quality of their supervisory reporting. Institution-specific “fire drill” exercises and dedicated inspections on RDARR capabilities are to be expected.

Given the circumstances, zeb recommends the following measures:

  • Close monitoring of ECB activities to ensure timely awareness of any updates or alterations
  • Thorough assessment of the institution’s RDARR capabilities, critically aligning them with regulatory standards and considering the latest ECB expectations, with special attention to the senior management perspective
  • Regular evaluation of the institution’s approach to data quality management and reporting, considering its effectiveness, the improvements achieved, and its overall significance for the risk reporting framework

Investing in BCBS 239 initiatives – an opportunity, rather than a burden

BCBS 239 has evolved into a significant component of the banking sector, influencing how banks approach risk management, data handling, and reporting practices. Although it does not have formal regulatory status in all jurisdictions, it is widely acknowledged and frequently cited by both regulatory bodies and financial institutions.

Despite notable efforts over the last decade towards implementing the Principles, compliance gaps can be identified in the majority of significant institutions. Given the dynamic nature of the environment banks operate in, reaching BCBS 239 compliance requires equally dynamic adjustments.

Successful players leverage the opportunities stemming from the BCBS 239 initiatives by linking them with strategic business objectives. By expanding the scope beyond risk data and including other types of reports (e.g. on sustainability) in their data governance framework, embracing new technologies, and treating data as a strategic asset, banks can leverage their investment to capitalize on strategic opportunities.

Adhering to the BCBS 239 Principles is without doubt favorable even for banks that are not bound to do so, as the business benefits extend further than regulatory compliance. Improved data aggregation and reporting capabilities can, among other things, support strategic decision-making (e.g. in terms of risk appetite), increase cost efficiency through a well-organized and simplified portfolio of data repositories, or improve the cross-selling potential and overall client profitability.


Guide on effective risk data aggregation and risk reporting, ECB, July 2023
Principles for effective risk data aggregation and risk reporting, Basel Committee on Banking Supervision, January 2013
ECB consults on Guide on effective risk data aggregation and risk reporting, press release, July 2023
A new stage for European banking supervision, keynote speech by Andrea Enria, Chair of the Supervisory Board of the ECB, 22nd Handelsblatt Annual Conference on Banking Supervision, March 2023
ECB Banking Supervision: SSM supervisory priorities for 2023-2025, December 2022

Authors (BankingHub)

Dr. Frank Mrusek, Senior Manager, Office Berlin
Dorota Adamus, Manager, Office Warsaw
