BCBS 239 presents banks and other financial institutions with a significant challenge and a unique opportunity. There are many pitfalls which will need to be avoided for firms to create lasting value.
BCBS 239 is a set of regulations from the Basel Committee on Banking Supervision entitled “Principles for Effective Risk Data Aggregation and Risk Reporting”. It is aimed at addressing weaknesses in banks’ ability to identify and manage bank-wide risks, catastrophically exposed by the financial crisis that began in 2007. The principles were released in January 2013, with a deadline for implementation by global systematically important banks (G-SIBs) of January 1, 2016. The Financial Stability Board (FSB) has also clearly stated its intention that a time line is set for other firms, particularly systematically important financial institutions (SIFIs), to meet these standards.
The BCBS 239 principles cover four closely related topics:
1. Overarching governance and infrastructure – Firms need to put in place strong governance and ownership for their data aggregation and risk reporting framework. An effective operating model needs to be implemented covering people, policies, process, organisation and infrastructure. The infrastructure must support all reporting requirements. There’s an emphasis throughout the text on building the capability to support effective reporting in crisis and stress situations; with clear implications for data coverage, availability and reporting flexibility.
2. Risk data aggregation capabilities – Robust, high performance systems are needed to ensure risk reports are accurate, timely and complete. The platform also needs to be flexible and adaptable. It needs to meet the evolving internal reporting needs of the firm and external reporting requirements of supervisory bodies. Enterprise data dictionaries need to be documented. Comprehensive controls around data sourcing and quality must be put in place, including reconciliation to all sources and single sourcing of each type of risk where feasible.
3. Risk reporting practices – This set of principles, very closely intertwined with data aggregation capabilities, focuses on making the risk reporting and management process effective and practical. As the BCBS 239 document puts it "data alone does not guarantee that the board and senior management will receive appropriate information to make effective decisions about risk." The scope covers reporting and management of all significant risk areas, with each risk area needing to be broken down into all significant components. Risk reports also need to cover any significant related measures, for example regulatory and economic capital. And it's not just about current and historic reporting. Forward looking assessments of likely trajectory of capital and risk profile need to be part of the solution. The reporting must be useful, clear, comprehensive, timely, produced at an appropriate frequency and supported by an effective operating model.
4. Supervisory review, tools and cooperation - The principles will be backed by regular supervisory review, in addition to the independent review structure that firms are expected to establish. Where implementation is found to be deficient, supervisory bodies will set remedial actions, including capital add-ons, as both a mitigant and an incentive under pillar 2.
In order to comply with the principles firms need to sort out areas of traditional weakness – enterprise level data quality, governance, warehousing, aggregation and reporting processes. It is no longer good enough to say that overall risk management processes at a firm are strong. There’s a need to prove every component part, including data, infrastructure, reporting and operating model are working effectively together over the full coverage of risk types and measures.
There are no quick fixes to these areas, particularly enterprise data management which is often mired in years of silo development, mergers, reorganisations and general neglect. A hard and fast regulatory deadline, with the boards and senior management of firms on the line to ensure compliance, increases the risk that solutions fail to deliver anywhere near their potential value.
With a step change in capability needed, implementation needs to be a top priority and focus for banks. In many cases additional attention and acceleration is required, particularly in three key areas.
- Clear measurable and testable requirements – The BCBS 239 principles are high level, unquantified and non-prescriptive (in terms of how they should be implemented). Firms need to ensure they have translated the principles into a detailed agreed operating model and detailed set of testable, auditable capabilities.
- Data – Firms need to face up to the realities of their data. If your data is broken you just need to fix it. It isn’t just a technology fix. Firms need to understand their data fully, documenting definitions and standards in an enterprise data dictionary. A detailed understanding of data lineage, ownership, temporality and data life-cycle is needed. This definition should in turn drive definition and implementation of an operating model for managing quality and instituting effective data governance. This requires advanced data modelling expertise, proven data management methodologies and practical experience of solving enterprise reporting challenges.
- Architecture – The BCBS 239 principles pose particular challenges due to the scale and coverage of data, the timely manner in which it’s needed and the need to be adaptable and flexible. It is unlikely that one size fits all and that there is a single technology solution for the majority of firms. Expertise in high scale data management architectures, metadata management, data analytics and reporting is needed to navigate to the right solution.
This is not a domain for generalists – specialist skills and practical experience of implementing high performance data and reporting infrastructures are needed to succeed. Proven methodologies, particularly in analysing data requirements and solutions need to be followed. Firms must put the right expertise in place to close these gaps quickly.
By Barney Walker, Head of Banking Practice, Kinaesis