BCBS239

The Context

After the 2008 crisis there was a general consensus that banks needed to enhance their ability to aggregate and report risk. BCBS239 – Principles for Effective Risk Data Aggregation & Risk Reporting is a core component of the regulatory effort to address the shortcomings. The compliance date for GSIBs is 01-01-16. DSIBs are likely to be held to the same timelines and requirements by their local regulator. The text sets out 14 principles, grouped into four categories:

Governance & Infrastructure

A bank should have in place a strong governance framework, risk data architecture and IT infrastructure. The board and senior management are called out to understand coverage and limitations.

Risk Data Aggregation Capabilities

Banks must demonstrate the ability to generate accurate and reliable risk data in a timely manner, even for ad hoc reports during a crisis or at the request of the regulator.

Risk Reporting Practices

Ensuring the right information is accurately presented to the right people in a clear & useful manner at the right time.

Supervisory Review

The regulators should ensure they can evaluate & remediate compliance accurately and effectively.

Overriding Requirement - Challenging the Silos

BCBS239 explicitly challenges the silo-driven structure of banks today, with clear requirements to bring a holistic enterprise understanding of risk data, risk data aggregation & reporting. Holistic refers to both the understanding, which must span many disciplines, and to the community, where business, IT and Risk functions need to collaborate to bring consistency and control across the data life cycle. To satisfy this regulation a more collaborative and integrated approach to data and understanding is necessary.

The Risk Perspective

The BCBS239 text presents some key challenges from a risk perspective. The main ones are outlined below:

Management needs to be aware of & understand limitations

A bank’s board and senior management should be fully aware of any limitations that prevent full risk data aggregation – coverage, technical and legal
Make state of risk data aggregation visible & accessible to management so they can steer on gaps and deficiencies

Transparency across the full lifecycle of data aggregation

Processes, controls, roles, data definitions, validations, reports, usage, requirements, errors etc. must be fully documented and subject to high standards of validation.
Inventorise building blocks of risk aggregation and understand how they interact, use and depend on one another

Manage manual processes & desktop apps

Where a bank relies on manual processes and desktop apps it should have effective mitigants and controls in place that are consistently applied
Bring visibility, context & governance to manual processes & desktop applications. Include desktop apps in dictionaries and lineage maps

Span organisational boundaries

Group structure should not hinder aggregation capabilities within the organisation. Regional, legal entity or business line boundaries must be overcome.
Join up data understanding, governance and change efforts across functions, disciplines and legal entities

Aggregated risk on demand

Banks need to implement a flexible infrastructure and operational environment to quickly produce adaptable ad-hoc reports in line with stressed scenarios
Become agile and flexible by understanding the interplay of your core data and business resources.

Impact of change initiatives

Must be able to assess the impact on risk data aggregation & reporting capability of any new initiatives, e.g. new products, process change, IT change.
Have a readily available understanding of the environment to facilitate quick impact assessments

The Data Perspective

The BCBS239 text presents some key challenges from a data perspective. The main ones are outlined below:

Risk data aggregation is not limited to Risk data

All forms of data consumed by the risk function fall within the scope of the principles. This includes entities & hierarchies, book & trade data, prices, instruments etc.
A capability to describe any data item, its lineage, business usage and stakeholder community

An organisation wide, cross-functional view of data

An organisation wide, cross-functional approach is required to bring visibility & a unified understanding to data, its definitions, ownership, lineage, usage, controls, quality etc.
Understanding data usage, flow, dependency, materiality and governance across functions & disciplines

Enterprise wide data management capability

Organisation wide data taxonomies must be agreed & consistently used by the business. Governance, quality, lineage & data management processes must also be delivered.
Drive an integrated approach to your enterprise data management efforts across definitions, governance, data quality, lineage, IT etc.

Data in desktop applications (EUCs)

Using Excel is not prohibited, but the regulator demands oversight and control. Banks must understand the materiality of those desktop applications.
Ensure one has sight of the EUCs and understands the materiality of those in terms of data, lineage, governance etc.

A driver for cultural change

Requires business side executives to take the lead starting with ownership of data and its issues as well as willingness to drive change in their own organisations.
Drive a new way of working around data. Understanding one’s core data resources and their business context is only a click away.

The business context of data

Data must be connected to the processes and policies that manipulate and control it. The business relevance and materiality of data need to be captured and governed.
Not all data is equal. Understand what your core data items are and their business relevance and materiality