Focusing your BCBS 239 effort: 10 considerations in risk and data compliance for banking leaders
Around the world, just two banks are considered fully compliant when it comes to risk data aggregation and reporting. Just two.
This was the finding in the recent progress report by The Basel Committee on ‘Banking Supervision on the adoption of the Principles for Effective Risk Data Aggregation and Risk Reporting’ (BCBS 239).
The report reveals a landscape of progress in key areas such as overarching governance, risk data aggregation capabilities, and reporting practices. However, the progress report emphasised the need for greater commitment from senior leadership in implementing principles for effective risk data aggregation and reporting and there is a clear call to action for regulators to intensify their supervisory activities, including onsite inspections, and deep-dive reviews.
Here, we share 10 ways to help banks ensure their BCBS 239 efforts are effectively focused:
1. Implement effective data governance oversight
Strengthen the Board’s knowledge and commitment through regular reports that highlight challenges with legacy IT, and processes that are not fit for purpose. Reports should outline necessary timelines and budgets for fixes, emphasise complexity and dependencies, and underscore senior ownership of challenges across the Three Lines of Defence (3LoD).
2. Create a multiyear BCBS 239 roadmap with a focus on continual improvement
Regulators expect banks to cover all risk areas across financial and non-financial risk, from source to report. The scope covers most of the bank’s data landscape, so it will be an ongoing programme of work. Prioritise high-risk areas first, ensure funding is in place, and adopt a continuous improvement mindset. Focus on building the scale and competence of teams for ongoing operations, emphasising the journey rather than viewing it as a one-time project.
3. Data quality management
Data quality management should go beyond conventional technical profiling and monitoring of data fields on inputs to risk systems. It needs to include monitoring and controls that consider the completeness of data, and reconciliation of data with golden sources (e.g. finance) and should be applied to all data used in risk processes, i.e. data used for testing risk models as well as risk management systems.
4. Create a practical framework to manage data policy and standards
Too many data management frameworks are conceptual and not well understood. The enterprise data management framework needs to be practical and understandable by business leaders and people who work with data. It needs to describe in business language the minimum expectations around how data should be managed, and the role of data producers, and data consumers. It should be accompanied by training and education as is common with other frameworks and policies in a bank.
5. Clarify data ownership
Develop a clear operating model that embeds end-to-end ownership throughout the data lineage from source to report, with precise roles and responsibilities. This should include the use of data contracts between producers and consumers outlining the content of the data and the quality expectation in a set of accepted service levels.
6. Establish good data habits
Establish and manage a culture that prioritises and ensures the quality of data at both the source and point of ingestion. Without data quality assurance at source or ingestion, banks will never increase their data quality and will remain in a continual cycle of obtaining data not fit for purpose, cleaning, and remediating.
7. Consolidate and rationalise fragmented data architecture
Transition to a risk data architecture that is based on data domains, keeping the data management close to the experts for a given type of data. Implement data management capabilities that focus on making data easy to find, provide transparency into data quality and lineage, share data effectively, and remove unnecessary copying.
8. Automate how you collect, move, and transform data
Standardise and automate processes for gathering key data, incorporating built-in controls to effectively identify and address data anomalies. Focus on reducing rekeying of information and use of End User Computing and mitigate with controls where this cannot be achieved in the short-term.
9. Reporting automation: Ensure detail and traceability
Implement automation of critical reporting, ensuring it includes drill-down granularity and a comprehensive audit trail, while also enhancing the capability for ad-hoc reporting. Consider specialist disclosure reporting packages that include out-of-the-box data models, data quality controls, data lineage, and support for quality reviews.
10. Validation and audit: Embed into 2nd and 3rd line of defence
Ensure independent validation within the second line, including documented operational processes and dedicated resources in two lines of defence, complemented by regular internal audits in 3LoD.
If your bank has primarily been engaged in self-assessments and has yet to undergo an inspection by your local regulator, this presents a valuable opportunity. It's a crucial time to ensure your plans and programmes are thoroughly aligned with BCBS 239’s findings. This will not only prepare you for future regulatory inspections but will also significantly strengthen your bank's overall risk data management and reporting capabilities. By proactively addressing these areas, you can enhance compliance with the BCBS 239 principles and position your bank to effectively manage emerging risks and challenges.