Perspectives

It is time to reprioritize BCBS 239 compliance

A roadmap for financial institutions

As regulators refocus their attention and increase the level of scrutiny over Risk Data Aggregation and Risk Reporting (RDARR), it is more important than ever for financial institutions to address structural deficiencies and strengthen adherence with the Basel Committee on Banking Supervision (BCBS) 239 principles. By acting now, your organization can preempt potential regulatory inquiries, prepare for regulatory exams, and strengthen its overall risk data management posture and capabilities.

Strengthening risk data management through BCBS 239 compliance

In January 2013, the Basel Committee issued guidance on the Principles for effective risk data aggregation and risk reporting (RDARR), also referred to as Basel Committee on Banking Supervision (BCBS) 239 principles. According to these principles, “risk data aggregation” means defining, gathering, and processing risk data according to the bank’s risk reporting requirements to enable the bank to measure its performance against its risk appetite. BCBS 239 was established because of the deficiencies in reporting and management information systems (MIS) of major global banks during the 2007–2009 global financial crisis.

Recent developments in the regulatory landscape

Continued challenges with the current BCBS 239 state of implementation have led to increased regulatory scrutiny and onsite inspection (OSI) campaigns, resulting in numerous high-severity findings. RDARR is now one of the areas of focus for the European Supervisory Examination Programme (ESEP) under operational and financial resilience priorities.

In July 2023, the European Central Bank (ECB) published a draft guide explicitly outlining expectations for BCBS 239 adherence. Firms should consider taking actions now to prioritize adherence with RDARR principles to preempt potential intense regulatory inquiries, prepare for regulatory exams, and strengthen their overall risk data management posture and capabilities.

Thematic observations from regulatory reviews

Recent ECB regulatory reviews highlighted unsatisfactory overarching RDARR governance and practices, emphasized in the following thematic observations:

Policies and standards require enhancements to establish clear data ownership, effective governance framework, data aggregation, reporting, and groupwide data quality standards.
Lack of comprehensive material risk and legal entity coverage in risk data aggregation report definition and scoping, without proper consideration for inclusion of financial, regulatory, and supervisory reports.
Data architecture does not clearly establish a single source of truth for each risk type with full documentation of requirements, data flows, data catalogs, risk metadata, and data controls.
Use of manual data and processes, as well as inadequate data controls in a fragmented IT environment, increases risk of accuracy errors in risk reporting.
Lack of independent review of adherence with BCBS 239 principles through second and third lines of defense.
Gaps in governance, oversight, and implementation of risk data aggregation and risk reporting due to lack of effective management oversight.
Formal processes for reviewing and providing input into clarity and usefulness of risk reporting are not established.

‘Building blocks’ for effective risk data aggregation and risk reporting program

Deloitte has designed an RDARR framework consisting of six “building blocks” to help financial institutions establish and/or strengthen their capabilities related to achieving BCBS 239 principles:

Three primary enterprise service delivery goals

${column1-large-text}

Definition and scope

Defining RDARR scope incorporating coverage across risk types, legal entities, and regulatory reports. Maintaining transparency through firmwide RDA report inventory.

${column1-button-text}

${column2-large-text}

Policy and standards

Publishing RDARR policies and standards with consideration for roles and responsibilities, ownership, data aggregation, data quality, controls, and governance.

${column2-button-text}

${column3-large-text}

${column3-title}

${column3-text}

${column3-button-text}

${column4-large-text}

${column4-title}

${column4-text}

${column4-button-text}

Three primary enterprise service delivery goals

${column1-large-text}

Governance and supervisory framework

Establishing an effective oversight framework with clear expectations, roles, and accountabilities for BCBS 239 adherence, governance, change management, issue escalation, and reporting.

${column1-button-text}

${column2-large-text}

Data and technology architecture

Designing data and technology architecture guidelines outlining a strategy for data catalogs, data taxonomy, data controls, data quality repository, and authorized data sourcing.

${column2-button-text}

${column3-large-text}

${column3-title}

${column3-text}

${column3-button-text}

${column4-large-text}

${column4-title}

${column4-text}

${column4-button-text}

Three primary enterprise service delivery goals

${column1-large-text}

Risk reporting and aggregation practices

Outlining framework for reporting process standardization, reporting controls implementation, and report distribution.

${column1-button-text}

${column2-large-text}

Independent validation

Defining second (compliance) and third (internal audit) lines of defense roles and coverage model for independent BCBS 239 adherence assessments, ongoing monitoring, testing, and validation.

${column2-button-text}

${column3-large-text}

${column3-title}

${column3-text}

${column3-button-text}

${column4-large-text}

${column4-title}

${column4-text}

${column4-button-text}

The time to act is now

Many banks examined by the ECB had findings around governance related to board of directors’ responsibility, monitoring and validation, and scope of application. To prepare, financial institutions should proactively address structural deficiencies related to adherence with BCBS 239 principles. Depending on your current level of maturity, we recommend taking the following steps to get started:

Perform RDARR assessment to gauge adherence with BCBS 239 principles.
Establish material risks and legal entity coverage within your RDARR inventory.
Review policies and standards for comprehensive BCBS 239 alignment.
Evaluate your governance framework with a legal entity management oversight lens.
Develop an integrated RDARR story across global and legal entity teams.

The time is now to take action in assessing your RDARR programs, executing remedial activities, and preparing global and local teams for regulatory exams.

Deloitte can help

Deloitte has extensive experience leading RDARR programs and initiatives at large financial institutions. With a global network of member firms spanning more than 150 territories and countries and a breadth of capabilities, Deloitte’s subject-matter specialists can jump-start BCBS 239 rapid assessments and the overall maturity journey.

Download the report to learn more about Deloitte’s RDARR approach.

Contact us

First name*

Last name*

Email*

Company*

Title*

Location*

I agree to receive emailed reports, articles, event invitations and other information related to Deloitte products and services. I understand I may unsubscribe at any time by clicking the link included in emails.*

Yes No

The submission of personal information through this page is subject to Deloitte's Privacy Statement and Legal Terms. I have read and accept the terms of use.*

*Required

Get in touch

Dinesh Patel
Managing Director
Deloitte & Touche LLP
dineshpatel@deloitte.com

Cory Liepold
Principal
Deloitte & Touche LLP
cliepold@deloitte.com

Satish Iyengar
Managing Director
Deloitte & Touche LLP
siyengar@deloitte.com

Ryan Hughes
Manager
Deloitte & Touche LLP
ryahughes@deloitte.com

Fullwidth SCC. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.

Insert Custom HTML fragment. Do not delete! This box/component contains code that is needed on this page. This message will not be visible when page is activated.
+++ DO NOT USE THIS FRAGMENT WITHOUT EXPLICIT APPROVAL FROM THE CREATIVE STUDIO DEVELOPMENT TEAM +++

Viewing offline content

It is time to reprioritize BCBS 239 compliance

A roadmap for financial institutions

Strengthening risk data management through BCBS 239 compliance

Recent developments in the regulatory landscape

Thematic observations from regulatory reviews

‘Building blocks’ for effective risk data aggregation and risk reporting program

Three primary enterprise service delivery goals

${column1-large-text}

Definition and scope

${column2-large-text}

Policy and standards

${column3-large-text}

${column3-title}

${column4-large-text}

${column4-title}

Three primary enterprise service delivery goals

${column1-large-text}

Governance and supervisory framework

${column2-large-text}

Data and technology architecture

${column3-large-text}

${column3-title}

${column4-large-text}

${column4-title}

Three primary enterprise service delivery goals

${column1-large-text}

Risk reporting and aggregation practices

${column2-large-text}

Independent validation

${column3-large-text}

${column3-title}

${column4-large-text}

${column4-title}

The time to act is now

Deloitte can help

Contact us

Get in touch

Recommendations

Link your accounts

You previously joined My Deloitte using the same email. Log in here with your My Deloitte password to link accounts. | | Deloitte users: Log in here one time only with the password you have been using for Dbriefs/My Deloitte.

You've previously logged into My Deloitte with a different account. Link your accounts by re-verifying below, or by logging in with a social media account.

Looks like you've logged in with your email address, and with your social media. Link your accounts by signing in with your email or social account.