Posted: 27 May 2019 05 min. read

Building resilience in Australian banks with effective finance and risk data management

Compliance with BCBS

Post-GFC, much of the focus on strengthening the Australian banking sector centred on increasing capital reserves, extending loss-absorbing capacity, and driving improvements in liquidity practices.

Having raised significant capital recently, and achieved the ‘unquestionably strong’ tick from our regulator, the banking sector is well secure. However, even the best run and capitalised banks are not immune from internal and/or external shocks.

With a renewed focus on the ability of banks to manage themselves through points of financial stress, APRA is now resurfacing better management of data as essential in providing banks and the regulators, with the information needed to make the best risk management decisions.

Compliance with BCBS 239 provides an assessment criteria that determines a bank’s ability to meet this important risk management capability.  


With this increasing focus on banks’ data management capabilities, the gaps that exist in both financial and risk data are now under scrutiny. During the GFC, gaps were identified in data provided to regulators and subsequent investigation revealed numerous weaknesses in data capabilities. These gaps existed in both financial and risk data used to manage risk, provide business insights, and comply with regulatory requirements. The increased focus on data capabilities makes data management across the enterprise a necessity.

In response the Basel Committee on Banking Supervision (BCBS) originally published its BCBS 239 (Principles for effective risk data aggregation and risk reporting) in 2013 to focus on the volume of structured and unstructured data that banks work with that had increased exponentially.

BCBS 239 provides for ‘Principles for effective risk data aggregation and risk reporting’. Its objective is to strengthen banks’ risk data aggregation capabilities, and their internal risk reporting practices, and so enhance the risk management and decision-making processes at banks.

Compliance with BCBS 239 principles

Internationally the regulators expected banks to meet the BCBS 239 principles. Having lifted its gaze from capital adequacy and liquidity, it is now our turn to build resilience in data standards, and APRA is focusing on it.

The key points of focus include a holistic approach to governance, infrastructure, aggregation capabilities, and reporting practices.

The set of principles in the paper provide a framework to address and help resolve critical weaknesses that banks have in understanding and accurately describing their overall exposures and key risk factors. BCBS 239 sets out four major categories and fourteen principles (eleven of which are applicable to banks; the remaining three are applicable to regulators).

The core focus areas for banks include:

  • Holistic governance and infrastructure
  • Risk data aggregation capability
  • Risk reporting practices

Assessing compliance with BCBS 239

The assessment of BCBS 239 is aligned to eleven principles for banks established in the paper.

Progress to Date

The BCBS published a progress report in June 2018 on the adoption of the BCPS 239 principles by global systemically important banks (G-SIBs). Some of the key items highlighted included

  • No principle is fully complied with by all banks;
  • Banks had only made marginal progress with Principle 1 (Governance) and Principle 2 (Data and IT infrastructure). These are considered foundational capabilities and this therefore serves as a significant barrier to full adoption of BCBS 239; and
  • On Principle 4 (Distribution), Principle 7 (Accuracy), Principle 9 (Clarity and usefulness), Principle 11 (Distribution), banks were deemed to have ‘reversed course’ – perhaps recognising there is an increase level of transparency, scrutiny and public disclosure required.

Gaps and challenges faced by banks

Clearly Australian and international banks continue to struggle to meet these principles due to complexities including:

  • Updating and improving legacy systems
  • Complex and time consuming integration across multiple systems 
  • Questionable quality and accuracy of data
  • Processing complexity including the availability, lineage and aggregation

Next steps

Focus on some of the fundamental building blocks at some banks which remain immature including a strong data framework (data quality rules, controls and processes), data governance (clarity of ownership and accountability) and data taxonomies (consistency of practice). 

Related articles


Meet our authors

Sean Moore

Sean Moore

Partner, Risk Advisory

Sean has over 20 years’ experience within institutional and investment banking. At Deloitte, Sean is focused on providing his in-depth experience and expertise to financial institutions on Risk, Technology and Business Transformation. Previously, as a Managing Director at some of the largest global banks, he held key roles including Global Head of Operational Risk, APAC Head of Product Control, COO of European Equity Trading, Head of Finance for Continental Europe and COO Australia. His international career has seen him live and work in Australia, New York, London, Zurich, Frankfurt, Singapore and Hong Kong.

Melissa  Ferrer

Melissa  Ferrer

Partner, Consulting

Melissa is a partner in the Sydney Data practice in Deloitte Consulting with over 25 years’ experience in data and information management. She joined Deloitte in Jan 2014. Her role prior to that was Executive Manager, Data Services at CBA, where she worked from 2007 to 2013. Prior to CBA she worked in consulting roles in the US and Australia.

Ally MacLeod

Ally MacLeod

Partner, Risk Advisory

Ally is a partner in the Financial Services Risk Advisory team and has 16 years’ experience providing risk advice and assurance services to Financial Services companies in both Australia and the UK. Ally re-joined Deloitte in 2016 after spending two years with Westpac’s Operational Risk team and leads our Digital and Technology risk services to Financial Services clients in Sydney.