It is time to reprioritize BCBS 239 compliance

A roadmap for financial institutions

As regulators refocus their attention and increase the level of scrutiny over Risk Data Aggregation and Risk Reporting (RDARR), it is more important than ever for financial institutions to address structural deficiencies and strengthen adherence with the Basel Committee on Banking Supervision (BCBS) 239 principles. By acting now, your organization can preempt potential regulatory inquiries, prepare for regulatory exams, and strengthen its overall risk data management posture and capabilities.

Strengthening risk data management through BCBS 239 compliance

In January 2013, the Basel Committee issued guidance on the Principles for effective risk data aggregation and risk reporting (RDARR), also referred to as Basel Committee on Banking Supervision (BCBS) 239 principles. According to these principles, “risk data aggregation” means defining, gathering, and processing risk data according to the bank’s risk reporting requirements to enable the bank to measure its performance against its risk appetite. BCBS 239 was established because of the deficiencies in reporting and management information systems (MIS) of major global banks during the 2007–2009 global financial crisis.

Recent developments in the regulatory landscape

Continued challenges with the current BCBS 239 state of implementation have led to increased regulatory scrutiny and onsite inspection (OSI) campaigns, resulting in numerous high-severity findings. RDARR is now one of the areas of focus for the European Supervisory Examination Programme (ESEP) under operational and financial resilience priorities.

In July 2023, the European Central Bank (ECB) published a draft guide explicitly outlining expectations for BCBS 239 adherence. Firms should consider taking actions now to prioritize adherence with RDARR principles to preempt potential intense regulatory inquiries, prepare for regulatory exams, and strengthen their overall risk data management posture and capabilities.

Thematic observations from regulatory reviews

Recent ECB regulatory reviews highlighted unsatisfactory overarching RDARR governance and practices, emphasized in the following thematic observations:

  • Policies and standards require enhancements to establish clear data ownership, effective governance framework, data aggregation, reporting, and groupwide data quality standards.
  • Lack of comprehensive material risk and legal entity coverage in risk data aggregation report definition and scoping, without proper consideration for inclusion of financial, regulatory, and supervisory reports.
  • Data architecture does not clearly establish a single source of truth for each risk type with full documentation of requirements, data flows, data catalogs, risk metadata, and data controls.
  • Use of manual data and processes, as well as inadequate data controls in a fragmented IT environment, increases risk of accuracy errors in risk reporting.
  • Lack of independent review of adherence with BCBS 239 principles through second and third lines of defense.
  • Gaps in governance, oversight, and implementation of risk data aggregation and risk reporting due to lack of effective management oversight.
  • Formal processes for reviewing and providing input into clarity and usefulness of risk reporting are not established.

‘Building blocks’ for an effective risk data aggregation and risk reporting program

Deloitte has designed an RDARR framework consisting of six “building blocks” to help financial institutions establish and/or strengthen their capabilities related to achieving BCBS 239 principles:

Three primary enterprise service delivery goals

Definition and scope

Defining RDARR scope incorporating coverage across risk types, legal entities, and regulatory reports. Maintaining transparency through firmwide RDA report inventory.

Policy and standards

Publishing RDARR policies and standards with consideration for roles and responsibilities, ownership, data aggregation, data quality, controls, and governance.

Governance and supervisory framework

Establishing an effective oversight framework with clear expectations, roles, and accountabilities for BCBS 239 adherence, governance, change management, issue escalation, and reporting.

Data and technology architecture

Designing data and technology architecture guidelines outlining a strategy for data catalogs, data taxonomy, data controls, data quality repository, and authorized data sourcing.

Risk reporting and aggregation practices

Outlining framework for reporting process standardization, reporting controls implementation, and report distribution.

Independent validation

Defining second (compliance) and third (internal audit) lines of defense roles and coverage model for independent BCBS 239 adherence assessments, ongoing monitoring, testing, and validation.

The time to act is now

Many banks examined by the ECB had findings around governance related to board of directors’ responsibility, monitoring and validation, and scope of application. To prepare, financial institutions should proactively address structural deficiencies related to adherence with BCBS 239 principles. Depending on your current level of maturity, we recommend taking the following steps to get started:

  • Perform RDARR assessment to gauge adherence with BCBS 239 principles.
  • Establish material risks and legal entity coverage within your RDARR inventory.
  • Review policies and standards for comprehensive BCBS 239 alignment.
  • Evaluate your governance framework with a legal entity management oversight lens.
  • Develop an integrated RDARR story across global and legal entity teams.

Now is the time to assess your RDARR programs, execute remedial activities, and prepare global and local teams for regulatory exams.

Deloitte can help

Deloitte has extensive experience leading RDARR programs and initiatives at large financial institutions. With a global network of member firms spanning more than 150 territories and countries and a breadth of capabilities, Deloitte’s subject-matter specialists can jump-start BCBS 239 rapid assessments and the overall maturity journey.

Download the report to learn more about Deloitte’s RDARR approach.

Get in touch

Dinesh Patel
Managing Director
Deloitte & Touche LLP
dineshpatel@deloitte.com

Cory Liepold
Principal
Deloitte & Touche LLP
cliepold@deloitte.com

Satish Iyengar
Managing Director
Deloitte & Touche LLP
siyengar@deloitte.com

Ryan Hughes
Manager
Deloitte & Touche LLP
ryahughes@deloitte.com
