BCBS-239 Compliance: Ensuring Reliable and Trustworthy Risk Reporting For Financial Institutions
The Need For The BCBS Reporting Regulation
The 2007 financial crisis and the collapse of Lehman Brothers the following year raised doubts about how well the banking industry was able to carry out effective risk data aggregation and risk reporting, two topics that are important for any bank but particularly important for G-SIBs (Global Systemically Important Banks) because of their systemic influence in the financial world. With banks’ IT and data architecture inadequate to deal with financial risks, along with weak risk data aggregation capabilities, the events at Lehman Brothers became the climax of the financial crisis.
In response to this, the Basel Committee on Banking Supervision created a global regulatory standard for all G-SIBs called BCBS-239 to increase banks’ ability to identify and manage risk. BCBS-239 is a clear framework for effective RDARR (risk data aggregation and risk reporting), involving principles to be put in place to enhance risk management and decision making in banks, with the aim of creating a barrier to what happened in 2007.
Today, banks are making progress in numerous fields, especially on the architecture side of collecting and cataloging data. However, they still need to make progress in other areas, such as reporting, which corresponds to Principle 7 of BCBS-239. Yes, we can see that banks are making some progress, which is great, but the regulation clearly states that “implementation of the Principles should be a dynamic or ongoing process”, highlighting the need for continuous strategies to increase accuracy in their reports. However, banks are using unverified reports and KPIs, such as credit risk exposure, currency risk exposure, etc., generated from Analytics software to do that. They are potentially ignoring an important risk: the fact that the data displayed in those dashboards and reports are wrong or incomplete, and that’s not necessarily because of the data itself. So, just how can they ensure 100% accuracy of their risk reports? This article will help answer this question.
What is BCBS-239?
First of all, let’s understand what exactly the BCBS-239 regulation is. BCBS-239 is a set of 14 RDARR principles to help banks reduce the severity of losses or systemic crises (such as the 2008 financial crisis) due to poor risk management. The regulation is primarily aimed at G-SIBs, but D-SIBs (Domestic Systemically Important Banks) are also strongly recommended to apply the same principles. The 14 principles can be grouped into 4 categories:
- Governance and Infrastructure
Banks should have a strong governance framework, risk data architecture, and IT infrastructure in place which are preconditions for compliance with the principles.
- Risk Data Aggregation Capabilities
Banks should have effective risk data aggregation capabilities in place to ensure their risk management reports are always reliable.
- Risk Reporting Capabilities
Risk reports must be accurate and precise to ensure a bank’s board and senior management can rely on their reports and make critical decisions about risk.
- Supervision and Cooperation
During the compliance progress, supervisors will assess and monitor the progress made and cooperate with other banks to determine whether or not enhancements are required within the principles.
By successfully implementing the principles, banks will see several business benefits:
- Increases the value of the bank
- Increases efficiency
- Reduces probability of losses
- Enhances strategic decision-making
- Increases profitability
However, no matter the benefits implementing these principles can bring, when BIS carried out an assessment of the compliance progress for G-SIBs in 2018, results showed that most of the banks were not fully compliant despite notable progress in some areas. Today, banks manage risk data aggregation well through data collection, data storage, data catalog, and data lineage, but it’s the BCBS risk reporting where they lack the expertise. Risk reporting sits on top of Analytics Data which is in the last mile of the data journey. If banks are not implementing strategies to ensure Data Analytics is trustworthy and governed, how can they be sure their risk reports are accurate? Without clear assurance that their reports are accurate and precise, how can regulators and supervisors make trusted decisions?
When we look closely at the different principles, there is one in particular that is the weak link in the BCBS-239 strategy: Principle 7. This one focuses on the accuracy of risk reports, and in the next part you’ll discover how you can ensure full compliance with Principle 7 using Wiiisdom.
Ensuring BCBS Reporting Accuracy At All Times
Accuracy: Risk management reports should accurately and precisely convey aggregated risk data and reflect risk in an exact manner. Reports should be reconciled and validated.
Banks’ risk data aggregation and risk reporting practices should be subject to high standards of validation to ensure compliance with Principle 7. This requires agility in order to speed up the decision-making process for a bank’s board and senior management. For example, in early 2022 before the Russian/Ukraine crisis, regulators asked banks to report on their risk exposure to a potential war, showing the importance of this whole mechanism which must combine efficiency and reliability. To achieve this, banks must carry out automated reconciliation, and equally be able to document the reconciliation results. Wiiisdom becomes the missing piece of the puzzle in a bank’s BCBS-239 compliance strategy.
Furthermore, and we can’t say it enough, data quality alone does not guarantee that a bank’s Chief Risk Officer has trusted risk reports to provide to the regulator or to make decisions. Between the data warehouse (storing the aggregate risk data) and the BI and Analytics platform, the data can be transformed in a number of ways, thus putting its quality at risk (you can access our guide on Analytics QA here). Wiiisdom ensures each and every risk report is displaying the right information and continues to do so in the future through reconciliation and validation. Equally, our solutions provide banks the ability to review their compliance progress with the BCBS-239 principles by documenting test results over time.
Principle 7 states that banks should maintain, at a minimum, “Automated and manual edit and reasonableness checks, including an inventory of the validation rules that are applied to quantitative information.” To do this, banks must take advantage of automation solutions that use robots to carry out all the necessary checks of their risk reports to ensure the accuracy is never compromised. Manual checks are simply no longer an option for banks due to the risk of human errors that could have disastrous consequences further down the line. Automation is a must.
What’s very important to remember is that it’s an ongoing process: even once you become compliant with this principle, it doesn’t stop there. You need to make sure you’re consistently compliant with BCBS-239, especially when there are significant upstream changes to the data journey or when your risk profiles or strategic initiatives evolve. Furthermore, these principles are now getting widely adopted by other departments in your organization, such as the finance department, so applying these principles is not a one-off project but rather a constant effort for compliance and optimization.
How Compliant Are You In BCBS Reporting?
BCBS-239 compliance provides banks the reassurance that their risk data aggregation and risk reports are accurate, reliable, and precise in order to make the best decisions about risk. Ensuring risk report accuracy not only allows banks to be compliant with BCBS-239 but also mitigates an inherent operational/technological risk for them, which is the risk of relying on unverified, ungoverned, untrustworthy reporting.
At Wiiisdom, we help banking organizations ensure all reports are validated at all times – if you are interested in learning more about how we can help you comply with BCBS reporting, get in touch with us today.