Compliance Driven Business Value

The Basel Committee on Banking Supervision (BCBS) issued Regulation 239 in 2013. This regulation on risk aggregation and reporting establishes a framework of principles designed to make risk aggregation and reporting more timely, accurate, comprehensive, and granular. While the elements of the BCBS framework are obviously sensible, they will not by themselves improve the ability of financial organizations to diagnose and react to areas of risk exposure. The framework does not define the criteria for evaluating capability, maturity or competency.

BCBS Regulation 239 includes fourteen principles that are split into four sections: general principles, principles for risk data aggregation, principles for risk data reporting, and principles for regulatory supervision. The general principles speak broadly to the governance and infrastructure around risk management. They call for risk governance to encompass risk-data aggregation and reporting, and that systems designed for risk aggregation and reporting should function well under stress or crisis. Here we will focus primarily on the principles for risk data aggregation and risk data reporting.

Principles 3-6: Risk Data Aggregation

This section of the regulation stipulates that risk data should be aggregated across the business in a way that results in the following qualities.
Accuracy & Reliability
Here the BCBS is seeking for financial institutions to treat their risk data with a similar level of care and scrutiny as their financial data. A similar level of controls and rigor needs to be applied in order to improve the confidence in the quality of data used in the risk management process. Wherever possible manual aggregation methods should be automated in order to maximize the efficiency and reliability of controls.
Missing data will only be tolerated if the bank can prove that the missing data will have no material impact on the ability of the bank to manage it’s risk effectively. Manual processes allow for an increased likelihood of missing data being swept up into the aggregation process so again automation is critical.
Risk aggregation systems must be able to react to both the different requirements to display risk exposures at different levels in the organization and to changes in the bank’s operating environment such as regulatory changes or M&A activity.
Due to the volatility of risk exposures faced by banks, the BCBS has mandated that the data aggregation in a bank can produce a timely view of current exposure, during times of normal operations and during times of crisis.
What Principles 3-6 do not provide financial services organizations is a methodology for evaluating capabilities within the data aggregation processes.
It is our experience that a standard framework is called or in these situations, a readily available standard has been developed by the Enterprise Data Management Council, in conjunction with Carnegie Mellon University, called the Data Management Maturity (DMM) model. The use of this model will enable organizations to have a baseline against which to measure performance of data management processes related to data aggregation.

Principles 7-10: Risk Data Reporting

This section of the regulation establishes four principles of risk data reporting that are designed to get the right data to the right people so that internal and external parties can more effectively make decisions about the risks facing an organization.
Accuracy & Reliability
Similar to the aggregation standard, this principle dictates that banks should have the necessary processes in place to ensure that the data in their risk reports are accurate, reconciled, validated, and complete to such an extent that there could be no material impact on decision-making.
Reports must reflect the full range of current risk exposure faced by the bank.Reports should include information on asset classes, lines of business, and organization-wide risks like concentrations/exposures to certain countries and industries. Reports should also include future scenario analysis as well.
Clarity & Usefulness
Reports should cover all relevant risk areas but also be readily understandable by different types of users who will use them for decision making.
Reports should be produced at an appropriate frequency to meet the needs of internal decision-makers not just external reporting deadlines.

Deriving Business Value

The objective of the BCBS framework is to enable improved data interoperability and comparability which will over the long term improve our understanding of risk across the industry sector. While it is important to note that the improved focus on data infrastructure will not by itself improve risk management, the principles will likely lead to higher quality output from risk models and improved alignment of risk exposure with your organizations risk appetite. The benefits of effectively adopting these principles go far beyond regulatory compliance and go directly to the bottom line. Examples include:


While building an integrated data infrastructure should be an objective that all organizations strive to achieve regardless of the regulatory environment, the reality is that it is time consuming, expensive and difficult to achieve. In the past, many organizations did not have ability to commit to an extended project horizon to achieve this objective. Data aggregation is a mandate that will provide many organizations with the intestinal fortitude required to revamp the data factory in order to provide a capability that is repeatable, controlled and also efficient. Organizations that achieve this objective will not only be able to meet regulatory requirements but will also drive improved overall performance.
Share this page: