BCBS 239

Principles for Effective Risk Data Aggregation and Risk

. Reporting
Analysis and Insight

Submitted By:
Mohi Shukla
Consultant- BFSI
Mohi.shukla@wipro.com
BCBS 239 - Principles for effective risk data aggregation and risk reporting:
Analysis and Insight

Post the banking crisis in 2008 triggered by failure in Real State Sector in USA, new sets of Rules and
Regulations were imposed by Basel Committee on Banking Supervision. This new set of norms were
called Basel 3 Norms.

Basel III is an international regulatory accord that introduced a set of reforms designed to improve the
regulation, supervision and risk management within the banking sector. The Basel Committee on
Banking Supervision published the first version of Basel III in late 2009, giving banks approximately three
years to satisfy all requirements. Largely in response to the credit crisis, banks are required to maintain
proper leverage ratios and meet certain minimum capital requirements.

BCBS 239 came into picture in January 2013. The subject title of the regulation is: Principles for effective
risk data aggregation and risk reporting. One of the key lessons learned from the financial crisis of 2008
was that banks’ information technology (IT) and data architectures were truly inadequate to support the
broad management of financial risks. Many banks lacked the ability to aggregate risk exposures and
identify concentrations quickly and accurately at the bank group level, across lines of business and
between legal entities. Several were unable to manage their risks properly because of weak risk data
aggregation capabilities and risk reporting practices. In the end, it led to severe consequences for the
banks and, unfortunately, the global financial system as a whole.

BCBS 239 was established to strengthen a bank’s Risk Data aggregation capabilities and internal risk
reporting practices, enhance its risk management, and decision making processes.
Principles of BCBS 239

Overreaching
governance and
infrstructure

Implementation
Risk Daata
timeline and
Aggregation
transitional
Capabilities
arrangements

Principles

Supervisory
Risk Reporting
Review, tools
Prctices
and cooperation

Basic Principles to be followed are mentioned below:

1. Governance
A bank’s risk data aggregation capabilities and risk reporting practices should be subject to strong
governance consistent with other principles and guidance established by the Basel Committee.

2. Data architecture and IT infrastructure

A bank should design, build and maintain data architecture and IT infrastructure, which fully supports its
risk data aggregation capabilities, and risk reporting practices not only in normal times but also during
times of stress or crisis, while still meeting the other principles.

3. Accuracy and Integrity

A bank should be able to generate accurate and reliable risk data to meet normal and stress/crisis
reporting accuracy requirements. Data should be aggregated on a largely automated basis so as to
minimize the probability of errors.

4. Completeness
A bank should be able to capture and aggregate all material risk data across the banking group. Data
should be available by business line, legal entity, asset type, industry, region and other groupings that
permit identifying and reporting risk exposures, concentrations and emerging risks.

5. Timeliness
A bank should be able to generate aggregate and up to date risk data in a timely manner while also
meeting the principles relating to accuracy and integrity, completeness and adaptability. This timeliness
should meet bank-established frequency requirements for normal and stress/crisis risk management
reporting.

6. Adaptability
A bank should be able to generate aggregate risk data to meet a broad range of on-demand, adhoc risk
management reporting requests, including requests during crisis situations, requests due to changing
internal needs and requests to meet supervisory queries.

7. Accuracy
Risk management reports should accurately and precisely convey aggregated risk data and reflect risk in
an exact manner. Reports should be reconciled and validated.

8. Comprehensiveness
Risk management reports should cover all material risk areas within the organization. The depth and
scope of these reports should be consistent with the size and complexity of the bank’s operations and
risk profile, as well as the requirements of the recipients.

9. Clarity
Risk management reports should communicate information in a clear and concise manner. Reports
should be easy to understand yet comprehensive enough to facilitate informed decision-making.
Reports should include an appropriate balance between risk data, analysis and interpretation, and
qualitative explanations.

10. Frequency
The board and senior management (or other recipients as appropriate) should set the frequency of risk
management report production and distribution. Frequency requirements should reflect the needs of
the recipients, the nature of the risk reported, and the speed at which the risk can change, as well as the
importance of reports in contributing to sound risk management and effective/efficient decision-making
across the bank. The frequency of reports should be increased during times of crisis.

11. Distribution
Risk management reports should be distributed to the relevant parties and includes meaningful
information tailored to the needs of the recipients, while ensuring confidentiality is maintained.

All the G-SIB’s( mainly Globally Systematic Important Banks) which are termed “too big to fail”, need to
comply to above mentioned set of norms.
BCBS IMPLICATIONS ON BANKING SECTOR

The introduction of new regulation and principles for risk-data aggregation impacts the majority of
banks. The main difference between the BCBS 239 standard and previous standards is its overarching
objective and the fact that compliance is required and assessed by the supervisor. A self-assessment will
show the strengths and weaknesses of a bank’s current data aggregation capabilities and risk-reporting
practices. By approaching the topic proactively, banks can identify the intersections between the
standard and their own business and operating model, and develop an adaptable solution that meets
the current regulation while embracing technological advances.

What BANKS should OFFER?

Banks should seek an established and experienced enterprise content provider able to offer:

 High-quality, timely and comprehensive front-to-back content coverage to meet business

activity, risk, regulatory, compliance and audit needs
 Consistent content across feeds, applications and desktops
 Experience in real-time and non-streaming content provision
 Commercials geared towards enterprise usage
 Deep understanding of the regulations and a proven ability to provide content ready for
regulatory reporting
 Responsive service and support models

What BCBS 239 has to Offer?

The benefits of being able to slice and dice risk data across the firm are relatively untapped due to the
complexity of banking systems and databases. In addition, aggregating data for risk reporting will open
up opportunities to proactively use this data to drive better business decisions to better manage risk,
allocate capital or identify fresh business opportunities.

The key is to use the mandate as an opportunity to build a business infrastructure to serve the future.
Having access to the full spectrum of data representing business activity across the corporation will
allow organizations to gain insights never available to them before.

By seeing BCBS 239 as the starting line, banks will not only be better prepared to handle future market
events, but will be able to do business differently. Some of the benefits are better decision making,
improved performance, enhanced customer service, capital efficiency, the ability to streamline multiple
compliance projects and increased company value.
What WIPRO Can do?

Wipro can play a major role in two big principles of BCBS 239 norms namely:

Data architecture and IT infrastructure: A bank should design, build and maintain data architecture and
IT infrastructure, which fully supports its risk data aggregation capabilities, and risk reporting practices
not only in normal times but also during times of stress or crisis, while still meeting the other principles.
Accuracy: Risk management reports should accurately and precisely convey aggregated risk data and
reflect risk in an exact manner. Reports should be reconciled and validated.

It is advisable for all the big banks apart from those mentioned, as G-SIB’s to follow these set of norms.
This comes as a big opportunity for IT organization with huge technical capabilities to develop in the
areas of Data architecture, IT infrastructure and validation tools.

WIPRO can help in the development of robust infrastructure and tools to properly manage and
accurately report the new risk measures to be included in the Risk reports.

Customer base for these solution offering’s from WIPRO are not just G-SIB’s but also banks with not so
good Risk Aggregation Capabilities as Banks with some aggregation capabilities are still at a better place
than those with very limited capabilities in this area.

A key focus is establishing a taxonomy and dictionary of risk data. All models of risk data should be
derived from these standards, unified or reconciled across the group or business lines using standard
naming conventions leading to maintainable and adaptable logical and physical data models. Risk and
accounting data should be aligned and reconciled. The level of detail of data across the organization
must be consistent to allow for aggregation and enable flexible reporting. A bank should consolidate
data sources and strive towards a single authoritative, golden (data) source per risk type and a high
degree of automation. Desktop and end-user computing should be reduced and phased out where
possible. In addition, the bank must establish data-quality management, including data profiling, data
lineage, monitoring, and reporting and escalation procedures. Comprehensive data governance must be
established, including identifying data owners and creating service-level agreements (SLAs) between
units within the bank and with external parties regarding processes related to risk data. Risk reporting
and reconsolidation should be documented and automatic (or manual) quality checks for risk-reporting
practices implemented. These are the areas where WIPRO can effectively utilize this opportunity for its
benefit.

Below we can see a SWOT Analysis of the current situation wrt WIPRO:
 STRENGTH WEAKNESS OPPORTUNITY THREATS

• Technical • Low prior • 30 G-SIB's • Competitive

Expertise experience in • Several other firms to
• Finance Market Risk institutions develop
Expertise capabilities • Risk capabilities
Mitigation • Banks to use
expertise their own
development resource

THE WAY FORWARD

As can be seen above, BCBS 239 can be a tedious set of regulations and may create short term issues for
banks, its long-term effects are very positive. Meeting the minimum regulatory requirements should be
seen merely as a starting point. Banks that take a longer-term, strategic approach – by leveraging a
strong data architecture fed by high-quality data from trusted sources – will be well-placed to optimize
their capital usage and operating efficiencies, improve their stability, uncover opportunities for
enhancing their business and customer service, and drive future growth and profitability.

In this regulation, lies a big opportunity for IT firms with technical expertise where customized solutions
can be offered to different banks for not just Risk aggregation capabilities but also for the validation and
monitoring purposes, hence increasing our hold not just in Market Risk capabilities but in Banking sector
as a whole.

REFERENCES:
1. http://www.bis.org/publ/bcbs239.pdf
2. https://blog.knowledgent.com/14-principles-bcbs-239/
3. https://blogs.thomsonreuters.com/answerson/implementing-bcbs-239/
4. https://www.compact.nl/en/articles/bcbs-239-banking-on-data/