Risk Data Aggregation & Risk Reporting: Navigating BCBS 239 Implementation Progress

Learn where Global Systemically Important Banks (G-SIBs) stand with implementing the BCBS 239 principles and what practical actions financial institutions can take today to accelerate compliance.

Since the global financial crisis that began in 2007, it has been evident that many banks were not well positioned to efficiently and accurately aggregate and report their key risk exposures and concentrations at the enterprise, legal entity, or line of business (LOB) level. These ineffective data aggregation and reporting capabilities resulted in the inability to access critical and timely risk information, threatening the safety and soundness of the global financial system. As a result, the Basel Committee on Banking Supervision (BCBS) published a set of principles in 2013 to strengthen banks’ risk data aggregation and risk reporting (RDARR) practices. By effectively implementing these principles, the expectation was that risk management and decision-making processes at banks would ultimately be enhanced.

Since 2013, global systemically important banks (G-SIBs) embarked on the journey to implement 11 non-supervisory Principles for effective risk data aggregation and risk reporting (the Principles) with expectations of adoption and compliance by the end of 2016.[1] Although the Principles were initially intended for G-SIBs, the BCBS strongly suggested that national supervisors also apply the Principles to domestic systemically important banks (D-SIBs). Since the Principles were issued, various regulatory bodies across the globe including the Office of the Comptroller of the Currency (OCC) and the Office of the Superintendent of Financial Institutions (OSFI) have communicated expectations of compliance, thereby making BCBS 239 a de facto standard across the financial services industry.[2] Acknowledging the important role that supervisors play, three supervisory principles under “Supervisor Review” were also included to determine whether the Principles were achieving their desired outcomes.

Graphic showing 14 different principles under topics such as "Governance & Infrastructure," "Risk Data Aggregation Capabilities," etc.

  • BCBS 239
  • Governance & Infrastructure
    • Principle 1: Governance
    • Principle 2: Data Architecture & IT Infrastructure
  • Risk Data Aggregation Capabilities
    • Principle 3: Accuracy & Integrity
    • Principle 4: Completeness
    • Principle 5: Timeliness
    • Principle 6: Adaptability
  • Risk-Reporting Practices
    • Principle 7: Accuracy
    • Principle 8: Comprehensiveness
    • Principle 9: Clarity & Usefulness
    • Principle 10: Frequency
    • Principle 11: Distribution
  • Supervisory Review
    • Principle 12: Review of 11 Principles
    • Principle 13: Remedial Actions & Supervisory Measures
    • Principle 14: Home/Host Cooperation

2023 BCBS 239 Implementation Progress

In November 2023, the BCBS published its most recent progress report and sixth update since the Principles were issued. The progress report outlines that not a single Principle has reached full compliance across all G-SIBs assessed. Disappointingly, the implementation of six of the 11 Principles has regressed or stalled, whereas all 11 Principles had made progress during the last update (published in 2020). Furthermore, it was highlighted that only two of the 31 G-SIBs assessed are fully compliant with all Principles.

The progress report notes several reasons for the delayed compliance. Lack of prioritization, insufficient ownership by the board and senior management, and various challenges improving the data architecture and IT infrastructure landscape all contributed to the results. Other key highlights include:

  • General improvement in compliance ratings on an aggregated level when compared to 2017
  • Mixed improvements since 2019 with some declines in aggregated compliance
  • Increase in the percentage of banks fully compliant with Principles 1 (governance) and 2 (data architecture and IT infrastructure)
  • Deterioration in the average compliance rating for fundamental Principle 1 (governance) and Principles 5 (timeliness), 7 (accuracy of risk reports), and 9 (clarity) from 2019 to 2022
  • Average compliance ratings for Principles 4 (completeness) and 6 (adaptability) relatively unchanged
  • Fewer banks rated fully compliant for the Principles in 2022 compared to 2019

Graph 1 – G-SIB Ratings by Principle in 2017, 2019, & 2022

This graphic from the Basel Committee on Banking Supervision, “Progress in adopting the Principles for effective risk data aggregation and risk reporting,” shows the assessment results for the banks in the sample for 2022 and compares them with the results of the previous progress reports in 2017 and 2019. The vertical columns in the chart show the relative percentage of banks’ compliance ratings per Principle while the lines with markers show the average compliance rating across all banks per Principle.[3]

Bar Chart depicting the compliant share of banks across 2017, 2019, and 2022 in areas like Governance, Data Architecture & IT Infrastructure, Accuracy and Integrity, and more

  • P1 Governance
    • 2017
      • 3% Non-Compliant
      • 28% Materially Non-Compliant
      • 45% Largely Compliant
      • 24% Fully Compliant
    • 2019
      • 3% Materially Non-Compliant
      • 67% Largely Compliant
      • 30% Fully Compliant
    • 2022
      • 3% Non-Compliant
      • 13% Materially Non-Compliant
      • 48% Largely Compliant
      • 35% Fully Compliant
  • P2 Data Architecture & IT Infrastructure
    • 2017
      • 45% Materially Non-Compliant
      • 41% Largely Compliant
      • 14% Fully Compliant
    • 2019
      • 30% Materially Non-Compliant
      • 60% Largely Compliant
      • 10% Fully Compliant
    • 2022
      • 23% Materially Non-Compliant
      • 65% Largely Compliant
      • 13% Fully Compliant
  • P3 Accuracy and Integrity
    • 2017
      • 7% Non-Compliant
      • 41% Materially Non-Compliant
      • 31% Largely Compliant
      • 21% Fully Compliant
    • 2019
      • 23% Materially Non-Compliant
      • 63% Largely Compliant
      • 13% Fully Compliant
    • 2022
      • 23% Materially Non-Compliant
      • 58% Largely Compliant
      • 19% Fully Compliant
  • P4 Completeness
    • 2017
      • 31% Materially Non-Compliant
      • 52% Largely Compliant
      • 17% Fully Compliant
    • 2019
      • 13% Materially Non-Compliant
      • 60% Largely Compliant
      • 27% Fully Compliant
    • 2022
      • 19% Materially Non-Compliant
      • 48% Largely Compliant
      • 32% Fully Compliant
  • P5 Timeliness
    • 2017
      • 3% Non-Compliant
      • 21% Materially Non-Compliant
      • 55% Largely Compliant
      • 21% Fully Compliant
    • 2019
      • 17% Materially Non-Compliant
      • 60% Largely Compliant
      • 23% Fully Compliant
    • 2022
      • 19% Materially Non-Compliant
      • 61% Largely Compliant
      • 19% Fully Compliant
  • P6 Adaptability
    • 2017
      • 34% Materially Non-Compliant
      • 41% Largely Compliant
      • 24% Fully Compliant
    • 2019
      • 23% Materially Non-Compliant
      • 50% Largely Compliant
      • 27% Fully Compliant
    • 2022
      • 19% Materially Non-Compliant
      • 58% Largely Compliant
      • 23% Fully Compliant
  • P7 Accuracy
    • 2017
      • 48% Materially Non-Compliant
      • 34% Largely Compliant
      • 17% Fully Compliant
    • 2019
      • 20% Materially Non-Compliant
      • 63% Largely Compliant
      • 17% Fully Compliant
    • 2022
      • 23% Materially Non-Compliant
      • 65% Largely Compliant
      • 13% Fully Compliant
  • P8 Comprehensiveness
    • 2017
      • 28% Materially Non-Compliant
      • 45% Largely Compliant
      • 28% Fully Compliant
    • 2019
      • 10% Materially Non-Compliant
      • 57% Largely Compliant
      • 33% Fully Compliant
    • 2022
      • 16% Materially Non-Compliant
      • 35% Largely Compliant
      • 48% Fully Compliant
  • P9 Clarity and Usefulness
    • 2017
      • 24% Materially Non-Compliant
      • 52% Largely Compliant
      • 24% Fully Compliant
    • 2019
      • 3% Materially Non-Compliant
      • 50% Largely Compliant
      • 47% Fully Compliant
    • 2022
      • 16% Materially Non-Compliant
      • 32% Largely Compliant
      • 52% Fully Compliant
  • P10 Frequency
    • 2017
      • 3% Non-Compliant
      • 24% Materially Non-Compliant
      • 48% Largely Compliant
      • 24% Fully Compliant
    • 2019
      • 10% Materially Non-Compliant
      • 63% Largely Compliant
      • 27% Fully Compliant
    • 2022
      • 10% Materially Non-Compliant
      • 35% Largely Compliant
      • 55% Fully Compliant
  • P11 Distribution
    • 2017
      • 14% Materially Non-Compliant
      • 41% Largely Compliant
      • 45% Fully Compliant
    • 2019
      • 3% Materially Non-Compliant
      • 43% Largely Compliant
      • 53% Fully Compliant
    • 2022
      • 39% Largely Compliant
      • 61% Fully Compliant

Key Improvements & Adoption Challenges

Since 2019, notable improvements in the share of banks achieving full compliance in Principle 1 (governance) implementation occurred via the development of enterprise data management frameworks, committee oversight, and end-to-end ownership demonstrated throughout the data life cycle. Some banks have harmonized and simplified their IT landscape while making use of central data repositories, resulting in continued improvement in the implementation of Principle 2 (data architecture and IT infrastructure). Additional improvement areas mentioned are the following:

  • Development of well-documented policies and procedures related to data quality and controls, metadata management, and data models
  • Assessment and independent validation of data management processes
  • Implementation of automated reporting platforms and business intelligence for on-demand and customized reporting and analysis
  • Increased use of data-quality dashboards globally

Banks continue to be challenged on several fronts, including the speed of artificial intelligence (AI) adoption, issues resulting from the global pandemic, and recent geopolitical stress events. These risks have brought new obstacles and delays to the implementation process. Outside of these global scenarios, banks continue to be plagued by more persistent, often cultural, challenges such as:

  • Incomplete data lineage and lack of classification of data, causing limitations in identifying data issues
  • Lack of data awareness and attention to data issues from senior management and the board, while inadequately ensuring appropriate budget and resources are in place
  • Increased scope or reassessments in initial adoption plans to account for business changes or known limitations in data and reporting capabilities
  • Overall data quality issues, e.g., source data, causing limitations for banks to explore innovative technologies

Key Expectations From Regulators & Recommendations to Banks

Banks continue to actively address these challenges through internal controls enhancements, policy updates, targeted audits, and automation improvements; however, additional work remains to fully implement the Principles. As a result, the progress report highlighted various recommendations for banks as well as detailed case studies to further encourage sharing of best practices and accelerate the opportunity for cross-pollination within the financial services industry. The progress report also provides recommendations to regulators and supervisors, which could indicate where banks can expect the regulatory community to focus going forward.

  • What to Expect From Regulators
    • More forceful measures to address long-lasting risk data aggregation and reporting deficiencies
    • Increased expectations to incorporate business model changes into implementation plans
    • Industry collaboration, acceleration, and continued priority towards achievement of the principles
    • More targeted and thorough reviews of data governance oversight processes
    • Fire drills, deep dives, onsite inspections, penalties/fines, and restrictions on capital distributions or business activities
  • Key Recommendations for Banks
    • Focus on recommendations from previous reports by addressing known weaknesses and conducting periodic reviews
    • Prioritize data governance oversight including effective roles and responsibilities from senior management and the board
    • Establish data quality ownership and accountability while implementing necessary Key Performance Indicators (KPIs)
    • Establish a framework to identify, monitor, and report key risk exposures
    • Implement robust data quality processes around source data before embarking on automation-type projects

Practical Actions for Financial Institutions to Take Today

As many hurdles to adopting the Principles persist, focusing on the recommendations and case studies highlighted in the latest report should be a priority. Overcoming these challenges and further progressing toward full adoption will help ensure banks are better prepared to manage their risks, especially considering the likelihood of additional supervisory focus. Financial institutions should view the following actions as critical to achieving maximum benefits of the Principles.

Data Awareness and Accountability: Ensure the board and senior management remain committed to strengthening the data culture along with data quality, risk data aggregation, and risk reporting capabilities. This should involve appropriate budgeting and resources dedicated to implementation, as well as visibility and accountability of key data governance roles, data quality dashboards/KPIs, and risk reporting leveraged by senior management.

Data Governance and Stewardship: Confirm there is a robust culture of data ownership and accountability for data-related issues and remediation processes. This should include transparency in the use of data quality dashboards across the three lines of defense and coordination of issue remediation management, as well as establishing various service-level agreements (SLAs) and operating models across data domains and business functions.

Align Technology Road Maps: Validate that data quality processes and tooling are operating effectively while leveraging automation for data quality monitoring and data lineage capturing. This should include an adequate data traceability process and complete data lineage. Where needed, integrating compensating controls throughout the data life cycle will create flexibility when implementation road maps need time to be reassessed or adjusted. Overall, implementation needs to remain agile and adaptive to the long-term strategic view of the organization, while taking advantage of opportunities to accelerate via the use of emerging technologies.

While BCBS 239 is a standard issued by the BCBS, there are clear business benefits beyond avoiding findings and actions by supervisors. Implementation of the Principles brings business value through streamlined reporting and data processes so organizations can better understand and manage their risks, especially during a time of crisis. Based on this latest assessment and what is expected from regulators moving forward, the time to revive and catalyze BCBS 239 implementation programs is now.

To learn more about actions your institution can take to revive its BCBS implementation, reach out to a Forvis Mazars professional.

  • [1] Banks identified as G-SIBs in November 2011 or 2012 by the Financial Stability Board (FSB); G-SIBs designated in subsequent annual updates must meet the Principles within three years of their designation.
  • [2] See OCC Heightened Standards for Large Financial Institutions https://www.federalregister.gov/documents/2014/09/11/2014-21224/occ-guidelines-establishing-heightened-standards-for-certain-large-insured-national-banks-insured and OSFI’s Operational Risk Capital Data Management Expectations https://www.osfi-bsif.gc.ca/Eng/fi-if/rg-ro/gdn-ort/gl-ld/Pages/oprsk23-let.aspx.
  • [3] Source: https://www.bis.org/bcbs/publ/d559.pdf