A Decade of BCBS239 – and We’re Not Done Yet

It has been a decade since the Basel Committee on Banking Supervision issued standard number 239 (BCBS239), entitled "Principles for Effective Risk Data Aggregation and Risk Reporting" (RDARR or RDAR). BCBS239 was born out of the 2008 financial crisis, which illuminated our collective struggle with aggregating risk exposure and identifying risk concentration across products, customer segments, lines of business, and legal entities in a timely fashion. This timing issue is significant, as sound decision-making hinges on having accurate and current information. BCBS239 was created to guide banks toward better risk management through sound data practices.

Global Systemically Important Banks (G-SIBs) and Domestic Systemically Important Banks (D-SIBs) were given a three-year grace period in which to implement their RDAR practices. The thirty-six month clock started when BCBS239 was published, or from the point after that at which a bank was designated as either a G-SIB or a D-SIB. So, let’s call it seven years since RDAR has been a requirement for these large financial institutions.

Assuming RDAR is done well, the net effect is enhanced risk management and decision-making processes at the banks who implement the fourteen principles of BCBS239. Given how intuitive the principles are individually and collectively, I believe it is helping.

However, study after study coming from the European Central Bank (ECB) and the Bank for International Settlements (BIS) shows that few G-SIBs and D-SIBs are done with their RDAR efforts. Stateside, the Fed and OCC increasingly look at data soundness as well. We have seen an increase in consent orders and MRAs citing data deficiencies over the past several years, as explored in this whitepaper.

Through the Supervisory Review and Evaluation Process (SREP), European bank supervisors assess the risks banks face and check that banks are equipped to manage those risks properly. Here is a sampling of findings:

• May 2018: The ECB Report on the Thematic Review on Effective Risk Data Aggregation and Risk Reporting[1] reviewed 25 significant banks. It found, “…the implementation status of the BCBS239 principles within the sample of significant institutions is unsatisfactory… thus far, none of those significant institutions… have fully implemented the BCBS239 principles.” It also highlighted that “several credit institutions’ implementation schedules are set to run until the end of 2019 or beyond.”
  
  Remember – everyone was supposed to be compliant by January 1, 2016.
  
  
• June 2018: BIS reported, “Banks have found it challenging to comply with the Principles, due mainly to the complexity and interdependence of IT improvement projects. As a result, the expected date of compliance has slipped back for many banks… Even though the implementation deadline of 1 January 2016 has passed, only three G-SIBs have been assessed by their supervisors as achieving full compliance with all Principles.”[2]
  
  At this point it is becoming apparent that the impact of IT investment timelines was not fully appreciated when the BCBS239 deadlines were established, and that more time is necessary.
  
  
• April 2020: Two years later, BIS wrote, “As of the end of 2018, none of the banks are fully compliant with the BCBS 239 principles, as attaining the necessary data architecture and IT infrastructure remains a challenge for many. In general, banks require more time to ensure that the Principles are effectively implemented.”[3]
  
  Note that whereas in 2018 3 G-SIBs were considered in compliance, this assessment had changed by 2020. IT infrastructure modernization is the most common source of delays in BCBS239 compliance. This is not surprising, given how many of the G-SIBs and D-SIBs have completed acquisitions over the past decades, introducing duplicate and legacy IT systems.
  
  
• February 2022: “The SREP 2021 findings on internal governance … [include] fragmented and non-harmonised IT landscapes, with negative consequences for data aggregation and reporting, whereby slow progress with the remediation programmes … is continuing to hamper banks’ ability to swiftly produce accurate non‑standardised ad hoc reports.” [4] It continues, “Weaknesses in the functioning of management bodies often lead to shortcomings in internal control functions and risk data aggregation and reporting capabilities.”
  
  IT infrastructure is again cited, with an additional call-out of management structures that may be inadvertently slowing progress toward BCBS239 compliance.
  
  
• February 2023: Regarding the 2022 SREP cycle[5]: “RDAR represented 9%[6] of the qualitative measures relating to internal governance and risk management.” The SREP further observes, “The number of measures addressing risk data aggregation and reporting remained somewhat limited in 2022, despite this being the worst rated subcategory of internal governance.”
  
  Ten years later, RDAR continues to be a challenge for the banks who must adhere to BCBS239.

We understand completely. It requires a tremendous amount of work to migrate entire suites of risk reporting away from manual solutions, while simultaneously shoring up your IT and data environments. You’re likely also managing your DFAST and CCAR requirements, both of which benefit from a stronger data ecosystem. Your technology team may also be working on a strategic cloud migration, as many banks have chosen to do. You have a lot going on with intertwining initiatives in the risk reporting space.

RDAR will not drive direct bottom line benefits, but resources and funding need to be dedicated to this effort … if not by January 2016, then as soon as we can get it done now. Let Spinnaker help you.

Our biggest strengths are contributing with expertise and rolling up our sleeves to deliver real results. In conjunction with its RDAR program, Spinnaker helped a Top 30 bank automate its risk reporting in Tableau, while reducing its need to backfill open staff positions. The client team did not have the data expertise or Tableau skillset in house, allowing Spinnaker to help them meet their imposed regulatory deadlines for sunsetting spreadsheets and other manual solutions. Spinnaker brought the client team along on the learning journey, teaching them how to manage the reporting so they could stand on their own after the engagement concluded.

When you engage Spinnaker, you will experience:

• Tangible, measurable results in the form of automated risk reporting in your platform of choice (Tableau, PowerBI, etc.)
• Better insights into your own data structure and what risks/advantages it holds for your risk organization
• Tight partnership to ensure your team has everything it needs to succeed after we depart, and enjoys the process along the way

Contact me today for an exploratory conversation on how we can help modernize your risk reporting, or review our recent case study on how we helped another client do exactly this.

[1]Report on the Thematic Review on effective risk data aggregation and risk reporting (PDF). p. 1 and 22. Retrieved March 6, 2023

[2] https://www.bis.org/bcbs/publ/d443.pdf, Retrieved March 6, 2023

[3] https://www.bis.org/bcbs/publ/d501.pdf Retrieved March 6, 2023

[4] https://www.bankingsupervision.europa.eu/banking/srep/2022/html/ssm.srepaggregateresults2022.en.html Accessed March 6, 2023

[5] https://www.bankingsupervision.europa.eu/banking/srep/2023/html/ssm.srep202302_aggregateresults2023.en.html, Accessed March 6, 2023

[6] Down from 13% the prior year