Why BCBS 239 matters to everybody – not just Financial Services
In my role as Product Manager in the compliance space, I am very fortunate to have a number of colleagues in different disciplines with whom I regularly have ‘water cooler’ conversations (or, more often, conversations on the comfy chairs in the coffee break-out area, as I am a sucker for good coffee). One such person I regularly touch base with is data governance expert Malcom Chisolm. Malcom is well known as an independent consultant with over 25 years of experience in data-related disciplines, and has worked in a variety of sectors including finance, manufacturing, government, pharmaceuticals and telecoms. He asked me a simple question: “What are you doing around BCBS 239?”
I must admit my first answer was: not a lot, still immersed in FATCA, 4EU and KYC. His immediate response: “this has the potential to be way bigger”. It did not take much research to see what Malcom meant. As Ajit Tripathi of Accenture stated earlier this year, “The principles laid out in BCBS 239 set a high standard for risk data aggregation and reporting as well as a rather challenging timeline for implementation. At a minimum, BCBS 239 raises the standard for risk data quality to the level of the prevailing standard for P&L data quality”.
What is BCBS 239?
In January 2013, the Basel Committee released a document entitled “Principles for effective risk data aggregation and risk reporting”. BCBS 239 contains 14 principles about data governance. Here are just a few:
1. Governance – A bank’s risk data aggregation capabilities and risk reporting practices should be subject to strong governance arrangements consistent with other principles and guidance established by the Basel Committee.
2. Accuracy and Integrity – A bank should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis so as to minimise the probability of errors.
3. Completeness – A bank should be able to capture and aggregate all material risk data across the banking group. Data should be available by business line, legal entity, asset type, industry, region and other groupings, as relevant for the risk in question, that permit identifying and reporting risk exposures, concentrations and emerging risks.
4. Timeliness – A bank should be able to generate aggregate and up-to-date risk data in a timely manner while also meeting the principles relating to accuracy and integrity, completeness and adaptability. The precise timing will depend upon the nature and potential volatility of the risk being measured as well as its criticality to the overall risk profile of the bank. The precise timing will also depend on the bank-specific frequency requirements for risk management reporting, under both normal and stress/crisis situations, set based on the characteristics and overall risk profile of the bank.
5. Accuracy – Risk management reports should accurately and precisely convey aggregated risk data and reflect risk in an exact manner. Reports should be reconciled and validated.
6. Comprehensiveness – Risk management reports should cover all material risk areas within the organisation. The depth and scope of these reports should be consistent with the size and complexity of the bank’s operations and risk profile, as well as the requirements of the recipients.
7. Distribution – Risk management reports should be distributed to the relevant parties while ensuring confidentiality is maintained.
As is always the case, Malcom sees the bigger picture. The significance, he commented, is that “principles for risk data can just as easily work for master data, or marketing data, or any other class of data”. Could and should these principles be adopted in many industries to support the multitude of needs that are put on data in an organisation today?
Perhaps data governance is the answer to support tricky issues, in particular around the mitigation of brand and reputational risk.