Implementation of the Principles for effective risk data aggregation and risk reporting (BCBS 239 Principles)

Key takeaways on current issues and challenges

• Accurate, comprehensive and timely data aggregation and reporting capabilities are critical for identifying and managing material risks that could result in financial losses, impacting the safety and soundness of financial institutions.

• The BCBS 239 principles provide a strong framework for bank data and risk management practices, initially targeting systemically important banks (SIBs) and applicable both at the banking group level and on a subsidiary level. Some banks have chosen to include risk data aggregation (RDA) in broader enterprise-wide data governance frameworks to support their various initiatives related to data governance and management.

• The Basel Committee remains committed to fostering dialogue between supervisors and the industry to address ongoing challenges and advance the effective implementation of BCBS 239. 

• Recent industry outreach sessions included information-sharing on current issues and challenges related to banks' data management and risk management practices, including: (i) the continuous need for banks to adapt to evolving business environments, technological advancements and changes in the risk landscape; (ii) governance of RDA activities; (iii) data lineage; (iv) cross-border issues; and (v) RDA implications from leveraging emerging technology and compensating controls.

Adapting to a changing operating environment

Since its publication in 2013, BCBS 239 has become a foundational framework for data management and risk management practices in the banking sector. While its principles still apply, its implementation has evolved over the years, reflecting changes in the business, technology and risk landscape.

For instance, changes in the business environment, such as mergers and acquisitions or the introduction of new products, often involve adjustments to risk data aggregation and reporting practices. At the same time, technological advancements offer new opportunities but also introduce additional complexity and dimensions of risk.

Despite progress, meeting the intended outcomes of the Principles remains a continuous effort due to the complexity of implementation and advancements in broader operational and business transformations.

To ensure that practices remain current and appropriate, some banks find it helpful to conduct periodic assessments of in-scope data to observe alignment with the principles. Supervisors, in turn, often evaluate practices across institutions and incorporate feedback from supervised institutions to track progress, identify common themes or challenges and provide clarity about supervisory assessment.

Governance and data

Bank boards have the responsibility for broad oversight of RDA activities within their banks. This includes gaining assurance from management that processes are sound and ensuring that board members receive appropriate information on RDA. Boards must also remain aware of significant problems or shortcomings that could result in material risks that could lead to financial losses, potentially impacting the safety and soundness of the bank. Management, on the other hand, has the responsibility for day-to-day RDA activities and for keeping the board informed of key developments.

Outreach participants highlighted that a strong data-driven culture and active involvement of senior management are beneficial for overcoming implementation barriers and preserving bank capabilities. While BCBS 239 has elevated data governance to the board level, a data-driven culture within some organisations remains a work in progress. Resistance to change, fragmented responsibilities and insufficient attention from senior management continue to hinder progress at certain banks.

Some banks have applied the principles from BCBS 239 to include broader enterprise-wide data governance frameworks. This evolution reflects the growing recognition of data as a strategic asset that supports regulatory reporting, finance, analytics as well as business activities and can differ depending on a financial institution's size, complexity and risk profile. While this broader application can increase complexity and may involve additional investments in governance, technology and personnel,  it may offer opportunities to rationalise systems, remove silos, reduce costs and improve data quality across domains.

Sustained board-level buy-in, alignment with business and risk objectives, clear governance frameworks, and investments in data literacy (the ability to interpret and use data to inform decisions) were emphasised by industry participants as important contributors to effective governance and, in turn, enhanced data aggregation capabilities. These elements can deliver broader organisational benefits, such as enhanced data quality and operational efficiency.

Addressing data challenges

Data lineage, or the traceability of data from its origin to its final use, is important for confirming data quality. This remains a challenging component of BCBS 239 for banks. Legacy systems, distributed data estates and the dynamic nature of data lineage complicate banks' efforts to confirm end-to-end data traceability. Finding appropriate vendor solutions and the resource-intensive nature of identifying and maintaining data lineage can further hinder progress. However, demonstrating the business benefits of data lineage, such as cost reduction and improved efficiency, can help secure investment in automated tools.

The ability to produce timely, accurate and complete ad-hoc reports remains a significant hurdle for some banks, particularly during crises or in response to regulatory requests in light of an emerging risk. Balancing manual and automated processes across fragmented data estates is resource-intensive but contributes to effective risk data aggregation. Conducting ad hoc reports during good times to test risk data aggregation capabilities can help banks prepare for distributing such reports during times of stress, when access to this information is crucial to decision-making.

Cross-border implementation

Internationally active banks face particular challenges in aligning data management practices across subsidiaries and local affiliates in various countries. Banks with more complex structures, including various subsidiaries or international operations, may face particular challenges associated with aggregating data at the individual entity level and then up to the consolidated parent. Decentralised IT or other systems that could hamper RDA may also present hurdles. 

Industry participants have highlighted the complexity of aligning with principles, expectations and in some cases requirements in different jurisdictions. In response, banks may choose to establish standardised group-level practices that address circumstances in various jurisdictions, applying them consistently across affiliates.

Leveraging emerging technologies and compensating controls

Emerging technologies, such as artificial intelligence (AI) and advanced automation, hold promise for improving risk data aggregation capabilities. However, their adoption is still in the early stages. As the quality of AI-driven outputs depends on high-quality data, robust data management becomes more important for effective implementation.

Banks may benefit from carefully considering whether to apply compensating controls to address identified issues in their risk aggregation practices. These controls can take several different forms and function best when they are risk-based – the general principle being to apply more caution and care to risk data output when there are known shortcomings in data aggregation processes. 

The Basel Committee remains committed to fostering continual dialogue between supervisors and the industry to address ongoing challenges and advance the effective implementation of BCBS 239.