BCBS 239 is the Basel Committee on Banking Supervision's standard number 239. The subject title of the standard is: "Principles for effective risk data aggregation and risk reporting". The overall objective of the standard is to strengthen banks’ risk data aggregation capabilities and internal risk reporting practices, in turn, enhancing the risk management and decision making processes at banks.
The standard was published in January 2013 and applies from 1st January 2016 for Global Systemically Important Banks (G-SIBs) who were defined as such no later than November 2012, otherwise three years after their designation as G-SIBs. The standard also recommends that national supervisors apply it to Domestic Systemically Important Banks (D-SIBs) three years after their designation as such.
Structure of standard
The standard consists of five sections, four of which subsume fourteen principles:
I. Overarching governance and infrastructure
   1. Governance
   2. Data architecture and IT infrastructure
II. Risk data aggregation capabilities
   3. Accuracy and integrity
   4. Completeness
   5. Timeliness
   6. Adaptability
III. Risk reporting practices
   7. Accuracy
   8. Comprehensiveness
   9. Clarity and usefulness
   10. Frequency
   11. Distribution
IV. Supervisory review, tools and cooperation
   12. Review
   13. Remedial actions and supervisory measures
   14. Home/host cooperation
V. Implementation timeline and transitional arrangements
The principles of the standard are, in turn, broken down into more detailed paragraphs. It should, however, be noted that even at the lowest level it is a principle-based standard with few clear and defined metrics which can be used to monitor compliance.
A brief description of the 14 basic principles is given below.
Principle 1 Governance – A bank’s risk data aggregation capabilities and risk reporting practices should be subject to strong governance arrangements consistent with other principles and guidance established by the Basel Committee.
Principle 2 Data architecture and IT infrastructure – A bank should design, build and maintain data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis, while still meeting the other Principles.
Principle 3 Accuracy and Integrity – A bank should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis so as to minimise the probability of errors. A high-level explanation for each principle can be found in Annex 2 of the legislation.
Principle 4 Completeness – A bank should be able to capture and aggregate all material risk data across the banking group. Data should be available by business line, legal entity, asset type, industry, region and other groupings, as relevant for the risk in question, that permit identifying and reporting risk exposures, concentrations and emerging risks.
Principle 5 Timeliness – A bank should be able to generate aggregate and up-to-date risk data in a timely manner while also meeting the principles relating to accuracy and integrity, completeness and adaptability. The precise timing will depend upon the nature and potential volatility of the risk being measured as well as its criticality to the overall risk profile of the bank. The precise timing will also depend on the bank-specific frequency requirements for risk management reporting, under both normal and stress/crisis situations, set based on the characteristics and overall risk profile of the bank.
Principle 6 Adaptability – A bank should be able to generate aggregate risk data to meet a broad range of on-demand, ad hoc risk management reporting requests, including requests during stress/crisis situations, requests due to changing internal needs and requests to meet supervisory queries.
Principle 7 Accuracy - Risk management reports should accurately and precisely convey aggregated risk data and reflect risk in an exact manner. Reports should be reconciled and validated.
Principle 8 Comprehensiveness - Risk management reports should cover all material risk areas within the organisation. The depth and scope of these reports should be consistent with the size and complexity of the bank’s operations and risk profile, as well as the requirements of the recipients.
Principle 9 Clarity and usefulness - Risk management reports should communicate information in a clear and concise manner. Reports should be easy to understand yet comprehensive enough to facilitate informed decision-making. Reports should include an appropriate balance between risk data, analysis and interpretation, and qualitative explanations. Reports should include meaningful information tailored to the needs of the recipients.
Principle 10 Frequency - The board and senior management (or other recipients as appropriate) should set the frequency of risk management report production and distribution. Frequency requirements should reflect the needs of the recipients, the nature of the risk reported, and the speed at which the risk can change, as well as the importance of reports in contributing to sound risk management and effective and efficient decision-making across the bank. The frequency of reports should be increased during times of stress/crisis.
Principle 11 Distribution - Risk management reports should be distributed to the relevant parties while ensuring confidentiality is maintained.
Principle 12 Review - Supervisors should periodically review and evaluate a bank’s compliance with the eleven Principles above.
Principle 13 Remedial actions and supervisory measures - Supervisors should have and use the appropriate tools and resources to require effective and timely remedial action by a bank to address deficiencies in its risk data aggregation capabilities and risk reporting practices. Supervisors should have the ability to use a range of tools, including Pillar 2.
Principle 14 Home/host cooperation - Supervisors should cooperate with relevant supervisors in other jurisdictions regarding the supervision and review of the Principles, and the implementation of any remedial action if necessary.
The standard was to apply from 1st January 2016 for G-SIBs who were defined as such no later than November 2012.
However, a Report on the Thematic Review on effective risk data aggregation and risk reporting, published in May 2018 by the European Central Bank, notes that "Thus far, none of those significant institutions – some of which are classified as global systemically important banks – have fully implemented the BCBS 239 principles", adding that "Weaknesses stem mainly from a lack of clarity regarding responsibility and accountability for data quality". The report concludes, amongst other points, that "Full implementation of the BCBS principles will probably not be achieved any time soon, as several credit institutions’ implementation schedules are set to run until the end of 2019 or beyond."