Are banks taking full advantage of their BCBS239 opportunity?

In this article, we take a closer look at the key trends and identify success factors for banks to navigate BCBS239 from 2023 onward.

In brief:

• Since its publication in 2013, banks have faced ongoing challenges around the adoption of the BCBS239 Principles for effective risk data aggregation and risk reporting.
• Several external and internal factors, including technological developments and the evolving role of the CDO, have changed the environment banks are operating in.
• We identify five key areas banks must focus to sustain BCBS239 compliance and build the foundation for treating data as a strategic asset.

Since its publication a decade ago, BCBS239 has significantly influenced the banking sector. Initially centered on identifying and managing financial risks, the scope has progressively expanded to encompass non-financial risks, supervisory and statistical reporting, as well as other domains, including finance and ESG. Given that a robust data foundation is crucial for managing a future-proof bank, one could take the view that the Principles should be viewed as a guiding compass throughout the whole organization. The BCBS239 principles are divided into four key categories:

• Overarching governance and infrastructure
  Banks should have a strong governance framework, sufficient board and senior management involvement, and a solid data foundation which fully supports risk data aggregation and reporting practices.
• Risk data aggregation capabilities
  Strong risk data aggregation capabilities should ensure complete, accurate and reliable risk data in a timely manner in all business scenarios across the banking group.
• Risk Reporting practices
  Ensuring the right information is presented to the right people at the right time. The reports should be accurate, clear, concise, useful and complete for decision making.
• Supervisory review & measures
  This category allows for supervisors to monitor, review and enforce compliance with the Principles. In 2023 we see a clear trend in increased on-site inspection activity by the ECB and resulting remedial actions required by banks.

BCBS239 has become an integral part of the banking landscape, shaping the way banks approach their risk management, data management, and reporting practices. While not having the enforceability of a formal regulation across all jurisdictions, it is commonly acknowledged and referenced to by both regulators and banks.
Despite notable improvements in the implementation of the Principles in recent years, it is worth noting that banks with adequate risk data aggregation and reporting capabilities are still the exception and full adherence to the BCBS239 Principles has yet to be achieved. This is primarily because BCBS239 compliance is not a one-time accomplishment, but rather an ongoing program that requires continuous effort. This continuous effort stems from the ever-changing internal and external environment that banks operate in. Factors such as technology advances, the rise of data-driven banking and supervision, new regulations, and evolving risk landscapes demand constant adjustments and fine-tuning.

Trends since the initial publication

1. Data becoming a strategic asset

One of the key developments since the introduction of BCBS239 within banking is the growing opportunity to recognise data as a strategic asset.
Traditionally, data has been viewed as a byproduct of business operations, generated as a result of transactions or other business processes. By treating data as a strategic asset, banks recognize that data is a valuable resource that can drive business value. This means that data requires investment, management, and protection, just like any other asset. Banks are allocating significant resources to data management initiatives, including operationalizing data governance frameworks, acquiring of new technologies, spinning up innovation cycles and training & hiring of skilled personnel. It also led to an increase in senior management buy-in to data related initiatives, putting it on the board’s agenda.

Opportunities: Data as a strategic asset clearly aligns with BCBS239 and solid data management practices. This also supports banks in becoming more data literate and embedding the right mindset, positively impacting progress of BCBS239 compliancy.

Challenges: Taking a more offensive, business value driven approach to data can prove difficult when the organization struggles to move beyond viewing data as a mere compliance issue.

2. Evolving role of the CDO

While BCBS239 was one of the driving forces behind banks appointing a CDO, the role of the CDO in leading banks has evolved to become more focused on driving business value. CDOs are increasingly being tasked with identifying new revenue streams and business opportunities using data analytics. For instance, a CDO may work with the marketing team to identify new customer segments or develop new products and services based on customer behavior data.
To fully realize the benefits of treating data as an asset, successful firms adopt a strategic approach to their data initiatives which is aligned with business objectives and key priorities. This also means balancing defensive and offensive use-cases in an agile way.
The governance and organization of the data domain is also evolving. While many organizations recognize the need for a (partially) decentralized data organization, some have come to the conclusion that a centralized setup is needed as intermediary step. Centralization enables the organization to fix the most pressing issues such as governance, building a solid data foundation and growing a data culture. As organizations mature and capabilities are acquired, some organizations find that data mesh architectures and hub-spoke organizational setups are better suited to balance governance with innovation and agility.

Opportunities: Dedicated CDOs and data offices have been appointed to streamline data initiatives and help institutions become more data-driven.

Challenges: Effective collaboration between the CDO office and other departments proves to be challenging, especially in cases of unclear roles & responsibilities. This requires clarity on the mandate of the CDO within the organization. Is the CDO responsible only for data governance & management, or for data & analytics products and initiatives in a broader context?

3. Technology advances

Since the publication of BCBS239, there have been significant technological developments that have enabled banks to become more data driven. These have pushed many banks to embark on ambitious multi-year digital transformation projects, phasing out legacy systems, digitizing core operations and introducing state-of-the-art scalable data platforms. This in turn has provided opportunities to take a more innovative approach to BCBS239 compliance, as compliancy is often impeded by a host of legacy system limitations.

Cloud technologies have allowed firms to store and process vast amounts of data in a secure and scalable way, while best-of-breed data management solutions have emerged which provide a harmonized approach to data governance, data quality, and lineage.

Hyper-automation, machine learning techniques and artificial intelligence are increasingly used to automate processes, increase efficiency and reduce errors. These technologies help banks to analyze large volumes of data quickly, identifying patterns and extracting value that would be difficult or impossible for humans to do.

Finally, the increased use of streaming data strengthens the capability to provide real-time insights on key risk indicators. Together with agile data modeling techniques, (near) real-time risk data aggregation can become a reality. Recent events in liquidity risk management show the added benefit of these technologies as banks embark on their digital transformation journeys.

Opportunities: By leveraging these technology advances, firms can improve their data management capabilities, supporting BCBS239 compliance while unlocking the full potential of their data.

Challenges: With the advent of new technologies comes the phasing out legacy systems, related architectures and ways of working upon much of the current processes are dependent. This consumes significant resources within the organization and slows down progress made.

4. Expanding scope

Since its initial publication, the scope of application for the BCBS239 principles has steadily expanded beyond internal risk management reporting to include external regulatory reporting and other data domains such as finance. Furthermore, there has been a notable shift towards expanding system scope to include both upstream and downstream systems (see figure above). Looking ahead, we expect this expansion to continue to encompass almost the entire data landscape, as well as additional non-standard data sets, such as ESG and climate risk data.

This increased system scope is reflective of a growing focus on operational resilience amongst CROs and regulatory bodies alike. According to a recent EY survey, 76% of CROs expect operational resilience to be a higher priority over the next three years. This trend is also reflected in the publication of the BCBS Principles of Operational Resilience in 2021 and the recent adoption of the Digital Operational Resilience Act (DORA) in the EU.

DORA will require companies to prioritize a Digital Resilience Strategy and Framework and take an end-to-end view of the entire ICT landscape supporting critical business functions. It also demands a mature approach to business continuity, incident management, and third-party risk. Going forward, we anticipate that regulators will take a holistic view of both BCBS239 principles and operational resilience frameworks during on-site inspections.

Opportunities: The expanding scope of BCBS239 provides an opportunity to take a holistic view of your data landscape, reduce costs through platform / system rationalization and increase revenues due to (for example) better customer data.

Challenges: Expanding the scope beyond risk data and risk systems can lead to increased complexity and the need to invest additional resources.

5. Data-driven supervision

Regulators are increasingly leveraging technology and data & analytics to monitor and supervise the financial sector. This will enable regulatory bodies to identify potential risks and issues early on, strengthening the financial system. For example, supervisors are moving towards granular data driven reporting through initiatives such as IReF, requesting more granular and ad-hoc reports during times of stress (e.g. COVID-19 reporting), and placing more emphasis on a banks’ ability to provide (risk) metrics in a timely and governed fashion during on-site inspections.

As of late 2022, we observed increased ECB on-site inspections focusing on BCBS239 among our clients. Expectations have risen significantly in the Eurozone, though not uniformly across all jurisdictions, with examples including:

• Significant involvement of board members and senior management, from setting expectations & requirements, to monitoring progress via measurable KPI’s and making available sufficient change capacity.
• Significant second line (i.e. independent validation) and third line involvement on progress monitoring & reviewing compliance.
  Automation considered the norm and end-user-computing (EUC) is further scrutinized. While some proportionality applies, this is subject to strict EUC policy expectations.
• Timeliness, adaptability and accuracy in times of stress, with timeliness-stress-tests performed during on-site inspections which test a banks’ ad-hoc capabilities.
• High standards surrounding (process) documentation, related controls, data lineage, metadata management (e.g. data definitions) and the data quality management lifecycle.
• Beyond-risk mindset, with the expectation of the regulator that BCBS239 is applied broadly across the organization in a comprehensive manner, both in terms of processes and domains.

Opportunities: Data-driven supervision and the increased expectations prove to be an accelerator for BCBS239 compliance within banks. Banks can use this momentum to further align data management policies and standards across the value chains.

Challenges: Most banks have defined multi-year IT and data & analytics roadmaps and have allocated resources and budget to these initiatives. Increased regulatory expectations and remedial actions may require banks to revisit existing roadmaps, apply additional focus on most pressing issues or make (partial) investments in legacy architectures and infrastructure.

A special thanks to the following authors who have contributed to this article: Fredrik Gyllenswärd, Stuart Wallace, Billy FitzGerald and Caitlin A Williamson.