BCBS 239


BCBS 239 is the Basel Committee's guiding principles for enterprise risk data aggregation and risk reporting. It is intended to set a global best practice benchmark for how banks manage and report risk. BCBS 239 has broad implications for banks that impact their target operating models, especially the convergence of finance, risk and treasury, to agree on streamlined firm-wide policies across silos, processes and technology for risk management, controls, audits, risk data aggregation, accuracy, traceability and regulatory reporting. BCBS 239 requires that banks continue to quantify and report their risk-weighted assets and risk exposure by asset and by product, including calculating enhanced capital, liquidity and leverage ratios. Doing so requires improving operational processes that cut across multiple business units, corporate silos, front to back. Additionally, regulators require transparency and are asking banks to authenticate enterprise risk data through data ownership and tightly controlled data-management processes. This requires tracing transaction and master data back to its original source through all intermediate processes and calculations. The Financial Stability Board and Basel Committee expect the 30 global systemically important banks to comply with the principles by January 1, 2016.


o A bank's risk data aggregation capabilities and risk reporting practices should be subject to strong governance consistent with other principles and guidance established by the Basel Committee.


o A bank should design, build and maintain data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis, while still meeting the other principles.


Accuracy and Integrity

o A bank should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis so as to minimize the probability of errors.


o A bank should be able to capture and aggregate all material risk data across the banking group. Data should be available by business line, legal entity, asset type, industry, region and other groupings that permit identifying and reporting risk exposures, concentrations and emerging risks.


o A bank should be able to generate aggregate and up to date risk data in a timely manner while also meeting the principles relating to accuracy and integrity, completeness and adaptability. This timeliness should meet bank-established frequency requirements for normal and stress/crisis risk management reporting.


o A bank should be able to generate aggregate risk data to meet a broad range of on-demand, adhoc risk management reporting requests, including requests during crisis situations, requests due to changing internal needs and requests to meet supervisory queries.



o Risk management reports should accurately and precisely convey aggregated risk data and reflect risk in an exact manner. Reports should be reconciled and validated.


o Risk management reports should cover all material risk areas within the organization. The depth and scope of these reports should be consistent with the size and complexity of the bank's operations and risk profile, as well as the requirements of the recipients.


o Risk management reports should communicate information in a clear and concise manner. Reports should be easy to understand yet comprehensive enough to facilitate informed decision-making. Reports should include an appropriate balance between risk data, analysis and interpretation, and qualitative explanations.


o The board and senior management (or other recipients as appropriate) should set the frequency of risk management report production and distribution. Frequency requirements should reflect the needs of the recipients, the nature of the risk reported, and the speed at which the risk can change, as well as the importance of reports in contributing to sound risk management and effective/efficient decision-making across the bank. The frequency of reports should be increased during times of crisis.


o Risk management reports should be distributed to the relevant parties and includes meaningful information tailored to the needs of the recipients, while ensuring confidentiality is maintained.