BCBS 239: Risk data aggregation and reporting


Francois van Dyk (PhD, PRM, CHP, FIFM), Department of Finance, Risk Management and Banking, University of South Africa

francoisIn June 2012, the Basel Committee on Banking Supervision (BCBS) (otherwise known as the Basel Committee) published a consultative paper entitled, “Principles for effective risk data aggregation and risk reporting”, that adds yet another regulatory requirement to the already overwhelmed realm of regulation and raises also a number of concerns to those affected. The aim of this writing piece is to provide a brief, high-level overview of the BCBS 239 fundamentals as this topic is currently rather a relevant and debated one.

The Essence of BCBS 239

In short, BCBS 239 defines vigorous requirements in terms of data management, specifically risk (management) data, (from a regulatory perspective). BCBS 239 also greatly focuses on “risk data aggregation”, which is defined as gathering and processing risk data according to the bank’s or financial institution’s risk reporting requirements.

Three major reasons exist for aggregating risk data, and these are also the three high level purposes why risk data would be consolidated by financial institutions:

  • To satisfy the risk regulatory reporting requirements.
  • To assist or support measurement of (portfolio) performance against risk tolerances/appetites.
  • To enable the analysis of a firm’s risk data – sorting/merging/breaking down.

BCBS 239, that is the data aggregation and reporting regulation, requires compliance with 14 principle requirements – and as the regulation is principle based it doesn’t offer many clear metrics to measure the effectiveness of compliance.

Background on BCBS 239

January 2013 saw the release of the final version of “Principles for effective risk data aggregation and risk reporting” by the Basel Committee with the aim of enhancing banks’ ability to identify and manage bank-wide risks.

According to the Basel Committee, the following contributed to the development of BCBS 239 and the principles behind it:1

  • One of the most important lessons learned from the recent global financial crisis was that banks’ information technology and data architectures were inadequate to support the broad management of financial risks.
  • Many banks lacked the ability to aggregate risk exposures and identify concentrations quickly and accurately at the group level, across business lines and between legal entities.
  • Some banks were unable to manage their risks appropriately due to weak risk data aggregation capabilities and risk reporting practices, which had stark consequences to both the banks themselves and the stability of the financial system as a whole.

In response to the above, yet before the development of BCBS 239, the Basel Committee issued supplemental (Basel Accord) Pillar 2 (supervisory review process) guidance2 to improve banks’ ability to identify and manage bank-wide risks – specifically the Basel Committee stressed that a sound risk management system should have appropriate (risk) management information systems at both the business and bank-wide level. Also, the Committee incorporated mentions to data aggregation (as part of its guidance on corporate governance).3

Table 1: Direct quotes from BCBS 239 document1

  • “Improving banks’ ability to aggregate risk data will improve their resolvability.”
  • “A robust data framework will help banks and supervisors anticipate problems ahead. It will also improve the prospects of finding alternative options to restore financial strength and viability when the firm comes under severe stress.”
  • “Many in the banking industry recognise the benefits of improving their risk data aggregation capabilities and are working towards this goal. They see the improvements in terms of strengthening the capability and the status of the risk function to make judgements. This leads to gains in efficiency, reduced probability of losses and enhanced strategic decision making, and ultimately increased profitability.”

Scope & Timeline

Although BCBS 239 is primarily intended for global-systemically important banks (G-SIBs) (and D-SIBs), a number of other parties and/or elements are also encouraged to meet and/or adhere to the principles. Table 2 details the scope of BCBS 239.

Table 2: Scope details1

  • Global-systemically important banks (G-SIBs).
  • National/Domestic supervisory authorities may apply BCBS 239/principles to a wider variety of banks
    [including domestic-systemically important banks (D-SIBs)].
  • Banking groups and on a solo basis.
  • All risk (management) reporting and processes.


Global-systemically important banks (G-SIBs) are expected, by regulators, to meet the requirements by 2016, with the deadline being as early as January 2016 for approximately 30 G-SIBs. D-SIBs must comply three years after their designation as D-SIBs.

In order to ensure banks developed a strategy to meet the principles by 2016, implementation discussions between the G-SIB and national banking supervisors started in early 2013. Moreover, throughout the period spanning 2013 to the present, national banking supervisors have been involved with banks’ senior management in order to agree upon continuous timelines for required improvements. From a supervisory perspective, progress tracking has primarily been done through self-assessment exercises by the G-SIBs – these exercises were done against expectations in early 2013 with the goal of closing significant gaps before 2016. From 2013 onwards, the Basel Committee also kept abreast of G-SIBs’ progress towards compliance with the principles through its Standards Implementation Group (SIG). Figure 1 presents some timeline details; the high-level regulatory requirements through time.

Figure 1: Timeline details


Details: Themes & Requirements (Principles)

Regulatory documents can often be overwhelming and, at times, also difficult to dissect and understand. Although this specific regulatory document is not lengthy, two distinctive manners to dissect the contained information are relevant; the theme and the requirements.


As previously stated, BCBS 239 deals with risk (data) aggregation (from a regulatory perspective), and BCBS 239 talks about risk aggregation using four distinct theme categories as presented in Table 3.

Table 3: Theme categories within BCBS 2394

Theme 1: Accuracy
  • Primarily, this point speaks to reference data – ensure a single reference data point that is associated with multiple positions is aligned to the same entity/object.
Theme 2: Adaptability
  • The ability to source risk information from various systems within an organisation.
  • Also, the risk aggregation platform must be able to consolidate the aggregation.
Theme 3: Completeness
  • Risk data must always be complete (including risk factors) – at any point in time.
Theme 4: Timeliness
  • Real-time market events and their impact on risk exposures must be promptly reflected within the aggregated data.
  • The institution should be able to compute risk valuations and aggregate risk ‘numbers’ in a reasonable time.

Requirements (Categories & Principles)

The BCBS 239 requirements are principle based and are categorised into four categories (or topics) with the fourth being a requirement for local regulators. Also of importance is that as the requirements are principle based this offers few clear metrics to measure compliance (against) in an effective fashion.

Figure 2: The four BCBS 239 principle categories.


1. Overarching governance and infrastructure

A bank should have in place a strong governance framework, risk data architecture and IT infrastructure – these are preconditions to ensure compliance.

  • The management board and senior management have responsibility for data quality.
  • Regardless of organisational limitations (e.g. jurisdictions, business units etc.) the aim is the correctness of risk data.
  • In times of crisis or periods of stress, effective IT support for risk data aggregation and reporting must be available.

2. Risk data aggregation capabilities

Banks should develop and also maintain strong risk data aggregation capabilities to confirm that risk management reports reflect the risks in an unfailing manner.

  • Capacity should be available to produce correct and complete risk data.
  • Timely risk data aggregation must be certain.
  • Where possible, generation of risk data must be automated – as to reduce errors.
  • Risk data aggregation should be flexible, scalable and adaptable.

3. Risk reporting practices

In terms of content, risk reports should be accurate, clear and complete. These reports should also be presented to the appropriate decision makers in reasonable time.

  • All (material) risk areas must be integrated.
  • Risk reports must be easily understandable.
  • Timely preparation and dissemination of risk reports must be guaranteed.

4. Supervisory review, tools and cooperation (this principle is for local regulators).

Supervisors have the responsibility to determine whether the principles achieve the desired objectives.

  • Supervisory authorities must assess and monitor compliance.
  • Supervisory authorities should use the correct tools for assessment or reviews and for sanctions.
  • Cooperation of supervisory authorities should also take place across borders.

Figure 3 provides a summarised view of which principles are contained within each of the four categories.

Figure 3: Categories & principles


BCBS 239 Objectives

Although BCBS 239 was developed with several objectives in mind, the general objective of BCBS 239 (the set of principles) is clearly communicated: “to strengthen banks’ risk data aggregation capabilities and internal risk reporting practices … to enhance risk management and decision making processes.“1

These principles will undoubtedly have an impact on other areas within the wider context of risk management taken from the group level or perspective, the balance sheet and risk-weighted assets (RWA) for example. In addition, the principles also apply to internal risk and regulatory capital models.

Implementation is, however, expected to enhance both risk management and decision making processes while compliance with the principles is expected to support the following objectives:

Table 4: BCBS 239 objectives1

Objectives Description of objectives
Infrastructure (for risk reporting) Enhance the infrastructure for reporting key information, particularly that used by the board and senior management to identify, monitor and manage risks.
Decision making (processes) Improve the decision making process throughout the organisation.
Alignment of legal entity & group information Enhance the management of information across legal entities, while facilitating a comprehensive assessment of risk exposures at the global consolidated level.
Timeliness Improve the speed at which information is available and hence decisions can be made.
Strategic planning Improve the organisation’s quality of strategic planning and the ability to manage the risk associated with new products and services.
Reduce (impact of) losses Reduce the probability and severity of losses resulting from risk management weaknesses.


The Basel Committee states that effective implementation of the BCBS 239 principles should increase the value of the bank, while the Committee also believes that the long-term benefits of improved risk data aggregation capabilities and risk reporting practices will outweigh the investment costs incurred by banks.

In terms of bank supervisors, the BCBS 239 principles document states that the principles will complement other efforts to improve the intensity and effectiveness of bank supervision. Table 5 presents a selection of additional important information concerning BCBS 239.

Table 5: Important additional notes5

  • BCBS 239 does not only apply to global-systemically important banks (G-SIBs) – it is encouraged that national supervisors apply BCBS 239 to D-SIBs.
  • BCBS 239 principles do not only apply to market, credit and counterparty risk, but also to all key internal risk models.
  • BCBS 239 principles are not limited to internal processes or internal systems, as principles are also applicable to outsourced processes and service level agreements and standards.
  • Independent validation of BCBS 239 principles or compliance is required (using individuals with relevant IT, data and reporting expertise – thus reliance on internal IT audit is not permitted/sufficient).
  • In addition to aggregation and reporting, BCBS 239 also considers data confidentiality, integrity and availability (as part of the risk management framework).


“Creating an enterprise-wide analytical platform not only facilitates BCBS 239 compliance, it also helps to align risk and finance in a way that yields unprecedented visibility and actionable insight – a powerful foundation for improved performance.”*

The BCBS 239 paper goes into extensive detail on each of the principles while BCBS 239’s challenge surely lies within its immense scope. Because of the latter there will be no quick short-cut to compliance, although the benefits from adopting these principles go far beyond regulatory compliance. The 14 principles present an important and invaluable opportunity to banks to improve their risk management data along with the processes that accompany and govern it. Besides the clear and direct benefit to operational risk under AMA, BCBS 239 will undoubtedly also have substantial benefits to enterprise risk management and quite possibly the much needed further enhancement of this discipline to a more refined state. The BCBS 239 principles will also create much needed alignment between risk and finance, and thereby potentially showcasing the value and importance that risk management brings to the banking organisation in a more (coherently) powerful and vibrant light.


Table A: Important (and official) terms for BCBS 2391

Accuracy Closeness of agreement between a measurement or record or representation and the value to be measured, recorded or represented. This definition applies to both risk data aggregation and risk reports.
Adaptability The ability of risk data aggregation capabilities to change (or be changed) in response to changed circumstances (internal or external).
Completeness Availability of relevant risk data aggregated across all firm’s constituent units (e.g. legal entities, business lines, jurisdictions, etc.).
Timeliness The process by which the correctness (or not) of inputs, processing, and outputs is defined and quantified.

[1] BCBS. 2003. Principles for effective risk data aggregation and risk reporting. Basel, BIS.
[2] BCBS. 2009. Enhancements to the Basel II framework. Basel, BIS.
[3] BCBS. 2010. Principles for enhancing corporate governance. Basel, BIS.
[4] RiskFocus. 2014. What is risk Aggregation? (Implementing BCBS 239 Requirements).
[5] Costly, J. 2014. 8 Things you probably don’t know about BCBS 239. WallStreet & Technology.
* Oracle. 2014. BCBS239: Take action to ensure compliance and deliver a competitive advantage. White paper, June.