The Basel Committee on Banking Supervision (BCBS) released its risk data aggregation and risk reporting principles in the aftermath of the GFC. In the heat of the crisis, it became clear that global banks had inadequate information management capabilities as banks struggled to accurately measure and report their global consolidated risk exposures to troubled entities. This, coupled with the frustration of central banks stemming from repeated re-submissions and corrections of regulatory reports by the banks; led to the committee’s release of BCBS 239, a principles-based approach to effective risk data aggregation and risk reporting.
APRA has acknowledged that data management capabilities are a critical input into the setting and monitoring of risk appetites for banks, and the use of more advanced analytics are increasingly used to drive risk decisions. And - while BCBS 239 is not a formal requirement for the regulated industry in Australia - APRA has completed an assessment of risk data aggregation capabilities and internal risk reporting practices in 2018 for the largest ADIs, using the BCBS 239 principles as a benchmark. As a result of this assessment, APRA required these ADIs to initiate a comprehensive program to address shortcomings in data management. APRA has also indicated it will commence the development of a cross-industry standard on data management to improve the quality of risk data aggregation and reporting, as timely and accurate data is critical to identifying and managing emerging risks.
In this post, we are covering the BCBS 239 principles and why it is important for Australian financial services organisations to implement the principles of data aggregation and reporting. But first, a brief overview of the overlaps and areas of difference between BCBS-239 and prudential guidelines introduced by APRA on data risk management, CPG-235.
BCBS 239 and CPG 235 – Drawing Parallels and Differences
In 2013, the same year as the release of BCBS 239, APRA published CPG 235: Managing Data Risk; a guideline for the regulated industry to treat data as an asset and to embed data management practices that inherently lead to improved data quality, processes, governance and controls.
BCBS 239 is a mandatory compliance instrument for Global Systemically Important Banks (G-SIBs) and exclusively focuses upon enhancing their risk data aggregation and risk reporting capabilities, with a view to ensure banks are able to accurately and timely analyse and report on their financial risks. CPG 235 on the other hand, comprises of guidelines on managing data through the end-to-end data lifecycle and to manage data risk in line with operational risk management practices. CPG 235 covers all enterprise data so it has a much broader focus than risk-specific data & reporting. CPG 235 sets out to ensure organisations are managing their data, and all risks associated with their data, throughout the data lifecycle, from capture through to disposal.
Until recently, the expectation from APRA was that the industry would voluntarily adopt the best practices laid out in the publication for managing its data risk. Increased reliance on data shared by industry to inform policymaking by APRA and Australian government agencies such as the Reserve Bank of Australia, has increased the regulator’s focus on data quality. With the revision of Economic and Financial Statistics (EFS) reporting, for example, the regulator explicitly requires reporting entities to adhere to quantitative data quality thresholds as outlined in RPG 702 and to ensure data risk is managed in line with CPG 235. Since then, the regulator has largely relied upon its supervisory tools and the independent auditors’ reports (APS 310) to monitor the industry’s progress.
While these standards have different objectives and context, both CPG 235 and BCBS 239 require institutions to improve their data management capabilities. As such, they broadly overlap on areas covering Data Governance, Data Quality and Data Controls.
The key differences between the standards are
The narrow focus of BCBS 239 on principles covering best practices on risk data aggregation and reporting. BCBS was created a with a narrow (but challenging) goal in mind: to ensure global banks can accurately measure, monitor and report on their risk (across the group). It therefore focusses on risk data. It also outlines guidelines for central banks on extending their areas of supervision and cooperation among peers.
CPG 235 covers both risk as well non-risk data and encourages entities to manage data as an asset, and therefore manage all risks associated with that asset, throughout the end-to-end data lifecycle.
So CPG 235 is about managing data risk, while BCBS 239 is about managing risk data.
To learn more about CPG 235, read a previous article here or watch this short video:
BCBS 239 – An Overview
BCBS 239 comprises of 14 principles that are broadly divided into 4 logical groups. Below is the snippet of all the principles and their logical segregation:
Group 1 – Overarching Governance and Infrastructure, Requires firms to put in place strong governance, including senior management and Board ‘tone from the top’ oversight of risk data aggregation and reporting. Senior leadership needs to ensure firms have the data architecture and IT infrastructure to support accurate and timely risk data aggregation and risk data reporting processes including during times of stress or crisis.
Group 2 - Risk data aggregation principles stress upon the importance of key data quality dimensions namely, accuracy, integrity, completeness, timeliness and adaptability. The principles also encourage banks to establish a single authoritative source of data, metadata management practices and pre-defined processes to monitor and enhance their data quality levels. The committee recommends a bank’s maturity on its data capabilities to be assessed on the basis of their ability to provide fully reconciled, error-free data made available in a timely manner for the varied usages across internal & external stakeholders.
Group 3 – Risk Reporting Practices aims to build upon the foundation laid by matured data capabilities of a bank achieved by adopting the principles covered in Group 2. The group reinforces the criticality of establishing the principles of accuracy and precision in comprehensive regulatory as well as stress reporting policies and procedures. The committee recommends periodic reviews of risks via reports that are published and distributed among the leadership to ensure functioning of the bank within the prescribed risk appetite thresholds.
Group 4 – Supervisory review, tools and cooperation cover the principles that encourage central banks to enhance the risk data aggregation and risk reporting capabilities across the global banking industry. The Basel committee further recommends for the prudential regulators to conduct a periodic assessment of the banks they supervise to ensure their compliance with the Group 1, 2 & 3 principles; while also suggesting and following through on action plans to remediate the identified areas of deficiency.
It is important to note that the principles covered in BCBS 239 are charted in a logical sequence where governance, data architectures and IT systems act as the catalyst in strengthening the bank’s data quality and adaptability that further facilitates accurate and precise risk reporting to internal and external stakeholders.
How Australian Financial Industry can benefit by implementing the BCBS 239 Principles
The principles-based approach prescribed in BCBS 239, originates from the Basel committee’s decades worth of experience in assisting the participating member nations in measuring, managing and reporting their financial and non-financial risks. Therefore, the publication is regarded as one of the most comprehensive guides for banks to manage their data risks.
Apart from globally standardising the risk data aggregation and risk reporting practices, the principles also empower banks in embracing a strategy propelled, data-driven culture that encourages usage of high-quality data in their strategic initiatives. The BCBS 239 principles have benefitted the G-SIBs in uplifting their capabilities to publish their risk data with greater accuracy and precision. The principles’ layered approach in focusing upon the three key aspects i.e. Governance, IT and Ownership; helps banks in adopting a strategic approach in planning and increasing levels of maturity in data risk management in an incremental manner.
While both CPG 235 and BCBS 239 publications go a long way in outlining best practices on data governance, the Australian banks can also benefit from adopting principles on ‘Risk Reporting Practices’ laid out in BCBS 239. The principles’ primary objective is a widespread adoption of reporting practices in banking industry that produce correct and precise reports in a timely manner, a requirement widely covered in APRA’s reporting mandates.
BCBS 239 and CPG 235 are regulatory initiatives which require entities to manage all aspects for their data. While they have a different scope and context, they both aim at ensuring firms understand and manage their data landscape and put in place the right capabilities across people, process and technology, supported by a fit-for-purpose governance framework to ensure that the relevant internal and external stakeholders have timely access to accurate data to support their decision making and ensure risk is managed within appetite.
To know more about BCBS 239 or CPG 235 or how RegCentric can help in uplifting your data management practices, contact us for an obligation-free conversation.
References: [1] APRA's 2020 Supervision and Policy Priorities
Comments