BCBS 239
BCBS 239 is the Basel Committee on Banking Supervision's regulation number 239. The subject title of the regulation is: Principles for effective risk data aggregation and risk reporting.
Reporting population
The regulation was published in January 2013 and will apply to G-SIBs that were defined as such no later than November 2012, otherwise three years after their designation as G-SIBs. The regulation also recommends that national supervisors apply it to D-SIBs three years after their designation as such.[1]
Objective
The overall objective of the regulation is to strengthen banks’ risk data aggregation capabilities and internal risk reporting practices, in turn, enhancing the risk management and decision making processes at banks.[2]
Structure of legislation
The regulation consists of five sections, four of which subsume fourteen principles:[3]
- I. Overarching governance and infrastructure
  - 1. Governance
  - 2. Data architecture and IT infrastructure
- II. Risk data aggregation capabilities
  - 3. Accuracy and integrity
  - 4. Completeness
  - 5. Timeliness
  - 6. Adaptability
- III. Risk reporting practices
  - 7. Accuracy
  - 8. Comprehensiveness
  - 9. Clarity and usefulness
  - 10. Frequency
  - 11. Distribution
- IV. Supervisory review, tools and cooperation
  - 12. Review
  - 13. Remedial actions and supervisory measures
  - 14. Home/host cooperation
- V. Implementation timeline and transitional arrangements
The principles are in turn broken down into more detailed paragraphs. It should be noted, however, that even at the lowest level it is a principle-based regulation with few clear and defined metrics that can be used to monitor compliance.
A brief description of the 14 basic principles is given below.[4]
Principle 1 Governance – A bank’s risk data aggregation capabilities and risk reporting practices should be subject to strong governance arrangements consistent with other principles and guidance established by the Basel Committee.
Principle 2 Data architecture and IT infrastructure – A bank should design, build and maintain data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis, while still meeting the other Principles.
Principle 3 Accuracy and Integrity – A bank should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis so as to minimise the probability of errors. A high-level explanation for each principle can be found in Annex 2 of the legislation.[5]
Principle 4 Completeness – A bank should be able to capture and aggregate all material risk data across the banking group. Data should be available by business line, legal entity, asset type, industry, region and other groupings, as relevant for the risk in question, that permit identifying and reporting risk exposures, concentrations and emerging risks.
Principle 5 Timeliness – A bank should be able to generate aggregate and up-to-date risk data in a timely manner while also meeting the principles relating to accuracy and integrity, completeness and adaptability. The precise timing will depend upon the nature and potential volatility of the risk being measured as well as its criticality to the overall risk profile of the bank. The precise timing will also depend on the bank-specific frequency requirements for risk management reporting, under both normal and stress/crisis situations, set based on the characteristics and overall risk profile of the bank.
Principle 6 Adaptability – A bank should be able to generate aggregate risk data to meet a broad range of on-demand, ad hoc risk management reporting requests, including requests during stress/crisis situations, requests due to changing internal needs and requests to meet supervisory queries.
Principle 7 Accuracy – Risk management reports should accurately and precisely convey aggregated risk data and reflect risk in an exact manner. Reports should be reconciled and validated.
Principle 8 Comprehensiveness – Risk management reports should cover all material risk areas within the organisation. The depth and scope of these reports should be consistent with the size and complexity of the bank’s operations and risk profile, as well as the requirements of the recipients.
Principle 9 Clarity and usefulness – Risk management reports should communicate information in a clear and concise manner. Reports should be easy to understand yet comprehensive enough to facilitate informed decision-making. Reports should include an appropriate balance between risk data, analysis and interpretation, and qualitative explanations. Reports should include meaningful information tailored to the needs of the recipients.
Principle 10 Frequency – The board and senior management (or other recipients as appropriate) should set the frequency of risk management report production and distribution. Frequency requirements should reflect the needs of the recipients, the nature of the risk reported, and the speed at which the risk can change, as well as the importance of reports in contributing to sound risk management and effective and efficient decision-making across the bank. The frequency of reports should be increased during times of stress/crisis.
Principle 11 Distribution – Risk management reports should be distributed to the relevant parties while ensuring confidentiality is maintained.
Principle 12 Review – Supervisors should periodically review and evaluate a bank’s compliance with the eleven Principles above.
Principle 13 Remedial actions and supervisory measures – Supervisors should have and use the appropriate tools and resources to require effective and timely remedial action by a bank to address deficiencies in its risk data aggregation capabilities and risk reporting practices. Supervisors should have the ability to use a range of tools, including Pillar 2.
Principle 14 Home/host cooperation – Supervisors should cooperate with relevant supervisors in other jurisdictions regarding the supervision and review of the Principles, and the implementation of any remedial action if necessary.
References
- [1] "Principles for effective risk data aggregation and risk reporting" (PDF). p. 11, paragraphs 14 and 15. Retrieved 11 July 2016.
- [2] "Principles for effective risk data aggregation and risk reporting" (PDF). p. 10, paragraph 9. Retrieved 11 July 2016.
- [3] "Principles for effective risk data aggregation and risk reporting" (PDF). pp. 13–23. Retrieved 11 July 2016.
- [4] "Principles for effective risk data aggregation and risk reporting" (PDF). Annex 2, Summary of the Principles. p. 26. Retrieved 11 July 2016.
- [5] "Principles for effective risk data aggregation and risk reporting" (PDF). pp. 26–28. Retrieved 11 July 2016.