8 Things You Probably Don’t Know About BCBS 239
Living in Manhattan means coping with the increasing complexity of traffic rules on what were, only a few years ago, relatively simple avenues. I happen to live on Second Avenue, which first endured the removal of parking in favor of bus-only lanes, then about six months ago the addition of bike lanes, new parking zones, and turn-only lanes. While the goals may be admirable, the visible result has been a noticeable increase in honking horns, traffic jams, and pedestrian vs. biker confrontations.
I haven’t looked at the section of NYC code that resulted in this mess. But I did review in some detail the document known as “BCBS 239” – the Basel Committee on Banking Supervision “Principles for effective risk data aggregation and risk reporting.”
BCBS 239 is a direct result of the work undertaken by the Basel Committee and the Financial Stability Board (FSB) to provide guidance to enhance banks’ ability to identify and manage bank-wide risks. In particular, FSB recommended that they, in collaboration with standards setters, develop a “set of supervisory expectations” that would guide risk data aggregation and reporting for systemically important financial institutions.
The goals are admirable, but as you might imagine the devil is in the details -- and because most folks assume that BCBS 239 pertains only to the short list of global, systemically important banks (G-SIBs) and only to credit and counterparty risk aggregation, they may be missing a few of the more pertinent details of the document:
- It doesn’t just apply to G-SIBs. “It is strongly suggested that national supervisors also apply these Principles to banks identified as D-SIBs.” (domestic, systemically important banks)
- It doesn’t just apply to market, credit, and counterparty risk. “These Principles also apply to all key internal risk management models, including… advanced measurement approaches for operational risk.”
- You can’t just wait until the deadline. “G-SIBs subject to the 2016 timeline are expected to start making progress towards effectively implementing the Principles from early 2013.”
- It isn’t just limited to internal processes… “All the Principles included in this paper are also applicable to processes that have been outsourced to third parties.”
- …or internal systems. The governance framework “should include agreed service-level standards for both outsourced and in-house risk data-related processes.”
- It considers data confidentiality, integrity and availability (not just aggregation and reporting) as part of the risk management framework.
- You can’t rely on your IT audit function to validate compliance. “Independent validation… should be conducted using staff with specific IT data and reporting expertise…”
- The Bank’s IT strategy should address any shortcomings against the Principles, and initiatives should be supported through “the allocation of appropriate levels of financial and human resources.”
The slow progress of many of the regulators in identifying D-SIBs has meant in practice that BCBS 239 is currently applicable to only the 30 identified G-SIBs. But within the G-SIBs, there are likely many IT leaders who are unaware of the scope of BCBS 239 and who, when assessing the broad scope of the guidelines, may not concur with the self-reported progress of their institutions so far.
Jennifer L. Costley, Ph.D. is a scientifically-trained technologist with broad multidisciplinary experience in enterprise architecture, software development, line management and infrastructure operations, primarily (although not exclusively) in capital markets. She is also a ...