A layman’s guide to BCBS239
In January 2013, the Basel Committee on Banking Supervision (BCBS) issued a document
titled “Principles for effective risk data aggregation and risk reporting”. It is generally known
as “BCBS 239”. The document sets out guidelines for effective reporting of risk to the board
and senior management of banks.
So does BCBS 239 matter? Well, if a bank is a SIFI (systemically important financial
institution), big enough that its failure could cause instability in the financial system, then
it does matter, since such banks need to comply with the guidelines, some as early as 2016.
But I would argue these regulations are important even if a firm is not a SIFI simply because
BCBS 239 describes the best practice for this important topic and does it concisely and
clearly. The document says that one of its objectives is enhanced risk management and
decision making, and to improve strategic planning – for the ultimate good of the firm and
its shareholders.
The BCBS has the interests of the taxpayers rather than shareholders in mind. Its motivation
for issuing this document arises from the crisis of 2007, when some banks’ Risk functions
could not cope and it was impossible to get good risk information for proper decisions. In any
future crisis, the regulators want good, timely risk information to be able to wind up the
bank or perhaps organise a recovery.
The document defines 14 principles and groups those into 4 areas: governance, aggregation,
reporting and supervisory review. Table 1 summarises these.
Table 1 The 14 principles

Area                           Principle #  Summary
Governance and Infrastructure  1            Strong governance “in the round”
Governance and Infrastructure  2            Risk IT must be able to cope in a crisis
Aggregation                    3            Achieve integrity and accuracy via automation
Aggregation                    4            Completeness at group level but also drill down to entity
Aggregation                    5            Timeliness - especially in the crisis
Aggregation                    6            Adaptability - for changing circumstances
Reporting                      7            Accuracy through reconciliation and validation
Reporting                      8            Comprehensiveness - include all material risks
Reporting                      9            Clarity - to facilitate informed decision making
Reporting                      10           Frequency of reporting - appropriate to nature of risk
Reporting                      11           Distribution to right people (and only them)
Supervisory Review             12           Periodic review and spot tests
Supervisory Review             13           Supervisor’s power to require remedial action
Supervisory Review             14           Supervisor home/host co-operation

Governance and management controls and processes are the overriding preoccupation;
these include controls, roles, ownership of data and independent validation. The document
draws a rather arbitrary distinction between aggregation and reporting. Aggregation is the
gathering of all the data together, which is a pre-requisite for reporting - providing useful,
relevant summaries to inform better decisions. Supervisory review describes the supervisors’
powers to do periodic assessments (including spot tests) and to require the banks to
perform remedial action if they fail these tests.
There are several themes that resonate through the document. There are many references
to ensuring that risk reporting works well not only in normal circumstances but also in a crisis
situation – clearly this reflects the experience of the 2007 crisis.
The board and senior management must be aware and in control of all aspects of risk
reporting. They must define the information they need and must be aware of the
weaknesses and omissions in the reports they receive. This holds true even if they delegate
parts of the process to third parties. The buck stops with the board.
The document states the ‘what’ but not the ‘how’. There are very few hard and fast rules on
how the guidelines should be implemented. The only occasions when the guidelines are
explicit are to state that banks must be able to report certain risks intra-day in a crisis
situation and to stipulate the minimum content for a risk report. But for the rest, well it
depends on what’s appropriate in the firm’s situation.
The BCBS prefer automation of risk data processes. They have a strong suspicion of any
manual process – these should be the temporary (and well documented and independently
validated) exception rather than the rule.
“Forward looking” reports are encouraged. These include stress test and scenario-based
reports.
The entire BCBS 239 can be read from start to end in an hour – it is less than 30 pages. For
those in a hurry, I would suggest starting with Annex 1, which very clearly defines the terms
so you appreciate BCBS’s distinction between key terms, e.g. the difference between
accuracy and precision or between completeness and comprehensiveness. Annex 2 is a
summary of the 14 principles. For most people, this will be enough but for more detail, the
initial sections cover the motivation behind these regulations, the context and then more
background to the principles.
BCBS 239 reflects a traditional reporting situation – it assumes that senior management
receives their risk data as canned reports – hence their distinction between aggregation and
reporting. It assumes a world where the summary risk data is selected and communicated to
the board by risk management and risk IT. It does not consider the emerging world of
self-reliant and self-service reporting where risk managers have good tools to visually explore
and analyse the data. This is probably a reflection of the current status quo in most of the
banks.
In summary, BCBS 239 is a very useful document and not only for those firms for which the
regulations apply. It provides well thought-out, well drafted guidelines with implications for
all processes involved in ensuring that the board of a firm can take well informed decisions
about the management of their financial risk.