Financial Services
BCBS 239: LEARNING FROM PRIME MOVERS
AUTHORS
Mark James, Partner
Strategic IT & Operations
Paul Mee, Partner
Strategic IT & Operations
Pankaj Khanna, Principal
Finance & Risk and Strategic IT & Operations
Since the Basel Committee published the BCBS 239 Principles for Effective Risk Data
Aggregation and Risk Reporting (RDARR) in 2013, banks everywhere have encountered
major potholes on the road to compliance.
Progress updates by the Institute of International Finance (IIF), the Bank for International
Settlements (BIS), and others continue to raise questions about what leading banks can
realistically hope to achieve. According to recent reviews:
• Fewer than half of the global systemically important banks (G-SIBs) say they are likely to
be compliant by the 2016 deadline, keeping in mind that “compliance” refers to broad,
non-prescriptive principles and is open to interpretation.
• The scope of risk reports varies widely among banks, ranging from 12 or fewer reports for
some banks to more than 100 for others, once again highlighting the role of interpretation.
• Banks are struggling to understand the concrete business impact associated with BCBS
239; nearly 70 per cent of domestic systemically important banks (D-SIBs) and half of
G-SIBs have not quantified the benefits.
• The investment spend by G-SIBs on RDARR is very significant, averaging US$230 MM
per bank. These investment costs are likely to increase.
• Compliance dominates the IT and Operations change agenda and associated budgets.
Additionally, expertise is significantly stretched as banks struggle to deploy risk, finance
and IT professionals for the challenge at hand. Money aside, banks lack sufficient risk,
finance, and IT professionals for the job. Data subject matter experts are also in short
supply. Some G-SIBs have dozens and even hundreds of open positions.
External pessimism is mirrored internally. The latest self-assessments have also
deteriorated markedly since the initial submissions: The Basel Committee has made
the self-assessment more thorough and precise, and banks have learned more about
regulatory expectations and the size of their gaps—and the complexity, cost, and effort
needed to close them.
Now is the time for banks to review the direction and pace of their BCBS 239 compliance
efforts. If program changes need to be made, executives should be aware and act while
time remains. This paper explains the issues, and shares the experience of compliance first
movers. Many lessons merit consideration as deadlines loom across the sector.
SLOWDOWN PROGNOSIS
There are many reasons why the road to compliance is slow and costly. Talent is scarce, and
compliance places increased demand—and a premium—on the small group of busy experts.
Programs often lack clear definition around strategic design choices and muddle tactical fixes
with sustainable long-term solutions. Coordination and trade-offs across related initiatives in
risk, finance, treasury, IT, front office, audit, compliance, and operations are hard to achieve.
Enhancing process and IT capabilities is tough enough, but meeting RDARR objectives
requires more. It demands definition, clarity, and instilling enterprise-wide culture around
data ownership, operational, and risk-management processes and eventually, business
process change. For many organizations, the need for a change in culture itself becomes a
major program risk. Senior management communications are often met with resistance from
competing business and political agendas, and bottom-up initiatives are slow to take hold.
In some institutions, these factors create a vicious circle. When progress seems stalled and
short-term improvements are hard to see, supporters become discouraged. The result is
waning buy-in from the board, senior management, and multiple stakeholders.
Against this unpromising background, deadlines remain. G-SIBs must satisfy regulators
soon; qualifying D-SIBs and others typically have a longer runway. Varying demands and
degrees of prescriptiveness by different regulators cloud the picture further.
The prudent approach in most cases—pending regulatory discussion—should be for banks to
focus on the most appropriate design and implementation decisions. Although a key question
is “what is required to get a passing grade at the deadline?,” banks should also ask: “What is
the achievable plan for compliance and improvement in the medium to longer term?”
In the process of meeting the first deadline, banks often neglect underlying data and
reporting issues that will continue to cause pain and will demand future investment and
rework. As one banking executive remarked wistfully, “We know we’ll be opening up the
patient again after the compliance deadline.” The risk is not only of banks missing the target,
but also a more fundamental one of pursuing the wrong target without fully realizing it and
of not exploring the consequences.
MOVING SMARTLY
The experience of first movers is instructive for all banks, whether newly embarked or
already on the bumpy road to compliance. The following questions will help those executives
who are responsible for delivering RDARR to gauge whether the organization is on track:
1. Are our objectives realistic, feasible, and achievable, given the nature of the dependencies?
2. Can we draw a straight line from our efforts to the required compliance outcomes?
3. Will the program resolve our most pressing structural data aggregation and reporting issues?
4. Is the investment in the program structured to balance short-term and longer-term priorities?
5. Are we staying on top of our numerous and evolving regulatory expectations?
REALISTIC AND ACHIEVABLE PROGRAM SCOPE
Too many banks have discovered too late that they have bitten off more than they can chew.
Recognizing that each bank’s business model, complexity, risk appetite, and operations differ,
there is no single right answer. One bank could invest hundreds of millions on an all-inclusive
transformative data-management and reporting technology solution. Another bank of comparable
size could opt to focus on compliance and governance solutions and spend substantially less
on technology. It depends entirely on the particular scope, design choices, and approach to
achieving compliance that a bank adopts so long as the outcome is robust and sustainable.
The decision on scope is a strategic one that involves numerous trade-offs. An easy, cheap,
and pragmatic set of fixes may not solve underlying problems. Conversely, a more expansive,
transformative and sophisticated solution may collapse under its own weight.
Options that are likely to increase investment in the near term but yield long-term benefits include:
• Remediating data that not only affects risk but also intersects with finance and/or treasury
• Redesigning the risk IT architecture, or at least beginning the journey
• Moving to a leaner and more agile risk operating model
• Establishing official / authorized risk data staging and data provisioning arrangements
• Standardizing and / or re-engineering the reporting platform
• Rationalizing / simplifying data sourcing
• Addressing reference data issues, such as legal entity identifier (LEI)
• Remediating / cleansing historical data
In considering these strategic design choices, banks need to understand what minimum
compliance means. It may entail re-engineering the whole data/reporting infrastructure, or
it may mean instituting rigorous and effective governance of existing processes to get the
job done. The answer will differ from bank to bank and from jurisdiction to jurisdiction.
The principal issue is a weighty one: Can the bank afford to postpone difficult and expensive
infrastructure and process changes until after the compliance deadline? Or are the changes
essential to becoming compliant?
STRAIGHT LINE TO OUTCOMES
The next test is equally weighty: Will the investments and the changes being implemented
lead to BCBS 239 compliance? For example, will the new enhanced risk-data-sourcing
system and operating model move the bank from BIS assessment level three to level four?
Often, the answer is not as clear as it should be.
Banks are coming up with their own ways to find out. Leading banks are using compliance
critical path analysis and control frameworks to keep initiatives on track. They work
backward from the final target, confirm where they need to be at each checkpoint, and
identify the capabilities and changes necessary to meet those goals. For example, a U.S.
G-SIB developed a compliance mini-scorecard for RDARR implementation to track progress
specifically by principle and action at-risk items accordingly.
With a clearer view of their progress vis-a-vis the compliance target, banks can more easily
spot and strip away noncore asks or nice-to-haves.
RESOLVING THE MOST PRESSING DATA ISSUES
Which risk data are to be remediated? Typically, banks start by defining the reports that are
core to making risk decisions. Then they—with input from key risk decision makers—triage and
prioritize the data elements required for these reports, in line with requirements (see Exhibit 1).
At a minimum, these core reports should include the following:
• Reports to key internal stakeholders, including:
  − Board and senior strategy, controlling and risk-management bodies at group and entity level
  − Senior management and day-to-day risk decision makers
  − Incident/crisis assessment and management teams
  − Operational oversight and support teams including data, processes, and infrastructure
• Reports to all regulatory bodies, even if this was not the primary intention of RDARR
• Reports issued to other external stakeholders, both regularly and on an ad hoc basis
In some cases, the list of data elements can balloon into the hundreds or even thousands.
From this vast pool, the most important risk data elements must be rapidly identified and
winnowed for criticality. Top priority must go to those that are truly essential to managing
and mitigating risk—both when times are stressful and when it is business as usual.
Exhibit 1: Identifying Data Elements for Remediation
STEP: Review and prioritize risk reports
DESCRIPTION
• Top-down collation of all key internal and externally shared risk reports; inclusion of
key operational risk reports, dashboards and models
• Forced prioritization of long-list of reports, or subsets thereof, into buckets given
materiality of metrics during business-as-usual and stress/crisis periods
PREREQUISITES
• At minimum a full repository of all reporting requirements and actual reports
• Ideally, an already stream-lined risk model landscape
• Board, senior management and subject matter expert (SME) input
STEP: Identify underlying data-fields
DESCRIPTION
• Extract all data fields from analytical models that support reporting and underlying analytics
• Identify overlaps, diverging definitions, gaps, and granularity required
• Step-by-step alignment (or delineation where necessary) of data definitions, model
and taxonomy
PREREQUISITES
• Business and IT analyst assessment of reports against bank’s data taxonomy
• SME, management, data operations and IT input
• Agreed guidelines for maximum level of granularity for drill-down and level of data
quality checks/control
STEP: Compile prioritized list of data elements for remediation
DESCRIPTION
• Forced allocation of identified data elements into prioritized remediation buckets
• Focus on shared cross-functional reference and other data elements
PREREQUISITES
• Clear prioritization of most critical data items/areas
• Reference data model to cross-check against
• Functional (Finance, Risk, Treasury, IT, etc.) SME involvement
BALANCING NEAR-TERM AND LONG-TERM INVESTMENT
Thus far, complying with BCBS 239 has involved more sticks than carrots. But banks should
not overlook the carrots or their importance to stakeholders in compliance.
As noted earlier, pinpointing RDARR’s benefits is often a deeply challenging exercise.
However, without a clear picture of the upside of compliance, it is tempting to fix reports,
data types, and the many and varied IT system items on a fragmented and isolated basis—
dispersing sand grains of expenditure without any sense of what their collective effect may be.
In fact, banks can quantify likely capital and cost savings, as well as increased revenues from
enhanced customer offerings—with clear caveats and assumptions. On the qualitative side,
banks may become more efficient and agile (see Exhibit 2 below). Regardless of the type of
benefit anticipated, a believable benefits case needs to be grounded in reality and linked to
the compliance schedule.
With this perspective, a bank can weigh investment choices that go beyond compliance
alone. For example, a major Canadian bank decided to deploy digital reporting, adding
several million dollars to RDARR program costs. The bank is planning to eliminate or
minimize paper reports, simplify processes, and increase efficiency while delivering more
sophisticated and flexible risk management information.
Exhibit 2: Quantitative and Qualitative Benefits
RISK & FINANCE DATA SYSTEMS ARCHITECTURE REDESIGN AND INFRASTRUCTURE UPGRADE: COMPARISON OF TOTAL INVESTMENT BUDGET VS. QUANTITATIVE AND QUALITATIVE BENEFITS FOR MID-SIZE, MULTI-NATIONAL UNIVERSAL BANK
[Bar chart; vertical axis in USD MM. Chart labels: total 4-5 years budget for risk and finance data/systems revamp; 1yr case; quantitative benefits.]
QUANTITATIVE BENEFITS
• Capital savings from RWA reduction
• Cost savings from prevention of fines and costs of ad-hoc / ‘just in time’ compliance
• Cost savings from significantly reduced reconciliation efforts
• Cost savings from reduced recurring provisional fixes
QUALITATIVE BENEFITS
1. Improved regulatory compliance and engagement
2. Enhanced business decision-making
3. Improved client management and servicing
4. Agile pricing and strategic risk hedging
5. Protect and improve bank’s reputation
6. Rapid product development / modification
7. Significantly increased flexibility and reduced cost for implementing future internal and
regulatory requirements
8. Reduction of diverted management and organizational attention and resource cost
9. Reduced manual intervention / remediation, greater job enrichment, skills leverage and satisfaction
10. Efficient stress/crisis management support
CHANGING REGULATORY EXPECTATIONS
What does it mean to be compliant? The answer varies. G-SIBs and other early movers
have had an advantage. Many were able to negotiate at a time when the regulatory process
was still in its infancy. With the passage of time, the positions of regulators have hardened,
regional regulators have raised the bar, and banks have less wiggle room. In our view,
regulations are likely to coalesce around the highest bar in the medium term.
To have a voice in the regulatory evolution, the more successful players engage with both
regulators and other banks, participating in official international forums and local collective
banking associations.
In addition to engagement, banks that have clear accountabilities and a comprehensive
action plan (with regard to compliance deadlines and beyond) usually enjoy smoother and
more productive regulatory dialogues. A typical supervisor wants to know that an executive
is in control of the program and is following an achievable path to success. This means
paying attention to governance, the most critical principle. It also means that the associated
organizational arrangements, responsibilities, and accountabilities must be in place and be
operational, in the case of both the RDARR program and the business-as-usual model for risk
data management and risk reporting.
INCREASING CONFIDENCE AND PACE
The questions posed in this paper derive from the experience of first movers in compliance.
Banks that can answer them in the affirmative should feel a welcome degree of confidence
and assurance.
If, however, the answers are negative or uncertain, now is the time to pause and review.
Consider undertaking a form of health-check regarding the direction, preparation, and pace
of the bank’s efforts. If a bank’s BCBS 239 compliance program needs to be adjusted or even
rerouted, it is best that executives know this while they have the time and the ability to align
investment decisions and resources.
Oliver Wyman is a global leader in management consulting that combines deep industry knowledge with specialised expertise in
strategy, operations, risk management, and organisation transformation.
Copyright © 2015 Oliver Wyman