In order to make a clear connection between Data governance and the regulation, first we will clarify what is covered by Basel Committee on Banking Supervision’s standard number 239 (BCBS 239) and what does it mean to implement Data governance. Further on, we will see what does “Having BCBS 239 principles in place” mean and how does Data governance implementation support compliance with the regulation. Finally, we will share our experience and lessons learned based on projects we implemented.
Basel Committee on Banking Supervision’s standard number 239 – BCBS 239
The purpose of BCBS 239 is to make sure that banks report on all the risks they are exposed to. Specifically, banks are expected to communicate their risk data aggregation capabilities as well as their internal risks transparently and consistently.
BCBS has a total of 14 principles, that cover four closely related topics:
- Overarching governance and infrastructure
- Risk data aggregation capabilities
- Risk-reporting practices
- Supervisory review, tools, and cooperation
Out of these 14 principles, the key principles are Principle 2 and Principle 3, so let’s look at them a bit more closely and point out the keywords that highlight the connection of Data governance and BCBS 239 compliance.
Principle 2 is all about data architecture and IT architecture. This principle states that a bank should design, build and maintain data architecture and IT infrastructure that fully supports its risk data aggregation capabilities. Furthermore, the architecture should be designed in a way that it supports risk reporting practices both in regular situations as well as in cases of crisis, while still meeting all the other Principles.
The standard also determines that, in order to achieve the requirements of this principle, banks should establish data taxonomies, collect metadata and create unified naming conventions for data. Banks should also define business and IT roles and responsibilities when it comes to data, its usage and quality.
Principle 3 addresses accuracy and integrity. A bank should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis so as to minimize the probability of errors.
In addition to Principles’ provisions, They expect banks to measure and monitor the accuracy of data and to develop appropriate escalation channels and action plans to be in place to rectify poor data quality. Even more so, supervisors will question data quality management, which is often wrongly mixed up with Data governance. Data governance includes data quality management, but it covers much more, such as policies and standards for handling data, guiding principles, business rules, data usage rules, data access rules and so on.
PWC review on southeast Asia’s banks (2021) shows that not a single bank is fully compliant with the BCBS 239.
According to the same source, most of the challenges preventing the full compliance were identified within the area of data and IT architecture, specifically, related to data issues that Data governance in place could address and solve.
Data governance connects the business (people) with the pieces of information (data) through the technology used by the organization. Each business process in the organization is viewed through these aspects – who is doing what, how and with which data.
Figure shows B-I-T sequence from Data Governance Institute, which emphasizes that data governance lies in the cross-section of these three aspects.
Implementing Data governance means assigning responsibility for all data within one organization to clearly identified data owners and tracking what happens with the data in its lifecycle. This means that one should keep in mind that these three elements: the piece of information (data), business (people) who take care of this data and technology used to store and manage data, are – so to say – inseparable. Data governance implementation is not about adding new tool into your technology landscape. Instead, it is about creating a framework that provides understanding of data ownership, data lifecycle, meaning of the data and acceptable data usage
All of that will result in having a business glossary and data catalog, documented policies describing data consumption via processes, business and technical lineage, as well as in having data monitoring via data quality rules, all of which is exactly what is required by BCBS 239.
What does “Having BCBS 239 principles in place” mean?
Through BCBS 239 principles Basel Committee has explicitly introduced qualitative expectations for risk reporting organization, processes and tools. Implicitly, it has quantitative expectations for reporting. These requirements display an increased focus on data quality, as well as emphasis on risk aggregation, timeliness, accuracy and granularity when producing a report.
Figure shows relation between Data governance pillars and BCBS 239 requirements.
If we take “producing a Risk report” as an example, Article 37 states that each position in Risk report has to be clearly and unambiguously defined. From Data governance perspective,
- having a business glossary categorized by risk report positions and
- having a policy for creating each position in the Risk report
will cover exactly what is required by Article 37.
Knowing who (more as a role than in terms of exact person) is responsible for risk data used in calculation of each position in Risk report is exactly what Data ownership and Data stewardship of Data governance framework are covering (and Article 34 is asking). By ownership and stewardship, we mean both technical and business sidewise, and we also mean escalation procedures and action plans in case of poor data quality.
So, if we go back to BCBS 239 requirements, as described above through Principles, it turns out that having implemented Data governance directly and significantly contributes to BCBS 239 compliance.
Authors: Jelena Jančiev Basrak, Senior Consultant and Antonija Tadić, Consultancy Head – CQ at Poslovna inteligencija