An Introduction to BCBS 239

Kasey Nolan

March 27, 2025

In response to the vulnerabilities exposed by the 2008 financial crisis, the Basel Committee on Banking Supervision developed BCBS 239, formally titled “Principles for Effective Risk Data Aggregation and Risk Reporting”. This regulatory framework is not merely a set of guidelines but a transformative approach to risk data aggregation and risk reporting, particularly for Global Systemically Important Banks (G-SIBs). BCBS 239 establishes rigorous risk data aggregation and reporting standards to enhance the banking sector’s ability to manage, identify, and mitigate financial risks effectively.

Implemented to ensure banks can respond with agility and accuracy in stressful financial periods, this framework is crucial for maintaining stability in the global financial system.

The 14 Principles of BCBS 239

BCBS 239 outlines 14 key principles, 11 applicable to banks and 3 to regulatory supervisors, organized into four core focus areas covering overarching governance, risk data aggregation capabilities, risk reporting practices, and supervisory review:

Overarching Governance and Infrastructure

This area emphasizes the importance of having a robust governance framework, risk data architecture, and IT infrastructure as foundational elements that enable compliance with the other principles. It mainly affects bank boards and senior management, who are responsible for ensuring that these elements are effectively implemented and maintained.

  • Governance: Banks must have a strong governance framework that clearly assigns responsibilities and establishes control mechanisms for risk data aggregation and reporting. This places responsibility on bank senior management to review and approve risk data aggregation and risk reporting frameworks.
  • Data Architecture and IT Infrastructure: Banks are required to maintain data architecture and IT infrastructure that robustly support risk data aggregation and reporting under normal and stress conditions. This impacts IT and data management departments within banks, which must design and maintain these systems.

Risk Data Aggregation Capabilities

These principles focus on a bank’s ability to define, gather, process, and provide risk data in a way that meets the bank’s risk reporting requirements and supports its risk management framework. Banks must develop systems and processes that allow for the accurate, complete, timely, and adaptable aggregation of risk data to ensure that they can respond effectively to both normal and stress conditions in the market.

  • Accuracy and Integrity: Banks must generate accurate and reliable risk data that minimizes the probability of errors. This principle primarily impacts risk management and data processing teams tasked with ensuring data integrity.
  • Completeness: Risk data must be comprehensive and cover all material risks and business areas within the bank. This principle involves risk managers and data analysts who must ensure no critical data is omitted from reports.
  • Timeliness: Risk data should be produced promptly to meet regular and stress condition reporting needs. It affects all levels of risk management, particularly during periods of rapid change when timely data is critical.
  • Adaptability: Banks should be able to adjust their risk data aggregation capabilities to meet a broad range of reporting requirements and stress conditions. This impacts strategic operational risk teams who need to respond to emerging risks and regulatory demands.

Risk Reporting Practices

These principles pertain to the processes of creating reports that accurately and comprehensively reflect the aggregated risk data and are tailored to meet the specific needs of their recipients, who typically include senior management and the board. The reports must be clear, useful, and produced at a frequency that supports timely decision-making and effective risk management.

  • Accuracy of Risk Data Aggregation: Risk reports must precisely convey aggregated risk data, ensuring that reports are reconciled and validated. This impacts the risk reporting teams responsible for the accuracy and reliability of risk reports.
  • Comprehensiveness: Risk reports should encompass all material risk areas and reflect the complexity and scope of the bank’s operations. This impacts senior management and board members who rely on these reports for decision-making.
  • Clarity and Usefulness: Risk reports should be clear, concise, and useful to their intended recipients, facilitating informed decision-making. This principle mainly affects the design and distribution of reports to ensure they meet the needs of executives and board members.
  • Frequency: The production and distribution frequency of risk reports should be set based on the nature of the risks reported and the needs of the recipients. This impacts how management and the board monitor and respond to risks.
  • Distribution: Risk reports should be appropriately distributed while maintaining confidentiality. This impacts compliance and risk management teams who must ensure secure and effective communication of risk findings.

Supervisory Review, Tools, and Cooperation

These principles involve the role of regulatory bodies in monitoring and ensuring that banks comply with the set principles through regular reviews and the use of supervisory tools. They require cooperation among supervisors across different jurisdictions, particularly for banks that operate internationally, to ensure consistent application of and adherence to these risk management standards.

  • Review: Supervisors should periodically evaluate a bank’s compliance with the risk data aggregation and reporting principles. This affects regulatory bodies and internal audit functions tasked with oversight.
  • Remedial Actions and Supervisory Measures: Regulators should have tools to require banks to take timely corrective actions to address deficiencies in risk data practices. This impacts bank management who are responsible for aligning practices with regulatory expectations.
  • Home/Host Cooperation: Supervisors should cooperate across jurisdictions to supervise and review the principles effectively, especially in the context of global banking operations. This impacts international banks and their regulatory supervisors in various countries.

Understanding the 14 principles of BCBS 239 is just the beginning of mastering how banks can elevate their risk management frameworks to not only meet regulatory expectations, but also enhance operational efficiency and competitive advantage. Each principle is a stepping stone towards achieving robust data governance, accurate risk reporting, and ultimately, financial stability. This is vitally important, as governance serves as the foundation upon which all procedural and compliance standards are built.

By reinforcing these practices, BCBS 239 ensures that banks have resilient and responsive governance structures capable of addressing potential risks proactively, safeguarding against systemic vulnerabilities and enhancing the overall health of the financial system.

Stay tuned for future blogs in our series on BCBS 239 to learn more about how the Actian Zeenea platform helps ensure that governance frameworks and IT infrastructures are not only compliant with BCBS 239, but optimized for efficiency and scalability. In the meantime, take a free product tour to see how enterprise data teams use Zeenea to quickly discover data and AI assets, establish trust, and democratize data access.

About Kasey Nolan

Kasey Nolan serves as Actian’s Solutions Product Marketing Manager. She has spent 10 years supporting both sales and marketing in the cloud Infrastructure as a Service space, specializing in cloud and edge compute technologies. At Actian, she is responsible for aligning marketing and sales messages, emphasizing the use cases (jobs to be done) and solutions addressed by the Actian Portfolio.