Defining what BCBS 239 compliance looks like remains clouded in mystery. Tough ‘show and tell’ discussions rage on between banks and regulators as to what absolutely must be done to meet the requirements of the principles. But what if it could all be rolled
up into a simple litmus test? One that could be presented to your board as being a good, solid marker as to how close your bank realistically is?
BCBS 239 is the show starter. Risk data aggregation standards across the industry as a whole are the expected goal. Any and all firms should consider solid risk data aggregation as an opportunity to simplify operations, an opportunity to demonstrate a sound
risk management model and an opportunity to share business critical risk data.
So what is the big question that firms must be able to answer in order to benchmark their risk data aggregation capabilities? Here goes. If your firm was theoretically divesting a business unit, would you have all the data to hand? If you would, you are
compliant. If you wouldn’t, you’re not.
Want to know the scary part? At this stage, no one is compliant and the deadline is literally a matter of months away. All sides appear to have underestimated the scale of the task: the changes needed to existing processes and systems; the limitations of
existing risk reports; the continued inadequacies of capturing an accurate risk profile during crisis situations and the commitment and comprehension needed at C-suite level. There are also battles raging on for internal expertise.
At this stage, the compliance bar has lowered to one of intent, to the spirit of compliance. Banks are also typically looking at a pared down version of a true risk data universe. The internal data web in banks is proving so complex that there appears to
be limited clarity on how it holds together.
Compliance at the January deadline currently looks like this: the bank can demonstrate a clear intention to build a strong risk data aggregation framework, the bank is some ways along the path to doing so and the bank has put money behind it.
We are some way soft of a perfect compliance model. Tactical projects appear to be the focus for now. The hope is that these tactical responses are a starter pack to a single, strategic platform.