BCBS 239 governance: so what does good look like?

Dealing with data is an issue that senior management has long been aware of. As Moody's put it in a report last year, "it is often the elephant in the room – a big something to be dealt with, but one that is almost always too big to tackle, or one that is postponed as tomorrow's problem". With BCBS 239 a bank's board and senior management are now very much centre stage as the owners of the dreaded data problem. And it's not just the tier 1 banks that need to take notice, there is an increasing belief that this regulation is merely a foot note, it isn't the end game.

Under BCBS 239, there are some key questions that senior managers must know the answer to. These include:

• What are the limitations that prevent full risk data aggregation?
• Do I understand what those limitations are and their impact in terms of coverage (e.g. risk not captured or subsidiaries not included), technical (e.g. model performance indicators or degree of reliance on manual processes) and legal (legal impediments to data sharing across jurisdictions)?
• How are the reports I'm reading and making decisions based on impacted by these limitations?
• Do we have adequate resources deployed to meet the standards required?
• Have we agreed service level standards with our outsourcers?
• With a lack of concrete parameters set, are we meeting a high enough standard across all the data and reporting standards?
• Who has responsibility for what?
• Is there a stratification of control from execs, to management and business leads to day-to-day users?

As mentioned already, if BCBS 239 is not the end game then it makes sense for all banks to take notice. The financial crisis exposed risk, data and IT failures throughout the entire community, so looking to BCBS 239 as a starting point for minimum standards of best practice makes sense. Why would the regulators stop at the G-SIBs or the D-SIBs? Surely the ultimate goal has to be better risk management for all.