Since the financial crisis of 2008, it would appear that a paradigm shift has taken place whereby regulation breeds regulation! Just when you thought you had grasped EMIR and the early stages of MiFID II, the Bank for International Settlements (BIS) ramps
up its BCBS239 directive. This new regulation’s origins lie in the analysis of the causes of the financial meltdown, and the subsequent report uncovered shocking inadequacies in institutional risk management, including the widespread absence of consolidated
views of risk across organisations, and the inability of firms to produce the required aggregation and reports in a timely manner.
The deadline for all Global Systemically Important Banks (GSIBs) to comply with the ‘Principles for effective risk data aggregation and risk reporting’ is January 2016, but only two-thirds of the 30 listed firms anticipate that they will be ready. There
are 14 principles set out by the document, of which 11 relate directly to GSIBs’ capabilities: governance and structure, risk data aggregation, and risk reporting. In reality, the directive will affect the day-to-day operations across departments (and silos),
and in many cases this has exposed and exacerbated organisational and cultural limitations within firms. The need for an integrated, firm-wide compliance and governance structure stands in stark contrast to the traditional, embedded and departmentalised approach
to risk management commonly found in the majority of banks.
In its December 2013 progress report, the Basel Committee on Banking Supervision (BCBS) highlighted the scale of the challenge ahead, citing “large, ongoing, multi-year IT and data-related projects” as a primary factor. Historically, the infrastructure
of banks has been built up over decades and in that time it has expanded and evolved to accommodate mergers and acquisitions, new business and product lines, and geographic expansions. The resultant patchwork of accumulated ‘Frankenstein’ systems will certainly
not meet the requirements of BCBS239 without significant and costly reengineering.
On the positive side, the survey highlights that firms judge themselves to be almost fully compliant with principles 8, 9 and 11, also known as comprehensiveness, clarity and usefulness, and distribution. The more challenging areas are undoubtedly data architecture,
IT infrastructure and adaptability, which continue to give cause for concern. Unfortunately, and somewhat predictably, these are more time-consuming elements to transform and therefore a proactive approach implemented early seems the only remedy in the reputational
and legal race to comply. Whilst it is obviously a well-intentioned and sound directive, an enduring problem with BCBS239 is that it does not offer a prescriptive formula of specific requirements. In essence, then, unlike other regulatory strictures, BCBS239
is not just another box-ticking exercise; those firms that embrace the opportunity to transform their business could reap the considerable rewards arising from dramatic efficiency gains.