BCBS 239

From Open Risk Manual


BCBS 239 denotes a Standard published by the Basel Committee on Banking Supervision in January 2013. The objective of the standard is to strengthen banks’ Risk Data Aggregation capabilities and internal Risk Reporting practices, in turn, enhancing the Risk Management and decision making processes at banks. The scope of the standard covers Global Systemically Important_Banks (G-SIBs) with a recommendation that national supervisors apply it also to Domestic Systemically Important Banks (D-SIBs)[1]


The standard consists of five sections and articulates 14 principles. The first three sections (Overarching governance and infrastructure, Risk data aggregation capabilities, Risk reporting practices) are integrated into the Open Risk Manual. Supervisory Review and Implementation Timelines are not integrated.

Overarching Governance and Infrastructure

Principle 1: Governance

A bank’s risk data aggregation capabilities and risk reporting practices should be subject to strong governance arrangements consistent with other principles and guidance established by the Basel Committee.

Principle 2: Data Architecture and IT Infrastructure

A bank should design, build and maintain data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis, while still meeting the other Principles.

Risk Data Aggregation Capabilities

Principle 3: Accuracy and Integrity

A bank should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis so as to minimise the probability of errors.

  • Data Accuracy captures the closeness of agreement between a measurement or record or representation and the value to be measured, recorded or represented
  • Data Integrity is sometimes used as a synonym for Data Quality. In the BCBS 239 standard the term is used in a more narrow sense as: the freedom of risk data from unauthorised alteration and unauthorised manipulation that compromise its accuracy, completeness and reliability

Principle 4: Completeness

A bank should be able to capture and aggregate all material risk data across the banking group. Data should be available by business line, legal entity, asset type, industry, region and other groupings, as relevant for the risk in question, that permit identifying and reporting risk exposures, concentrations and emerging risks.

  • Data Completeness is the availability of relevant risk data aggregated across all firm's constituent units (eg legal entities, business lines, jurisdictions, etc

Principle 5: Timeliness

A bank should be able to generate aggregate and up-to-date risk data in a timely manner while also meeting the principles relating to accuracy and integrity, completeness and adaptability. The precise timing will depend upon the nature and potential volatility of the risk being measured as well as its criticality to the overall risk profile of the bank. The precise timing will also depend on the bank-specific frequency requirements for risk management reporting, under both normal and stress/crisis situations, set based on the characteristics and overall risk profile of the bank.

  • Data Timeliness is the availability of aggregated risk data within such a timeframe as to enable a bank to produce risk reports at an established frequency

Principle 6: Adaptability

A bank should be able to generate aggregate risk data to meet a broad range of on-demand, ad hoc risk management reporting requests, including requests during stress/crisis situations, requests due to changing internal needs and requests to meet supervisory queries.

Risk Reporting Practices

Principle 7: Accuracy

Risk management reports should accurately and precisely convey aggregated risk data and reflect risk in an exact manner. Reports should be reconciled and validated.

Principle 8: Comprehensiveness

Risk management reports should cover all material risk areas within the organisation. The depth and scope of these reports should be consistent with the size and complexity of the bank’s operations and risk profile, as well as the requirements of the recipients.

Principle 9: Clarity and Usefulness

Risk management reports should communicate information in a clear and concise manner. Reports should be easy to understand yet comprehensive enough to facilitate informed decision-making. Reports should include an appropriate balance between risk data, analysis and interpretation, and qualitative explanations. Reports should include meaningful information tailored to the needs of the recipients.

Principle 10: Frequency

The board and senior management (or other recipients as appropriate) should set the frequency of risk management report production and distribution. Frequency requirements should reflect the needs of the recipients, the nature of the risk reported, and the speed at which the risk can change, as well as the importance of reports in contributing to sound risk management and effective and efficient decision-making across the bank. The frequency of reports should be increased during times of stress/crisis.

Principle 11: Distribution

Risk management reports should be distributed to the relevant parties while ensuring Confidentiality is maintained.


  1. BCBS 239, Principles for effective risk data aggregation and risk reporting, 2013

Contributors to this article

» Wiki admin