The 2015 BIS progress report around BCBS 239 throws up some significant compliance gaps. There is much within the report to discuss. One of the primary goals of these principles was to address was a bank’s ability to access the right data at the right time and get it to the right people. The 2008 crisis made it clear that this wasn’t either doable or easy in a lot of cases back. How far have the banks progressed? And what are the similarities and discrepancies that we also find with our own independently commissioned report of 29 major financial institutions across the globe.
Headline challenges highlighted by the BIS include bank ongoing dependence on manual processes. Still, seven years on, and a common challenge remains the reliance on manual workarounds. There remains an insistence too that this will not create any material negative impact or that these manual processes are adequate stop gaps. So when will this be fully addressed? Other areas highlighted were the need to develop common data dictionaries and data taxonomies and the inability to create accurate and timely risk data reports during stressed or crisis situations.
Execution risk has also increased since the last progress report. The issue here is that large scale IT projects are typically interdependent and they rely upon many smaller IT projects. While we know that GSIBS and DSIBS have largely created the frameworks needed for compliance, the implementation phase across geographies, business units and on a cross-functional basis is proving a clear challenge. One approach that is being discussed is to identify accelerator solutions that are vendor agnostic and that can pull together disparate projects and systems.
Also adding to execution risk is the lack of subject matter experts. Finding suitable experts to do the gap analysis, create the framework, identify the RDA universe, has not proven to be that easy. Further, as we get closer to the January 2016 deadline and implementation becomes an issue we find that banks are scaling back on how they define that all important risk data universe. What that means is that what falls into that universe is becoming a narrower definition of risk data.
The BIS report also highlighted the need for improvements to board level reporting. Some banks continue to report that the current limitations of risk reporting have yet to be communicated to their board. Board level understanding and appreciation of RDA was highlighted in the last progress report as an area that needed to improve. Banks are now saying that board understanding of RDA is strong and that they understand the importance of it to the business. There still exists clear gaps in their understanding of what data they do have, what they don’t have and what limitations that places on any strategic decisions that might need to be made – especially during times of stress or crisis.
Overall the BIS report points to banks continuing to encounter difficulties in establishing strong data aggregation governance, architecture and processes. Each of these areas need strong execution capabilities and it is these areas that are own research concentrated on. Next time we will look more closely at execution of BCBS 239 in the banks in our survey.