This document discusses implementing the Basel Committee on Banking Supervision's Principles for Effective Risk Data Aggregation and Risk Reporting (BCBS-239). It begins with some questions and challenges around BCBS-239 implementation related to the scope of risk data aggregation, level of automation, compliance focus, regulator engagement, implementation guidance, target state definition, and progress measurement. The document then presents six themes for interpreting the BCBS-239 principles: materiality, flexibility, reconciliation and validation, transparency, automation and adaptation, and speed and confidentiality. It outlines a framework moving from siloed, manual arrangements to a totally integrated, automated environment. Benchmarks are suggested to measure compliance levels against this target state.

1. IMPLEMENTING BCBS-239
Presented by:
MUHAMMAD ZAHID
Mobile:00966 50 153 5985,
mzahidgill@yahoo.com
**Disclaimer: Views expressed in this presentation are of the presenter only.
Copyrights reserved

2. BCBS-239 Related Questions & Challenges
1. Does risk data aggregation apply only to internal reports or also to the
regulatory reports as well?
2. Focused on automating the reports only or more on integrating them?
3. A one-off compliance exercise or an investment for the future?
4. To what extent have regulators been engaged in this exercise, enabling the
banks to comply with the BCBS-239 Requirements?
5. Does BCBS-239 provide a standard implementation roadmap & benchmarks,
enabling the banks to measure their compliance level or is it all judgmental?
6. Does BCBS-239 draw out some target state for the banks in terms of their
business model & risk profile?
7. Have the progress documents (ie BCBS-268, 308 & 348) measured and
mapped the implementation progress around some pre-defined themes?
8. How far is the ‘BCBS Committee’ confident that earnest implementation of
these principles by G-SIBs & D-SIBs will enable banks to withstand the ‘future
financial crises’?
2

3. Start:
Adoption of 11
Principles Underlying themes Current state of play
End:
Totally Integrated-
Automated
Environment
Risk
management
capabilities
Data
management
capabilities
RDA
capabilities
Risk reporting
capabilities
CapabilitiesThemesPrinciples/
Frameworks
Overarching
- Governance
- IT infrastructure
- Architecture
Risk Data Aggregation
- Accuracy & Integrity
- Completeness & Timeliness
- Adaptability
Risk Reporting
- Accuracy
- Clarity & Usefulness
- Frequency & Distribution
Speed & Confidentiality
RDA themes
Automation & Adaptation
Transparency
Reconciliation & Validation
Flexibility
Materiality
3

4. 4
Why Themes….?
• RDA Principles are very high level and generic.
• To build a strong connection between the principles
and the actual working pattern of the enterprise.
• Themes have been worked out to communicate the
essence of principles to the risk, business, data, finance
and technology functions across the organization.
• Proposed six Themes enable us to lever the
understanding of the principles down to the respective
function level.

5. 6-Speed &
Confidentiality
RDA themes
5-Automation &
Adaptation
4-Transparency
3-Reconciliation &
Validation
2-Flexibility
1-Materiality
RDA Themes & Principles Mapping…
5
4-Completenesss
8-Comprehensiveness
9-Clarity & Usefulness
7-Accuracy
1-Governance
2-Data Architecture & IT
Infrastructure
3-Accuracy & Integrity
5-Timeliness
6-Adaptability
10-Frequency
11-Distribution
RDA Principles
Defined in silos or in an integrated
environment
Empowering the management/board to make
decisions with right level of information
Controlled level of errors & ambiguities
Moving from black box analytics towards open
box & transparent analytics environment
Resilience in organization to any emerging
scenarios
Information available on Timely & Need to
know basis within near zero time lapse
Themes Explained

6. 6
(f) Speed & Confidentiality
RDA themes
(e) Automation & Adaptation
(d) Transparency
(c) Reconciliation & Validation
(b) Flexibility
(a) Materiality
6
Risk Data Aggregation Themes…

7. BCBS-239 IMPLEMENTATION FRAMEWORK
(Our Understanding -Totally Integrated-Automation of Risk Data Aggregation & Risk Reporting)
Major Themes
emerging from
BCBS-239 Principles
(a) Materiality
(b) Flexibility
(c) Reconciliation
and Validation
(d) Transparency
(e) Automation &
Adaptation
(f) Speed &
Confidentiality
Situation Driven
Arrangements
Defined in siloed
environment
External interventions
(through
vendors/consultants for
reporting changes)
Disparate Repositories
Black Box Analytics
Manual
Batch-based Reporting
Confidential information
bypassed from the reports
Interim Arrangements
(centralization)
Framework based definitions
Power-user
configurable rule
based model
On-demand
drill-down
Clarity
Single data pool (for
all operating units ie
branches, regions
and HO)
Automated
monthly/quarterly
Reporting
Automated daily
batch-based
reporting
Totally Integrated-Automated
Environment
Systems & Frameworks integrated with the
evolving business model and risk profile
End user configurable reporting/
Self service BI
Risk Aggregation (ie Economic Capital)
Model review, validation, monitoring and
mitigation based on near real inputs, enabling
current/forward looking
Risk Intelligence
Clarity and Robustness
Near-Continuous automated and on-
demand reporting
Unification of Risk & Accounting Data
Confidential information duly included in the
reports and confidentiality of reports ensured
Current
State
Target
State
7

8. Totally Integrated-Automated
Environment
• Systems & Frameworks integrated with the evolving business
model and risk profile
• End user configurable reporting
• Risk Aggregation (ie Economic Capital)
• Model reviews, validation, monitoring and risk mitigation based
on near real inputs, enabling Risk Intelligence
• Clarity and Robustness
• Near-Continuous automated and on-demand reporting
• Unification of Risk & Accounting Data
• Confidential information duly included in the reports and
confidentiality of reports ensured
Benchmarks Development
Involves intensive effort to
align Benchmarks with the
business model and the
risk profile of the bank.
These benchmarks
become the yardstick to
measure the level of
compliance.
8
TARGET STATE VISUALISATION THROUGH THE BENCHMARKS

9. 9
BENCHMARKS LINKED WITH THE TARGET STATE
•Framework/Strategy
•Policies
•Integrated Risk
Processes
•Integrated Risk Data
•Integrated Risk
Systems
Infrastructural
Maturity
Parameters
•Ongoing Processing
•Exceptions
(Regulatory, Audit,
Policy etc)
•Loss Events
Processing &
Controls
Maturity
Parameters
BCBS-239
Principles
Requirements
(87)
Interpretation/
Understanding

10. 10
•Framework/Strategy
•Policies
•Integrated Risk
Processes
•Integrated Risk Data
•Integrated Risk
Systems
Infrastructural
Maturity
Parameters
•Ongoing Processing
•Exceptions
(Regulatory, Audit,
Policy etc)
•Loss Events
Processing
& Controls
Maturity
Parameters
BENCHMARKS LINKED WITH THE TARGET STATE
*
Documentation
Coverage
Quality
*
Documentation
Coverage
Quality
Compliance
Levels
Each point
assessed
against…
Each point
assessed
against…
4-Fully
Compliant
3-Largely
Compliant
2-
Materially
Non-
Compliant
1-Non
Compliant
* Each of these parameter to be assessed against the three sub-parameters (ie Documentation, Coverage & the Quality)

11. Benchmarks Working Sheet
11
Principles
(2)
Requirements
RDA Team
Interpretation
--
Description of
Interpretation in
terms of
Risk/Compliance
Capability Maturity Parameters, Benchmarks & Validation
Infrastructural Execution Oriented
(1-5) (6-7)
Level of
Compliance
Framework/s
(Strategy)
Policy/ies Process/es Risk Data System/s
Ongoing
Processing &
Execution
Exceptions/
Risk-Loss Events
Data architectureand IT infrastructure – A
bank should design,build and maintain data
architectureand IT infrastructurewhich fully
supportsits risk data aggregation capabilities
and risk reporting practicesnot only in
normal times but also duringtimes of stress
or crisis, while still meeting the other
Principles.
33. A bank should establish integrateddata
taxonomies and architectureacross the
banking group, which includes informationon
the characteristics of the data (metadata), as
well as use of single identifiers and/or unified
naming conventions for data includinglegal
entities, counterparties, customers and
accounts.
34. Roles and responsibilities should be
established as they relate to the ownership
and quality of risk data and informationfor
both the business and IT functions. The
owners (business and IT functions), in
partnership with risk managers, should ensure
there are adequate controls throughout the
lifecycleof the data and for all aspects of the
technology infrastructure. The role of the
business owner includes ensuring data is
correctlyentered by the relevant front office
unit, kept current and aligned with the data
definitions, and also ensuring that risk data
aggregationcapabilities and risk reporting
practices are consistent with firms’ policies.
2. Data architecture and IT infrastructure 1 2 3 4 5 6 7
19 Data taxonomies 1-Integrated data taxonomies across the
banking group
a-Meta Data
b-single identifiers and/or unified naming
conventions for data including legal entities,
counterparties, customers and accounts
2-Integrated data architecture across the
banking group
a-Meta Data
b-single identifiers and/or unified naming
conventions for data including legal entities,
counterparties, customers and accounts
Documentation: 1 Documentation: 1 Documentation: 1 Documentation: 1 Documentation: 1 Documentation: 1 Documentation: 1
Benchmark: 1 Benchmark: 1 Benchmark: 1 Benchmark: 1 Benchmark: 1 Benchmark: 1 Benchmark: 1
Coverage:
1 Coverage: 1 Coverage: 1 Coverage: 1 Coverage: 1 Coverage: 1 Coverage: 1
Benchmark: 1 Benchmark: 1 Benchmark: 1 Benchmark: 1 Benchmark: 1 Benchmark: 1 Benchmark: 1
Quality: 1 Quality: 1 Quality: 1 Quality: 1 Quality: 0 Quality: 1 Quality: 1
Benchmark: 1 Benchmark: 1 Benchmark: 1 Benchmark: 1 Benchmark: 0 Benchmark: 1 Benchmark: 1

12. Corporate
Banking
HR
Risk
Management
Operations
12
Integration
Automation
Aggregation
Risk
Management
Framework &
Risk Strategies
Risk
Management
Policies (#)
Risk
Management
Process (#)
--Data Items (Data
Dictionary) promptly
mapped to the Glossary
of Business Concepts
--Data Maturity Models
--Utilization
Integrated
Platform of Risk
Systems
Processing of risk
management constantly
reviewed & Enhanced on
ongoing basis
Risk of Losses and
Exceptions
constantly monitored
& managed
Market
Risk
Ops
Risk
Other
Risks
Credit
Risk
CRO
Dashboard
Integrated Data/Information
Policies
Integrated Systems
Integrated Processes
Ongoing Processing
Exceptions & Losses
Frameworks/Strategies
Integrated
Totally Integrated–Automation…
1-Business/
Risk Areas
3-Parameters/
Modules
2-Themes

13. Totally Integrated-Automated Environment
13
1 2 3 4
1234
Integration
Automation
HI-HA
HI-LA
LI-HA
LI-LA
2013
2.55
2015
2.65 Approx.
2016 & beyond
?
Overall G-SIBS
Progress of Results
2
0
1
5
2014
2.58
LA-Low Automation
HA-High Automation
LI-Low Integration
HI-High Integration
Full
Integration
Full
Automation

14. BCBS-239 IMPLEMENTATION FRAMEWORK
(Our Understanding -Totally Integrated-Automation of Risk Data Aggregation & Risk Reporting)
RDARR Capabilities
Capabilities
Risk Management
Capabilities
Able to …..
-Identify & Assess Risk
-Quantify & Manage Risk
- Control & Monitor Risk
- Report the Risk
Infrastructure & Data
Management Capabilities
Able to ….
- Identify & Describe Data
- Stage & Store Data
- Provide & Share Data
- Integrate & Move Data
- Govern & Manage Data
Risk Data Aggregation
Capabilities
Able to….
-Have global consolidated
- view of data
- view of exposure
- view of risk
- Adapt to the emerging
scenarios
Risk Reporting
Capabilities
Able to provide:
- dynamic & multi-dimensional
view of risk analytics
- scenario based and action
oriented analytics
- entity plus group wide view of
risk analysis
- top down and bottom up risk
steering
START
Situation Driven
Arrangements
Interim
Arrangements
Totally
Integrated-
Automated
Environment
14

15. BCBS-239 IMPLEMENTATION FRAMEWORK
(Our Understanding -Totally Integrated-Automation of Risk Data Aggregation & Risk Reporting)
START
Situation Driven
Arrangements
Interim
Arrangements
Totally
Integrated-
Automated
Environment
Principles/ Frameworks
Risk Management
Capabilities
Infrastructure & Data
Management
Capabilities
Risk Data Aggregation
Capabilities
Risk Reporting
Capabilities
P
r
i
n
c
i
p
l
e
s
/
F
r
a
m
e
w
o
r
k
s
Risk Governance Data Governance Aggregation Governance Reporting Governance
P
r
i
n
c
i
p
l
e
s
/
F
r
a
m
e
w
o
r
k
s
Risk - IT Infrastructure
Data - IT Infrastructure
Aggregation - IT
Infrastructure Reporting - IT Infrastructure
Risk Architecture Data Architecture RDA Architecture Reporting Architecture
Basel Principles of Sound Risk
Management& Corporate
Governance
DAMA
Data Management
Maturity (DMM) Model
Data Management
Capability Assessment
(DCAM) Model
….
Accuracy & Integrity Accuracy
Completeness Comprehensiveness
Timeliness Clarity & Usefulness
Adaptability Frequency
Distribution

16. EMBEDDING INTO BIGGER REPORTING FRAMEWORK
16
Basic Cubes
‘Input Layer’
Data Dictionary
Smart Cubes
‘Output Layer’
Aggregated
Bank, Regulatory,
National Needs
Templates
Aggregation
Loans Securities
Integrated Data Dictionary
https://www.bis.org/ifc/events/ifc_isi.../010_turner_presentation.pdf

17. 17
Consumers Devil lies in Data
CHANGE NEEDS TO BE REAL….

18. 18
1. Internal reports need to be covered comprehensively encompassing the
regulatory content as well.
2. Focused on integrating & automating the reports.
3. An investment for the future.
4. Regulators need to be intensively engaged in this exercise.
5. BCBS-239 being a principle-based requirement does not provide a standard
implementation roadmap & benchmarks and thus leave it to the banks.
6. BCBS-239 does not draw out target state for the banks and leaves it to them in
terms of their business model & risk profile?
7. Progress documents (ie BCBS-268, 308 & 348) does not reflect the themes to
be followed.
8. Low score on the part of banks is a cause of concern to withstand the ‘future
financial crises’
BCBS-239 Related Questions & Challenges
- Our answer..

19. 19