The European Central Bank (ECB) has published a report (PDF 136 KB )on its thematic review on effective risk data aggregation and risk reporting. The ECB states that the implementation status of the Basel Committee principles on risk data aggregation and reporting (BCBS 239) remains unsatisfactory, and that the overall level of progress is a source of concern.

Implications for banks…

The ECB expects banks to present roadmaps witch clear remediation plans to address and mitigate each of the findings in line with both supervisory expectations and the recommendations provided by the joint supervisory teams. There will be a continuing process of monitoring and follow-up on the gaps identified.


In 2016, the ECB launched a thematic review (of a sample of 25 major European banks) to assess the implementation status of the BCBS 239 principles. In doing so, the ECB followed a four-step approach:

  • banks’ descriptions of their risk data aggregation and risk reporting capabilities;
  • banks’ own evaluation of their progress towards proper implementation of the BCBS principles;
  • gap analysis conducted by those banks for each principle; and
  • action plans explaining how any gaps would be filled.

This assessment was complemented by two additional analyses:

  • a 'data lineage' exercise applied to two selected data points, to assess the ability of a bank to manage the data life cycle, from the original data source through the process and application chain, taking account of the controls applied; and
  • a 'fire drill' exercise for credit risk and liquidity risk to test the ability to aggregate and report a number of selected data points in an accurate, comprehensive and timely manner under time pressure.

For each BCBS 239 principle, the ECB describes the main findings as well as the key recommendations. Below are the main ECB observations regarding the two first BCBS 239 principles:

Regarding Principle 1 (Governance), a lack of strategic attention at senior management level was identified by the ECB, resulting in insufficient support for risk data projects:

  • a lack of clear roles and responsibilities in the area of data quality, and a lack of ownership of data quality for business, control and IT functions
  • clear data governance structures not embedded in banks’ organisational charts
  • some material legal entities not included in BCBS 239 implementation projects
  • large-scale IT projects or strategies designed to implement the BCBS principles defined incompletely
  • internal validation units assessing banks’ data aggregation capabilities and reporting practices not always independent and adequately staffed, with insufficient involvement of and distinction between the various lines of defence.

Regarding Principle 2 (Data architecture and IT infrastructure), the ECB highlighted that a silo-based IT architecture for different reporting purposes has led to a lack of integrated solutions and hampered compilation processes, increasing inefficiencies during reconciliation procedures:

  • a lack of integrated solutions in the data aggregation and report compilation processes
  • the absence of a homogeneous and integrated data taxonomy covering all material legal entities and risk types
  • manual processes not fully identified, properly documented and independently reviewed
  • many consistency checks incomplete and carried out manually
  • IT systems and business processes not always properly included in business continuity arrangements
  • some banks had limited drill-drown capabilities, with IT risk platforms unable to manage information for individual customers at transaction level.


The ECB concludes that the full implementation of the BCBS 239 principles are unlikely to be achieved in the near future because several banks’ implementation schedules for G-SIBs run until the end of 2019 and beyond. The BCBS encourages local NCAs to check whether D-SIBs institutions can implement such principles within 3 years. In both cases, we can expect the ECB to continue to promote good practices and play an active role in the implementation of such standards at EU and global level.

Connect with us