BCBS 239: Don’t repeat the mistakes of Sarbanes-Oxley compliance

October 2, 2014 – By: Ed Royan, Chief Operating Officer, EMEA

The Basel Committee’s Principles for Effective Risk Data Aggregation and Risk Reporting (BCBS 239) present major challenges for financial firms around the world. But as they prepare for the introduction of the principles in 2016, they can learn valuable lessons from the painful, expensive and often wasteful experience of implementing the Sarbanes-Oxley Act (SOX) in the early 2000s.

Like BCBS 239, SOX required firms to put controls in place around their processes and make them auditable. Many institutions tackled the requirements by paying consultants to develop and document complicated business processes. What they often overlooked is that, if their software natively supported SOX compliance by providing auditability functionality, they would not have needed to spend so much time and money manually documenting their work.

Similarly, some people now appear to view BCBS 239 purely as a process documentation project and have underestimated the role software can play. Of course, due to the all-encompassing nature of the requirements, software alone will not solve all of the challenges firms face. However, analysis of the 14 BCBS 239 principles shows that software is an essential piece of the jigsaw.

For example, BCBS 239 requires market participants to ensure their aggregated data is accurate, complete and reliable. How can they be sure they are fulfilling this requirement unless they have software that provides complete data lineage information and gives them the ability to drill back from the aggregated data to the source data?

Firms will also struggle to meet BCBS 239 requirements for a strong governance framework if they do not have technology that includes permission controls and an audit trail of all changes made to the data. If they do not have a scalable technical infrastructure, they will fall short of requirements to continue aggregating and reporting risk data as usual during times of crisis. The list goes on….

Market participants may not be planning to invest in new software specifically for BCBS 239. However, if they want to avoid repeating the inefficiency of SOX compliance, they should keep in mind the important role software has to play and they should ensure all risk reporting and other solutions they acquire from now on support the BCBS 239 principles.
