The genesis of managing risk data
Data Governance | Risk | Strategy

Financial Regulations…… Why do we have them?

It is always a useful starting point to consider how regulations came to bear.

During the Global financial crisis in 2008 banks struggled to responsively gain clarity on their exposure or predict default despite banks having robust modelling in place. Regulators found it to be the quality and credibility of the data used in these models to be the root cause. Despite these learnings, 2 years later, banks were yet again faced with similar challenges during the EuroZone Greek crisis.

Regulators stepped in and created BCBS239 as a regulation to ensure data used to determine risk metrics are managed appropriately.

BCBS239 should never have been a regulation. Actively managing one of their key assets, their data, is something banks should always have been doing.

The Covid pandemic has once again shown that no-one can predict the future and what it may hold. Even though BCBS 239 should never have

been a regulation, it provides key foundational principles to ensure readiness for the next world event.


Managing Data Risk in Australia (APRA CPG 235 Guidelines)

CPG235 is a similar guideline implemented by APRA in the Australian context – even though BCBS239 is not formally required in Australia – as it is in Europe and other countries. CPG235 suggests appropriate management of all data risk within financial services organisations. It is a wider scope than BCBS where the focus is more on risk data management than managing risk associated with all data.


BCBS239 – managing risk data

CPG235 – managing data risk


Summary overview of BCBS239 and CPG235

BCBS-239 is a principle based regulation that covers various aspects of risk data which includes credit risk, operational risk, market risk and all other material risk types.

The 11 principles prescribed for the banks in the BCBS regulation are categorised into three distinct categories and can be summarised as follows:

  • Overarching governance and infrastructure
    • Governance
    •  Data Architecture andIT infrastructure
  • Risk data aggregation capabilities
    • Accuracy and integrity
    • Completeness
    • Timeliness
    • Adaptability
  • Risk reporting practices
    • Accuracy
    • Comprehensiveness
    • Clarity and usefulness
    • Frequency
    • Distribution

CPG is also a principle-based regulation taking into account the broader data risk and can be summarised as follows:

  • Overarching Data Management Framework
  • Data Risk Management
  • Staff awareness and Training
  • Data Risk Assurance & Audibility
  • Managing Data Quality – Metrics & Issues
  • Establish data Controls and Validation
  • Risk Management throughout Data Lifecycle



Becoming materially compliant to these regulations requires significant investment from organisations and
in order to build a business case the data management capabilities of the organisation must be enhanced to build long term value – over and above being compliant.

With global banks especially in South Africa and Europe having done this for many years, there are multiple benefits of joining the journey late. Australian banks are in a unique position where they can learn from the successes and mistakes that the global banks have made. Collateral and accelerators that have also been developed, and most importantly access to resources who have done this before or are still busy doing it.


It is a marathon, not a sprint



Regulations don’t have to be seen as a negative. In the case of both CPG235 and BCBS239, there are numerous benefits including:

Improved risk management through quality data

Improved identification, monitoring and management of risks at both global, consolidated and detailed levels.

Enhance capabilities of risk management quantifications that may result in the reduction in risk losses and ultimately in capital requirements.

Simplification of data processes drive responsiveness and adaptability in normal and times of stress/crisis.


Cost reduction

Drive structural cost reductions through process rationalisation.

Reduce losses through more accurate, adaptable and faster reporting and insights.

Minimising of costs associated with poor-quality data (such as reporting that requires constant remediation).


Improved decision making

Better quality of strategic decision making and planning.

Empowerment of risk and business line teams to access and leverage data assets.

Maximise return on investment from the BCBS 239 program as it increases speed of the decision-making process throughout the organisation.

The introduction of these regulations will ensure that financial services organisations in Australia uplift their data management capabilities and move towards being truly data-driven.

Connect with a NovoFinity consultant

Contact Form Demo (#1)