A_marathon_ not_a_sprint_Capturing_value_from_BCBS_239_and_beyond_1536x1536_Original_Original

A marathon, not a sprint: Capturing value from BCBS 239 and beyond

By Holger Harreis, Matthias Lange, Jorge Machado, Kayvaun Rowshankish, and David Schraa

Meeting more stringent regulations requires banks globally to spend billions of dollars. Yet with the right long-term strategy, they could realize even bigger annual savings.

Stringent banking regulation has become even more the norm for the financial-services sector across the globe. Global systemically important banks (G-SIBs) and domestic systemically important banks (D-SIBs) have been given extra layers of requirements.

In January 2013, the Basel Committee on Banking Supervision issued 11 principles for effective risk data aggregation and risk reporting (BCBS 239) and outlined the paths to compliance for G-SIBs and D-SIBs.1 The BCBS 239 requirements are intended to address what supervisors see as a major weakness that banks carried into the crisis: inability to understand quickly and accurately (and tell their supervisors about) their overall exposures and other key risk metrics influencing the key risk decisions of the bank. The regulation was, however, designed at a high level, using a principles-based approach that allowed banks to interpret and build tailored remediation approaches. While this can be perceived as a burden, it can also be seen as a great benefit. Banks have the opportunity to interpret this regulation using a strategic lens that allows them to balance the right decisions to gain a competitive advantage, which would be lost if the work were driven from a “checking-the-box” technical perspective.

Aligning with the 11 principles is a lengthy and complex process. It requires interweaving risk data aggregation capabilities with supervisory risk-reporting practices (running on a sound technical infrastructure). It also needs support from the right level of governance to ensure that information flows in the right ways, along with sustained commitment by the organization.

Beyond BCBS 239, a further host of critically important regulatory items will have implications for risk and finance data and technology in banks:

  • In the United States, comprehensive capital analysis and review (CCAR) and comprehensive liquidity analysis and review (CLAR)
  • In the European Union, comprehensive assessment, asset quality review (AQR), stress testing, analytical credit, and supervisory review and evaluation process (SREP)
  • Globally, evolving requirements for the Financial Stability Board (FSB) data templates, revised and expanded Pillar 3 disclosures, and intersecting with the recommendations of the private-sector but FSB-inspired Enhanced Disclosure Task Force2

In addition, significant accounting changes such as IFRS 9 and the parallel US Current Expected Credit Loss (CECL) proposal for loan-loss provisioning will make additional demands. These changes will further strain bank management, requiring additional large investments and additional enhancements to the data infrastructure.

We foresee two large consequences if data and IT platforms for these programs are not properly addressed. First, there is massive regulatory risk and a reputational risk if a bank fails to comply. Aside from possible specific supervisory measures against banks that don’t get it right, deficiencies reported in early assessments of BCBS 239 often figure in “break-up-the-banks” arguments. Second, the bank might incur excessive but not fully productive investment and put strains on management capacity. Risk and finance data and technology should become—and already have become in many institutions—key strategic board-level topics. Most institutions agree with the view that BCBS 239 compliance is not the end, but rather the beginning of a continuous journey of enhancing Risk and Finance data aggregation and reporting. Many regard this process as a long-term cultural transformation that will change how banks look at and work with their data and technology to generate risk and opportunity insights.

This perspective is reflected in the numbers. Based on our joint IIF / McKinsey industry survey, we estimate that the overall banking industry is spending a total incremental investment between USD 12 billion and USD 15 billion on Risk and Finance Data and Technology transformation (Average G-SIB: USD 230 million, average D-SIB: USD 75 million). Much of this investment is already underway (mainly in G-SIBs, with the bulk starting around 2013) and will continue for the next 3–5 years (mostly by recently designated D-SIBs). These are certainly very significant figures, warranting utmost care and strategic foresight to steer investments in a value-based way. Indeed, some banks are looking beyond the direct regulatory demands and complexity, considering how to leverage their investments and drive strategic opportunities, rather than just improving reporting capabilities. In short, they are focusing on uncovering what could drive the most value for the investment.

The good news is that in survey respondents’ views, as well as ours, there is indeed a great deal of value to unearth. Based on projects and case studies, McKinsey estimates that with strategically targeted and run Risk and Finance Data and Technology programs, the industry as a whole could add between USD 19 billion and USD 24 billion3 of annual benefits to the other side of the equation, including revenue improvement, capital enhancement and Operations and IT expense reduction. We will discuss these estimates in greater detail later in the paper, but it is important to note that these projections depend significantly on starting position and on the scope and aggressiveness of the data transformation. Reaping the full benefits as project would depend for most banks on significant investment in business-enabling analytics (with a typical budget of USD 100–150 million).

Irrespective of the specific figures, the general message is compatible with the view of most industry participants (expressed both in the survey and in recent live polls at McKinsey roundtables) that BCBS 239 acts as a catalyst for meaningful investments that would have been the right thing to do anyway. Despite the promise of this undertaking, however, it is important to remember how difficult and complex it is likely to be: very high investments, many complex interdependencies, overlaying timelines and scopes, multi-jurisdiction, and (despite the global standard set in BCBS 239) possibly unaligned regulations and supervisors’ requirements.

To support the industry through this complex journey, McKinsey & Company has partnered with the Institute of International Finance (IIF) to conduct initial research and annual benchmarks, working-group discussions, and roundtables with banks and regulators. The goal has been to understand the approaches that G-SIBs and D-SIBs are taking to embrace the BCBS 239 principles and to go beyond them, to give banks a sense of what their peers are doing, and to distill the key strategic issues that need remediation for banks to be on track for compliance and seizing strategic value beyond that. This report sheds light on industry preparedness and the remaining challenges. More importantly it looks at solutions for achieving compliance and possibilities for gaining new competitive advantages.

Download the full report from which this article was excerpted, A marathon, not a sprint: Capturing value from BCBS 239 and beyond (PDF–1,903KB).

About the author(s)

Holger Harreis is a principal in McKinsey’s Düsseldorf office; Matthias Lange is an associate principal in the Berlin office; Jorge Machado is an associate principal in the New York office, where Kayvaun Rowshankish is a principal; and David Schraa is director of regulatory affairs, Institute of International Finance.

More on Risk
Article - McKinsey Quarterly

Why effective leaders must manage up, down, and sideways

Article - McKinsey Quarterly

What makes a CEO ‘exceptional’?