What is BCBS 239, and why is risk-data aggregation and reporting capability a supervisory priority?
A core Risk & Compliance interview question — asked in analyst and associate interviews across IB, PE, and the Big 4.
THE SHORT ANSWER
BCBS 239 sets the Basel principles for effective risk-data aggregation and risk reporting, introduced after the 2008 crisis exposed that many banks couldn't quickly and accurately aggregate their risk exposures across the group — they didn't know their total exposure to a counterparty, sector, or risk factor when it mattered most. Its principles span governance and data architecture/IT infrastructure, the aggregation capabilities themselves (accuracy and integrity, completeness, timeliness, and adaptability — being able to produce reliable aggregated risk numbers quickly and flexibly, including in stress and ad hoc), and risk-reporting practices (accuracy, comprehensiveness, clarity, frequency, distribution). It's a supervisory priority because risk management is only as good as the data behind it: poor data lineage, fragmented systems, and manual workarounds mean decisions are made on wrong or stale numbers, stress tests are unreliable, and a firm can't respond in a crisis. Supervisors have repeatedly found persistent shortfalls (especially data architecture and governance), so it remains an active focus, increasingly intertwined with data governance, automation, and the data demands of newer areas like climate risk. The core message: trustworthy, timely, aggregable risk data is foundational infrastructure, not a back-office afterthought.
WHAT INTERVIEWERS LISTEN FOR
- ✓Basel principles for risk-data aggregation and reporting (post-2008)
- ✓Crisis showed banks couldn't aggregate exposures accurately/quickly
- ✓Covers governance, data architecture, aggregation (accuracy/completeness/timeliness/adaptability), reporting
- ✓Foundational: poor data → wrong decisions, unreliable stress tests, crisis blindness
COMMON MISTAKES
- ✗Treating it as a pure IT/reporting formatting issue
- ✗Ignoring governance and data lineage
- ✗Not linking data quality to risk-decision reliability
Reading isn't the same as answering under pressure.
Interviewers don't hand you the model answer — you deliver yours on a clock. Practice this and 1,000+ questions with AI feedback on every answer.
RELATED QUESTIONS
- How do you quantify operational risk?
- Why did Basel move from Value-at-Risk to Expected Shortfall for market risk under FRTB, and what does ES capture that VaR misses?
- What does DORA require for ICT incident reporting, and how does it change operational resilience expectations for financial entities?
- What are the key risks in outsourcing and third-party arrangements, and what do supervisory expectations (e.g., EBA guidelines) require?
- How is climate risk being incorporated into the prudential and risk-management framework?
- Explain the COSO ERM framework.