Most banks fail BCBS 239 because they can’t explain the data. Risk data is scattered across silos, reporting is slow, and no one knows who owns what. That’s exactly what BCBS 239 was meant to fix. But more than a decade later, many institutions still struggle to put its principles into practice. The missing link? A data catalog that actually gets used. In this article, we explore how modern data catalogs support real-world BCBS 239 compliance, what capabilities you need, and which tools help you get there faster, more affordably, and with company-wide adoption.
The global financial crisis of 2007–2009 exposed a critical vulnerability in the banking sector: the inability of many institutions to quickly and accurately aggregate their risk exposures. This lack of transparency and control over risk data significantly contributed to the crisis and its wide-reaching impact on global financial systems. In response, regulators began placing greater emphasis on how banks manage, aggregate, and report their risk data.
To address these shortcomings, the Basel Committee on Banking Supervision (BCBS) released a key regulatory framework in January 2013, BCBS 239: Principles for Effective Risk Data Aggregation and Risk Reporting. This guidance laid out 14 principles designed to enhance banks’ ability to manage risk through improved data practices. Eleven of these principles apply to banks directly, while the remaining three target regulatory bodies, with a focus on supervision and oversight.
BCBS 239 is not a prescriptive checklist, but a principle-based regulation grouped into four main categories:
Together, these principles aim to establish a stronger foundation for risk management by improving the accuracy, completeness, and timeliness of the data used by banks’ leadership teams. Ultimately, the goal is to ensure banks can identify, monitor, and respond to risks proactively, before they threaten.
The BCBS 239 principles are formally titled “Principles for Effective Risk Data Aggregation and Risk Reporting”. These 14 principles are grouped into four categories and provide a framework for building a resilient, compliant risk data environment.
1. Governance
Banks must establish a robust data governance framework with defined roles and accountability for risk data aggregation and reporting.
2. Data architecture and IT infrastructure
A scalable, integrated IT environment is required to support accurate and timely risk data aggregation, even under stress conditions.
3. Accuracy and integrity
Risk data must be precise and consistent. Controls should ensure integrity across all systems and reports.
4. Completeness
Banks must aggregate all material risk data across business lines and legal entities to achieve a comprehensive view.
5. Timeliness
Data must be aggregated and reported fast enough to support effective decision-making, especially during market volatility.
6. Adaptability
Risk aggregation systems must be flexible and responsive to new risks, regulatory requirements, and internal demands.
7. Accuracy
Risk reports must reflect the underlying data accurately and support confident, real-time decision-making.
8. Comprehensiveness
Reports should cover all material risks, ensuring that nothing critical is overlooked.
9. Clarity and usefulness
Reports must be clear, relevant, and structured to meet the needs of senior management, the board, and regulators.
10. Frequency
Banks must produce risk reports at appropriate intervals, with the ability to increase frequency during times of stress.
11. Distribution
Reports must be distributed to the right stakeholders securely and efficiently, balancing data accessibility and confidentiality.
12. Review
Regulators should regularly assess banks’ compliance with BCBS 239 principles and evaluate progress toward maturity.
13. Remedial actions and supervisory measures
Supervisors must have the authority to take action when banks fall short of compliance expectations.
14. Home and host cooperation
For internationally active banks, supervisory bodies must collaborate to ensure coordinated and consistent oversight.
Nothing is just black and white. Achieving compliance with BCBS 239 is also about strategic investment in better risk data aggregation and financial risk reporting. By implementing the principles of BCBS 239, banks can ensure their risk data is accurate, timely, and complete. This empowers senior management with the insights needed to make informed decisions, especially in high-pressure situations.
Strong data governance in banking also improves operational efficiency, reduces reporting errors, and supports faster regulatory response. In the long term, BCBS 239 compliance enables financial institutions to build resilience, gain the trust of regulators, and stay ahead in an increasingly data-driven environment.
Complying with the 14 principles of BCBS 239 requires a coordinated effort across people, processes, and technology. A key first step is establishing strong data governance frameworks with clearly defined roles, responsibilities, and ownership for critical risk data. Financial institutions must also invest in scalable IT infrastructure that supports automated risk data aggregation, consistent data definitions, and real-time access to high-quality information.
Tools like data catalogs and metadata management platforms play a central role by providing visibility into data lineage, improving data quality controls, and ensuring that risk data is accurate, complete, and traceable. Collaboration between risk, finance, IT, and compliance teams is essential to ensure that governance is embedded in daily operations, not just documented in policy. Finally, regular internal audits and continuous improvement practices help maintain alignment with BCBS 239 over time and adapt to evolving regulatory expectations.
To meet the expectations of BCBS 239 compliance, banks must establish a robust data governance framework that supports transparency, accuracy, and control over risk data. This involves several essential capabilities:
Together, these capabilities create a foundation for effective risk data management and help financial institutions move from fragmented systems to a unified, compliant data landscape.
One of the core reasons banks struggle with BCBS 239 compliance is the lack of a shared understanding of data. As illustrated in the diagram above, financial institutions operate across multiple platforms, with changing architectures, workarounds, and hundreds of stakeholders, all while facing evolving regulations and region-specific tax rules. Add to that poor cross-team communication, and it's clear why aligning on consistent definitions, ownership, and reporting is so difficult. This complexity makes it nearly impossible to achieve “common assent”, a unified view of risk data, without the help of a centralized, business-friendly data catalog that bridges the gap between systems and people.
Banks operate across regions with conflicting regulatory demands, where different authorities define and require risk data in incompatible ways. Add regional tax complexity, where reporting obligations vary by country and tax authority, and even simple metrics become difficult to standardize. Combined with siloed platforms, gaps in communication, and workarounds built on legacy systems, it’s no surprise that aligning on a single version of truth is still out of reach for many institutions.
Implementing BCBS 239 data governance isn’t just a technical project; it’s a cultural shift. One of the biggest obstacles is resistance to change, not because employees don’t see the value, but because change demands effort, new habits, and shared accountability. Even when data quality issues or reporting gaps are obvious, it’s easy to default to business-as-usual thinking. But effective risk data aggregation and compliance require more than policies and tools; they demand a company-wide mindset that values transparency, accuracy, and responsibility. That’s why choosing a business-friendly solution is essential. A platform that’s intuitive and accessible helps engage not just IT, but also risk, finance, and business teams, because real data governance only works when everyone is on board. This matters even more now, with the AI revolution.
If you're looking for a data catalog to support your BCBS 239 compliance journey, not all platforms are created equal. Here’s how five leading tools compare, starting with the one designed specifically to be usable, adoptable, and effective across your entire business.
Dawiso stands out for one simple reason: it’s built to be used, not just deployed. Unlike many enterprise governance tools, Dawiso combines powerful metadata scanning, lineage mapping, and cataloging features with an interface that even non-technical users can navigate confidently.
If your goal is to democratize governance and get your whole organization involved, Dawiso is built for that reality.
Atlan positions itself as a modern data catalog with strong collaboration features and an active metadata layer. However, its strengths lie primarily in technical lineage and integration with modern data stacks like Snowflake, dbt, and Databricks. As a result, it’s best suited for data engineers and developers working in decentralized, code-driven environments. For governance-led initiatives like BCBS 239 compliance, which require clear ownership, business-friendly interfaces, and accessible data definitions, Atlan’s developer-first approach can become a limitation.
Collibra is a heavyweight in the governance space, used by many large financial institutions. It’s feature-rich, but often resource-heavy. Implementations can take months, with high configuration effort and licensing costs.
Alation is a well-established data catalog known for its strong search capabilities, metadata discovery, and user-friendly interface, especially once users are onboarded. It supports self-service analytics and governance workflows with a wide range of features. However, those features come at a price: long implementation cycles, high licensing costs, and a platform that can feel heavy for everyday users. While the UI is generally intuitive, the overall setup can be complex and resource-intensive, making it harder to scale adoption quickly across business teams.
data.world brings a knowledge graph approach to metadata, with strong data discovery features and open integrations. It’s ideal for collaboration and exploration, though it may lack some of the compliance-grade controls required for heavily regulated environments.
BCBS 239 isn’t just about checking boxes; it’s about building a culture of accountability and transparency around your risk data. That culture starts with access: when everyone can find, trust, and understand the data they use, governance becomes part of the workflow, not an afterthought.
Dawiso makes this possible. It’s the platform your teams will actually use, one that balances regulatory rigor with real-world usability. And that’s what keeps you compliant in the long run.