Risk-based approach to data lineage: Achieving sustainable BCBS 239 compliance

Since the introduction of BCBS 239 in 2013, financial institutions have faced the challenge of achieving compliance and, even more importantly, maintaining it sustainably over time. Among the regulation’s many demands, data lineage remains one of the toughest to embed into business-as-usual operations.

Over time, regulators have become increasingly prescriptive regarding lineage requirements; especially on links to a bank’s Risk Metrics, on Critical Data Elements (CDEs), and on Key Risk Indicators (KRIs). The ECB’s May 2024 guide sets the clearest expectations to date for how data lineage should be evidenced and managed.

We take a closer look at the important role data lineage plays within an organisation and how firms can approach the key challenges of achieving sustainable BCBS 239 compliance.

What is data lineage?

Fundamentally, data lineage refers to the ability to understand and document how data moves through an organisation, from its origin to its final representation in reports. It provides a clear view of how data is generated, transformed, and utilised across systems, enabling firms to trace critical data elements, validate accuracy and consistency, detect issues promptly, and strengthen confidence in reporting.

Lineage can be understood across four key stages or layers. In descending order of granularity these are:

1. Application layer: The highest level of lineage, showing how applications and data assets connect to each other. It also often outlines ownership boundaries and hand-offs.
2. Data table layer: The intermediate level, showing relationships between data tables within and across systems. It offers initial insights into system mechanisms and complexities.
3. Data element layer: The most granular view, connecting individual data elements and attributes back to their sources.
4. Transformation layer: The logic level which, once reached, fully explains how data is physically transformed and calculated throughout the process.

The objective of data lineage and why it’s so important

Data lineage is more than a compliance exercise; it is itself a control over data. It helps describe and, more importantly, understand the flow of data for all interested parties, from regulators to developers and auditors to analysts.

Under BCBS 239, lineage provides transparency over how Risk Metrics and Risk Reports are calculated and created, as well as the data and systems that underpin them. It is the mechanism by which firms can demonstrate data quality, governance, and reliability and how they build regulatory confidence.

Why is this a challenge for banks?

Most banks are contending with decades of legacy systems. Many of these cannot automatically capture metadata, meaning lineage often relies on manual intervention.

Common challenges include:

• Legacy architecture: Older technologies incompatible with modern data management tools.
• Complex infrastructure: Layers of systems built through mergers and acquisitions without full integration.
• Multi-technology landscapes: Diverse systems requiring different approaches to harvest and maintain metadata.
• Constant change and transformation: Continuous change means lineage needs regular updating.
• Cloud and modern tech adoption: Moving to cloud introduces new complexity and data volumes.
• AI adoption: AI opens new possibilities but demands well-governed, trusted data to avoid amplifying existing weaknesses.

Given these challenges, it is clear that firms cannot document lineage across the whole organisation all at once. The key is prioritisation which is why taking a risk-based approach provides the most effective and efficient path forward.

Here are the areas banks should focus on:

• Risk-based focus: Not all metrics or systems carry equal risk. Prioritise where inaccurate or incomplete lineage could have the biggest impact.
• Progressive depth: Some metrics require deeper, more detailed lineage than others. Calibrate the level of detail to the risk and complexity involved.
• Transparent assessment criteria: Establish clear, consistent criteria for prioritisation. This builds accountability and removes ambiguity in decision-making.

The benefits of a risk-based approach

A risk-driven methodology helps firms to:

• Mitigate data risk effectively and efficiently.
• Take a proportionate approach to regulatory demands.
• Provide confidence to senior management and regulators that data risk is clearly understood and managed.

Having high quality data lineage does not simply tick a regulatory box, it strengthens trust in data-driven decisions. By adopting a risk-based approach, firms can balance compliance with practicality and build a sustainable foundation for future innovation.

How 4most can help

At 4most, we help organisations adopt a pragmatic, risk-aligned approach to data governance and BCBS 239 compliance, ensuring your lineage frameworks are not only compliant but deliver real business value.

Get in touch to learn more about how we can support your organisation – info@4-most.co.uk.