Basel III and Basel IV: Risk and Capital Framework Architecture in Sparx EA

Direct Answer

Basel III and Basel IV are often discussed as regulatory capital requirements — minimum capital ratios, leverage ratios, liquidity coverage ratios. What is less often discussed is that they are also architecture requirements. The Basel Committee on Banking Supervision’s Principle 239 (BCBS 239) — Risk Data Aggregation and Risk Reporting Principles — sets out specific architectural requirements for how banks must manage, aggregate, and report risk data. It is the most directly EA-relevant Basel regulation, and it is one that regulators consistently find banks failing to meet.

Sparx EA provides the architecture repository where BCBS 239 compliance is documented: data lineage (tracing risk data from source systems through transformations to regulatory capital reports), the canonical risk data model (single sources of truth for credit exposure, market risk positions, and operational risk events), and the model risk governance architecture (IRB model inventory, validation framework, governance workflow). EA GraphLink connects this risk architecture to Power BI and AI interfaces, enabling risk data quality and model governance to be tracked in real time rather than discovered at the next supervisory review.

Key Takeaways

BCBS 239 is the most architecturally significant Basel regulation — it requires documented data lineage, single sources of truth for risk data, and automated aggregation capability.
Sparx EA models the risk data architecture: Data Objects carry source system, transformation, and lineage tagged values connecting raw risk data to regulatory capital reports.
The IRB (Internal Ratings-Based) approach introduces model risk governance requirements — model inventory, validation workflow, and material change governance are all architecture concerns modeled in Sparx EA.
MDG stereotypes for risk models and BCBS 239 data elements enable automated model inventory reporting without manual spreadsheets.
EA GraphLink connects the risk architecture to Power BI for real-time risk data quality monitoring and model governance dashboards.

Basel III/IV: The Architectural Requirements

Capital Adequacy: Why It Is an Architecture Problem

Basel III — implemented progressively from 2010 following the Global Financial Crisis — and its finalised extension (commonly called Basel IV, or the Basel III Final Rule, to be fully implemented by 2028) establishes capital adequacy requirements for banks. The requirements mandate that banks hold sufficient capital to absorb losses across three risk categories:

Credit Risk — the risk of loss from borrower default. Banks can calculate credit risk capital requirements using the Standardised Approach (external credit ratings and supervisor-set risk weights) or the Internal Ratings-Based (IRB) Approach (internal models for probability of default, loss given default, and exposure at default). The IRB approach requires regulators to approve the bank’s internal models and the data systems supporting them.

Market Risk — the risk of loss from changes in market prices (interest rates, equity prices, foreign exchange, commodities). The Fundamental Review of the Trading Book (FRTB), a key Basel IV component, substantially revises market risk capital requirements and introduces the Internal Models Approach (IMA) for qualifying trading desks — again requiring regulator approval of internal models and data systems.

Operational Risk — the risk of loss from failed processes, people, systems, or external events. Basel IV replaces all advanced operational risk approaches with the Standardised Measurement Approach (SMA), which is formula-based but relies on accurate historical loss data aggregation.

For all three risk categories, the architecture question is the same: how is the underlying data collected, aggregated, and reported? Regulators find that banks frequently cannot demonstrate authoritative, traceable data lineage from source systems to capital calculations. This is a BCBS 239 failure.

BCBS 239: The Architecture Mandate

BCBS 239 — published by the Basel Committee in 2013 and referenced in supervisory reviews since — establishes 11 principles for risk data aggregation and risk reporting. The principles most directly relevant to EA are:

Principle 2 — Data Architecture and IT Infrastructure: Banks must design, build, and maintain data architecture and IT infrastructure that fully supports risk data aggregation capabilities. This means risk data must be traceable end-to-end, integration between source systems and risk engines must be documented, and the architecture must be capable of producing accurate risk reports rapidly (within the required timeframes for stress testing and recovery planning).

Principle 3 — Accuracy and Integrity: Risk data must be accurate and reliable. Where manual adjustments are made to risk data, these must be documented and governed. The architecture must distinguish automated from manual data flows and make manual adjustments auditable.

Principle 4 — Completeness: Banks must be able to capture and aggregate all material risk data. The architecture must demonstrate that no risk positions are excluded from aggregation — requiring complete mapping of position-taking systems to the risk data aggregation layer.

Principle 5 — Timeliness: Risk data aggregation must be completed within defined timeframes — intraday for significant firms’ most material risk exposures. The architecture must demonstrate that real-time or near-real-time data flows exist for critical risk data elements.

Principle 6 — Adaptability: Banks must be able to generate aggregated risk data for ad hoc requests during stress events. This requires a flexible, governed risk data architecture — not bespoke scripts assembled under pressure.

Principle 7 — Accuracy and Completeness of Risk Reports: Risk reports must be accurate, clear, and complete. The architecture must show that reports are produced from governed data with documented provenance.

Regulators in the UK (PRA), EU (ECB), US (Federal Reserve), and others have repeatedly found that significant banks cannot demonstrate compliance with these principles — specifically because their risk data architecture is undocumented, poorly governed, and reliant on manual processes that cannot satisfy principles 3–6.

BCBS 239 in Sparx EA

Data Lineage Documentation

The core of the BCBS 239 architecture in Sparx EA is the data lineage model: a documentation of how risk data flows from source systems through transformation stages to the regulatory capital reports and risk reporting outputs.

In Sparx EA, data lineage is modeled at the Information layer using ArchiMate Data Objects. Each Data Object represents a distinct data entity in the risk data chain:

Source Data Objects — the raw risk data as captured by position-taking or transactional systems. Examples: Loan Record (from the loan origination system), Trading Position (from the trading system), Counterparty Exposure (from the CRM or credit system), Operational Loss Event (from the loss event capture system).

Transformed Data Objects — the risk data as it exists after extraction, transformation, and loading into the risk data aggregation layer. Examples: Normalised Credit Exposure, Aggregated Market Position, Consolidated Operational Loss.

Aggregated Risk Data Objects — the canonical risk data elements produced by the aggregation layer and consumed by risk models and reporting. Examples: Credit Risk-Weighted Asset, Expected Loss, Value at Risk, Net Open Position.

Report Data Objects — the risk metrics that appear in regulatory capital reports, stress test submissions, and management risk reports. Examples: CET1 Ratio, Tier 1 Capital Ratio, Total Capital Ratio, LCR, NSFR.

Each Data Object carries BCBS 239 MDG tagged values:

Source System: The application that produces or owns this data element.
Data Owner: The business function or person accountable for this data element.
Lineage Reference: A reference to the upstream Data Object from which this element is derived.
Transformation Type: Whether the transformation is automated (ETL process, API call), semi-automated (automated with manual review gate), or manual (analyst-produced).
Aggregation Method: The business rule used to aggregate this data element (sum, weighted average, maximum, etc.).
Latency: The time lag between the source data and this derived element.
Reconciliation Control: Whether there is a documented reconciliation control validating this data element against its source.

ArchiMate Association relationships (with a «Derives» or «Transforms» label) connect Data Objects through the lineage chain — from Source to Transformed to Aggregated to Report. This lineage chain is the BCBS 239 documentation: it demonstrates that every number in the regulatory capital report can be traced to a source system, through documented transformations, with known data owners and quality controls.

Risk Data Aggregation Architecture

The risk data aggregation layer — the systems that ingest source risk data and produce aggregated risk metrics — is modeled in the ArchiMate Application layer. Application Components represent:

Position-taking systems — trading systems, loan origination systems, credit systems, treasury management systems. These are the sources of raw risk data.
Data integration layer — the ETL (Extract, Transform, Load) platform or integration middleware that moves risk data from position-taking systems to the risk data warehouse or aggregation engine (examples: Informatica PowerCenter, IBM DataStage, Denodo, cloud-native pipelines on Azure Data Factory or AWS Glue).
Risk data repository — the canonical risk data store: a risk data warehouse, a risk data lake, or a purpose-built risk aggregation platform (examples: Axiom, Wolters Kluwer OneSumX, Moody’s RiskCalc infrastructure).
Risk models — the computational models that consume aggregated risk data to produce risk metrics (IRB credit risk models, VaR market risk models, SA-CCR counterparty credit risk calculations).
Risk reporting platform — the systems that produce regulatory reports and management risk reports from aggregated risk metrics (examples: Axiom RA, Oracle Financial Services Regulatory Reporting, MSCI RiskManager, bespoke reporting infrastructure).

Application Interface relationships carry the data flow metadata: the specific Data Objects exchanged, the integration standard, the scheduled frequency, and the latency.

The combination of the Application layer (systems and their connections) and the Information layer (the Data Objects flowing through those connections) creates the complete BCBS 239 architecture documentation — systems and data in a single governed repository.

Canonical Risk Data Model

BCBS 239 Principle 4 (Completeness) requires that all material risk positions are captured. This means the risk data architecture must have a canonical definition of what constitutes each risk data element — agreed across the bank, not defined differently by each risk model or report.

In Sparx EA, the canonical risk data model is documented as a class diagram within the Information package. Entities represent canonical risk data concepts: Counterparty, Facility, Exposure, Position, Contract, Loss Event. Attributes represent the required fields. Relationships represent the semantic connections between entities (a Facility is associated with one or more Counterparties, an Exposure is calculated from one or more Positions, a Loss Event is associated with an Operational Risk Event Type).

This canonical model is the governance artefact that adjudicates disputes between risk functions, finance, and IT about what specific data elements mean and how they should be calculated. When a credit risk model team defines counterparty exposure differently from the market risk team, the canonical model in Sparx EA is the reference for resolution.

IRB Model Governance Architecture

The Model Risk Governance Challenge

Banks using the IRB approach for credit risk capital (or the IMA for market risk) must seek regulatory approval for their internal models. Regulatory approval is not a one-time event — it requires ongoing governance: models must be validated annually at minimum, material changes must be notified or re-approved, model performance must be monitored, and model limitations must be documented and disclosed.

In practice, many banks have dozens of approved IRB models (one per portfolio segment — mortgages, SME lending, large corporate, specialised lending, etc.) and a complex model validation and governance process. The model inventory — the complete list of approved models with their owners, validation status, and change history — is frequently maintained in a spreadsheet, which makes it difficult to enforce governance workflows and impossible to query automatically for regulatory reporting.

IRB Model Architecture in Sparx EA

In Sparx EA, the IRB model inventory is built as a Requirements package with model elements at the top level and their governance attributes as tagged values. Each approved IRB model is a Requirement element (using the «Risk-Model» stereotype from the MDG profile) with:

«Risk-Model» tagged values:

ModelType: Credit Risk (IRB PD / LGD / EAD) | Market Risk (VaR / ES / FRTB IMA) | Operational Risk | IRRBB | Liquidity.
ModelOwner: The business function accountable for the model (First Line of Defence).
ModelDeveloper: The team that built and maintains the model (quantitative analytics, risk technology).
ValidationStatus: Approved | Under Validation | Materially Changed (pending approval) | Deprecated.
ApprovalDate: The date of the most recent regulatory or internal approval.
NextValidationDue: The date the next scheduled validation is due.
MaterialChangeTrigger: The conditions that would trigger a material model change notification (enumeration: Parameter update threshold | Methodology change | Portfolio scope change | Performance deterioration).
PortfolioScope: The portfolio segments this model covers (e.g., Retail Mortgages, SME Unsecured).
RegulatorApproved: Boolean — whether this model has received formal regulatory approval (for IRB/IMA approaches).

Each IRB model element is linked (through trace relationships) to:

The Data Objects it consumes (its input data dependencies in the BCBS 239 lineage chain).
The Data Objects it produces (its output risk metrics).
The Application Component that hosts it (the risk calculation engine).
The regulatory requirements it satisfies (Requirements elements representing the relevant Basel articles).

Model Validation Framework Architecture

The model validation framework — the governance process for validating models — is modeled as a workflow in Sparx EA. The validation workflow stages are modeled as process elements with decision gates representing governance checkpoints:

Model change identified (trigger: scheduled revalidation, performance monitoring alert, or proposed methodology change).
Pre-validation scope assessment — determining whether the change is material (requiring regulatory notification) or non-material (internal validation only).
Independent model validation — conducted by the Second Line model validation function.
Validation findings remediation — model developer response to validation findings.
Validation sign-off — model validation committee approval.
Regulatory notification (if material change) — submission to competent authority.
Model inventory update — updating the ValidationStatus and ApprovalDate tagged values in Sparx EA.

This workflow architecture in Sparx EA is the process documentation required by BCBS 239 Principle 3 — demonstrating that model changes are governed, not ad hoc.

MDG Design: Risk Architecture Stereotype Profile

«BCBS239-DataElement» — applied to ArchiMate Data Objects in the risk data lineage. Tagged values: SourceSystem, DataOwner, LineageReference, TransformationType (enumeration: Automated | Semi-automated | Manual), AggregationMethod, Latency_hours, ReconciliationControl (boolean), DataQualityScore (0–100, updated from monitoring tools).

«Risk-Model» — applied to Requirement elements representing IRB, IMA, or other internal risk models. Tagged values: ModelType, ModelOwner, ModelDeveloper, ValidationStatus, ApprovalDate, NextValidationDue, MaterialChangeTrigger, PortfolioScope, RegulatorApproved.

«Risk-Report» — applied to ArchiMate Data Objects representing regulatory report outputs. Tagged values: RegulatoryFramework (Basel III | Basel IV | DORA | EMIR | other), SubmissionFrequency, SubmittingEntity, CompetentAuthority, LastSubmissionDate.

EA GraphLink: Risk Data Quality and Model Governance Dashboards

EA GraphLink connects the Sparx EA risk architecture to Power BI, providing the risk data quality and model governance visibility that BCBS 239 auditors look for.

Risk Data Lineage Dashboard: A visual representation of the risk data lineage chain — from source systems through transformations to regulatory reports — with Data Quality Score and Reconciliation Control flags for each element. Red flags (missing reconciliation controls, low data quality scores, manual transformation steps for critical data elements) are surfaced immediately rather than discovered during supervisory review.

Model Inventory Dashboard: A complete view of the IRB model inventory — model type, owner, validation status, approval date, and next validation due date. The dashboard highlights models with overdue validations, models with pending material change notifications, and models approaching their next scheduled validation window.

BCBS 239 Compliance Tracker: A heat map showing compliance status across the 11 BCBS 239 principles — assessed against the tagged value completeness of Data Objects (Principles 2–6) and the model governance workflow coverage (Principles 7–11).

Capital Calculation Traceability: For each regulatory capital metric (CET1 Ratio, Total Capital Ratio), the lineage chain back to source Data Objects — enabling auditors to trace any capital number to its data sources in a single query.

FAQ

Q1: What is BCBS 239 and which banks does it apply to?

BCBS 239 (officially “Principles for Effective Risk Data Aggregation and Risk Reporting,” published by the Basel Committee on Banking Supervision in January 2013) originally applied to Global Systemically Important Banks (G-SIBs), with a compliance deadline of January 2016. National regulators have since extended the principles to Domestically Systemically Important Banks (D-SIBs) and, in many jurisdictions, to a wider set of significant banks through supervisory expectations. Regulators including the ECB (under TRIM — Targeted Review of Internal Models), the PRA (UK), and the Federal Reserve have referenced BCBS 239 principles in supervisory findings against banks that cannot demonstrate adequate risk data architecture. In practice, any bank subject to SREP (Supervisory Review and Evaluation Process) under CRD V should treat BCBS 239 as applicable.

Q2: What is the difference between Basel III and Basel IV?

“Basel IV” is a market term (not used by the Basel Committee itself) referring to the finalisation of the Basel III framework published in December 2017, with implementation phased through to January 2028. The key Basel IV changes from an architecture perspective are: the introduction of the Output Floor (requiring that IRB-calculated capital requirements cannot be less than 72.5% of the Standardised Approach floor — increasing the importance of Standardised Approach data), the Fundamental Review of the Trading Book (FRTB) which substantially revises market risk capital requirements and the IMA framework, revised Credit Valuation Adjustment (CVA) capital requirements, and the replacement of all advanced operational risk approaches with the Standardised Measurement Approach. Each of these changes has implications for the risk data architecture — specifically for which data must be aggregated, at what granularity, and to what timeliness standards.

Q3: How does Sparx EA handle the complexity of a large bank’s risk data architecture?

Large banks may have hundreds of source systems, dozens of data transformation stages, and scores of regulatory reports — producing a risk data lineage model with thousands of elements. Sparx EA handles this through package hierarchy, diagram management, and MDG-governed tagged values. The lineage model is broken into packages by risk type (Credit Risk, Market Risk, Operational Risk, Liquidity) and by lineage stage (Source, Integration, Aggregation, Reporting). Diagrams within each package show specific lineage chains at the right level of detail for different audiences (technical data architects, risk owners, regulators). EA GraphLink queries aggregate across the full package structure — so the completeness dashboard shows overall BCBS 239 coverage without requiring any single diagram to show the full complexity.

Q4: What does the IRB approval process require architecturally?

Regulatory approval for IRB models — under CRR Article 143 (EU) or equivalent national regulations — requires banks to submit a comprehensive application package demonstrating: the model’s theoretical basis (methodology documentation), the data used to develop and calibrate the model (data quality evidence, which maps to BCBS 239 data lineage), back-testing results against observed defaults, internal validation results, and the governance framework under which the model is maintained. The data quality evidence and governance framework are where Sparx EA adds direct value — the BCBS 239 data lineage model and the Risk-Model tagged value set provide the structured documentation that regulatory applications require, replacing narratives assembled manually from scattered sources.

Q5: How should banks document the Output Floor impact on their risk architecture?

The Basel IV Output Floor requires that IRB-calculated risk-weighted assets cannot be less than 72.5% of the SA (Standardised Approach) floor. This creates a new data architecture requirement: banks must now maintain both an IRB calculation path and a Standardised Approach calculation path in parallel, and compare them to determine the binding constraint. In Sparx EA, this is modeled as two parallel lineage chains (IRB path and SA floor path) converging at a floor comparison Data Object, which then feeds the regulatory report. The floor calculation adds new source data requirements — specifically, for asset classes where the SA uses supervisory risk weights rather than internal estimates, the architecture must ensure the SA input data is as well-governed as the IRB data.

Q6: How does Sparx EA integrate with specialist risk technology platforms?

Specialist risk platforms — Axiom, Wolters Kluwer OneSumX, Moody’s Analytics, MSCI RiskManager, AxiomSL — are modeled as Application Components in Sparx EA with Application Interfaces documenting their data inputs and outputs. Sparx EA does not replace these systems; it governs the architecture above them — documenting what data they consume, what they produce, and how they connect to other systems in the risk data chain. When a bank upgrades or replaces a risk platform, the Sparx EA architecture model is the reference for impact assessment: which upstream systems feed data to the outgoing platform, which downstream reports consume its outputs, and what changes are required in the integration layer.

Q7: Can Sparx EA support stress testing architecture documentation?

Yes. Regulatory stress testing (ECB stress tests, Bank of England DFAST/CCAR-style exercises, ICAAP/ILAAP internal stress programmes) requires demonstrating that the bank can rapidly aggregate and report stress scenarios across the full risk data architecture. In Sparx EA, the stress testing architecture is modeled as a variant view of the risk data architecture — showing the additional data flows and calculation sequences triggered during a stress scenario, and the timeline (which must be within regulatory reporting windows). The BCBS 239 Principle 6 (Adaptability) requirement is specifically about stress scenario readiness — Sparx EA’s architecture model demonstrates this readiness in a form that can be shown to supervisors.

Q8: What engagements does Sparx Services recommend for Basel and BCBS 239 architecture?

Discover is the starting point for organisations that need to assess their current risk architecture readiness — it delivers a risk data architecture inventory, a BCBS 239 gap assessment (which data elements lack documented lineage, which transformation steps are undocumented), and an IRB model inventory. Connect is the right engagement for organisations that have completed the assessment and want to build the full BCBS 239 data lineage model and connect it to Power BI via EA GraphLink for ongoing risk data quality monitoring. Together, Discover ($25,000–$75,000) and Connect ($50,000–$185,000+) deliver the BCBS 239 architecture documentation and live monitoring capability that supervisors increasingly expect to see.

Work With Sparx Services

Risk architecture readiness is not a reporting exercise — it is a governance capability. Sparx Services’ Discover engagement assesses your current-state risk data architecture against BCBS 239 principles. Connect builds the full data lineage model and connects it to Power BI via EA GraphLink for live risk data quality and model governance monitoring.

Discover from $25,000. Connect from $50,000. Contact us to discuss your risk architecture.

Contact Sparx Services | Explore Discover | Explore Connect