APRA CPG 235 - Govern your Data before getting Driven by Data
Updated: Jun 19, 2019
About half a century ago, the American statistician and author W. Edwards Deming said, “In God we trust, rest bring data”. In other words, to gain others’ trust, you should be able to support your trustworthiness with factual data. The point to ponder, however, is this: what if your data itself is questionable? Can a bank really rely on business decisions based on insights derived from questionable “data”? More importantly, can a bank feel confident about its regulatory return submissions when its confidence in the underlying data is not 100%?
Although the importance of data-driven decision making started gaining traction well before computers made inroads into organizations, hardly any such efforts led to successful value extraction from data. And rightfully so, because the data being used was unfit to deliver any value, let alone drive the decision-making process.
For data to be of value, it must be:
Free of data quality issues;
Protected with adequate controls;
Owned by real people;
And most importantly, the data must be treated like any other asset, i.e. when nurtured, it should generate cash flow for the organization.
In a nutshell, firms needed a holistic approach to governing how their data is managed, i.e. a full-fledged data governance framework implemented throughout the organization that restores their faith in the data.
The journey to the stage where banks realized the need for data governance hasn’t been an overnight one.
After World War II, the world had just started to learn and implement the modern techniques of risk management. This was an era of blurring geographical boundaries, with technology slowly yet steadily making headway into every aspect of banking and business. By the end of the 20th century, banks had fairly mature risk management practices and a good idea of where they wanted to go in managing, mitigating and reporting their risks. The Basel Committee, with the support of country regulators, had done a tremendous job of standardizing banking risk management across the globe.
However, data governance ‘as a holistic approach’ was still not on the agenda, neither for regulators nor for banks. Yes, there were efforts carried out in silos to enhance data quality, implement data controls and create lineages, but what was missing was endorsement from board-level executives. There wasn’t much buy-in from businesses, as ‘data’ was still considered the ‘baby’ of the IT department.
Data governance as a holistic approach started gaining momentum right after the 2008 financial meltdown, when regulators, investors and even the general public questioned not just the capital adequacy and liquidity rules but also the sanctity of the underlying data used by regulated entities for submitting returns. Hence the need to manage data risk was brought to the attention of regulators and policy makers.
The Basel Committee came up with BCBS 239, a principles-based guideline for banks and supervisors on implementing a data governance framework that minimizes data risk and helps banks unlock hidden data value. APRA introduced CPG 235 in 2013, a Prudential Practice Guide for ADIs on managing their data risk. The guide touches multiple aspects of data governance, covered below:
Manage Data Risk
As data remains one of the most valuable assets of regulated entities, APRA is of the view that managing data risk is imperative for these entities to continue meeting their overall business objectives while remaining compliant.
APRA recommends that data risk sit within the purview of operational risk while overlapping with information and IT security risk. Just as they manage mainstream risks such as credit and market risk, ADIs must also implement data risk management practices to ensure adequate controls are placed on data throughout its lifecycle (origination, transformation, reporting, and all the way to archiving and disposal). Successful implementation of data risk management should in turn lead to an enhanced level of data quality over time. APRA also advocates shortlisting critical data elements for a focused data risk management approach.
Implement Data Management Framework
The data management framework as prescribed by APRA must be implemented as part of the entity’s change management initiative, with the end goal of converting the data management practice into a business-as-usual process over time. The regularly revisited and revised data management framework must clearly follow a principles-based approach, including hierarchies of policies and standards pertaining to data management that tie back to the entity’s business processes.
APRA also expects ADIs to incorporate clearly defined roles and responsibilities for the data management framework, starting with assigning a data owner at the top (a CDO) as well as owners at business division/group level in a decentralized or federated business model.
Generate Staff Awareness & Support
Apart from data ownership roles, APRA prescribes the creation of a gamut of roles (and responsibilities) that play a part in data-specific endeavors within the framework, such as data custodians, owners and stewards. Regulated entities are also expected to run awareness campaigns among their non-data professionals to win their support in working towards improving data quality levels, implementing proper data controls, managing data issues, and overall adherence to the policies and standards covered in the framework.
Manage Risk throughout Data Lifecycle
Data risk arises at the data origination or capture stage and remains in existence throughout the data’s lifecycle. Therefore, APRA recommends identifying and mitigating such risks at every stage of the data lifecycle with the help of data lineage diagrams, which not only help identify the multiple manual touch points but also make implementing controls at each stage easier. The data lineage diagrams can further be used to improve data quality by gathering information on data issues arising at each stage and implementing issue management practices accordingly.
Implement Controls & Validations
APRA expects entities to implement policies and practices that bring transparency to their data, i.e. creating a metadata repository that contains business glossaries, data transformation logic in the form of pseudocode, points of origin, manual touch points, etc.
While bringing transparency to data-related processes is important, data privacy classification, along with ensuring data security and integrity, must also be high on the agenda, to ensure appropriate controls on view/edit rights, information access on a ‘need-to-know’ basis, and restrictions on access to sensitive data.
APRA also acknowledges the flow of data to entities outside the regulated ones as part of offshoring/outsourcing activities; however, ADIs are expected never to let such activities put their data governance practices in jeopardy. Furthermore, the data management framework should actively strive to ensure that the data remains ‘fit-for-purpose’ at all times and is subjected to periodic cleansing.
Manage Data Issues
APRA expects banks to create data quality metrics to assess the level of quality, while also having an issue identification and resolution process in place to effectively manage data quality issues. It is the unknown data issues that entities should be wary of; they should therefore endeavor to spot data quality issues, record them and work towards fixing them as an ongoing process.
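The metrics-plus-issue-register cycle described above, as an added illustration that is not code from the article or from APRA. It scores a constructed extract of loan records on three common data quality dimensions (completeness, validity, uniqueness) for a shortlist of critical data elements, records each failure as an issue tagged with the owner and lifecycle stage held in an assumed CDE register, and flags any metric below an assumed 95% threshold so the unknown issues become known and tracked. The record values, element names, owners, stages, validity rules and threshold are all assumptions made for this example.

```python
"""Added example (not from the article or APRA): data quality metrics and an
issue register for a shortlist of critical data elements (CDEs).
Records, CDE names, owners, stages, rules and threshold are all constructed."""
import re
from dataclasses import dataclass
from datetime import date

# Constructed sample extract, as it might arrive from a source system.
# Deliberate defects: blank customer_id, impossible date, negative balance,
# lower-case currency code, missing balance, duplicated loan_id.
RECORDS = [
    {"loan_id": "L001", "customer_id": "C100", "balance": 250000.0, "currency": "AUD", "orig_date": "2018-03-01"},
    {"loan_id": "L002", "customer_id": "",     "balance": 120000.0, "currency": "AUD", "orig_date": "2018-13-40"},
    {"loan_id": "L003", "customer_id": "C102", "balance": -5.0,     "currency": "aud", "orig_date": "2019-01-15"},
    {"loan_id": "L001", "customer_id": "C103", "balance": None,     "currency": "AUD", "orig_date": "2019-02-02"},
]

# Assumed CDE register: the owner accountable for each element and the
# lifecycle stage where its controls sit.
CDES = {
    "loan_id":     {"owner": "Lending Ops", "stage": "origination"},
    "customer_id": {"owner": "Lending Ops", "stage": "origination"},
    "balance":     {"owner": "Finance",     "stage": "transformation"},
    "currency":    {"owner": "Finance",     "stage": "transformation"},
    "orig_date":   {"owner": "Lending Ops", "stage": "origination"},
}


def _is_iso_date(value):
    try:
        date.fromisoformat(value)
        return True
    except (TypeError, ValueError):
        return False


# Assumed validity rule per CDE; each returns True for an acceptable value.
VALIDITY_RULES = {
    "loan_id":     lambda v: isinstance(v, str) and re.fullmatch(r"L\d{3}", v) is not None,
    "customer_id": lambda v: isinstance(v, str) and re.fullmatch(r"C\d{3}", v) is not None,
    "balance":     lambda v: isinstance(v, (int, float)) and v >= 0,
    "currency":    lambda v: v in {"AUD", "USD"},
    "orig_date":   _is_iso_date,
}


@dataclass
class Issue:
    record_key: str
    field: str
    dimension: str   # completeness, validity or uniqueness
    detail: str
    owner: str
    stage: str
    status: str = "open"


def _populated(value):
    return value is not None and value != ""


def assess(records, cdes=CDES, rules=VALIDITY_RULES, key="loan_id"):
    """Return ({field: {dimension: fraction passing}}, [Issue, ...]).
    Validity is measured over populated values only, so a missing value is
    counted once (as a completeness failure) rather than twice."""
    metrics, issues = {}, []
    total = len(records)
    key_counts = {}
    for r in records:
        key_counts[r.get(key)] = key_counts.get(r.get(key), 0) + 1
    for field, meta in cdes.items():
        populated = valid = 0
        for r in records:
            v, rk = r.get(field), str(r.get(key))
            if not _populated(v):
                issues.append(Issue(rk, field, "completeness", "missing value", meta["owner"], meta["stage"]))
                continue
            populated += 1
            if rules[field](v):
                valid += 1
            else:
                issues.append(Issue(rk, field, "validity", f"unexpected value {v!r}", meta["owner"], meta["stage"]))
        m = {"completeness": populated / total if total else 1.0,
             "validity": valid / populated if populated else 1.0}
        if field == key:  # uniqueness only makes sense for the record key
            m["uniqueness"] = sum(1 for r in records if key_counts[r.get(key)] == 1) / total if total else 1.0
            for r in records:
                if key_counts[r.get(key)] > 1:
                    issues.append(Issue(str(r.get(key)), field, "uniqueness",
                                        f"{key_counts[r.get(key)]} records share this key", meta["owner"], meta["stage"]))
        metrics[field] = m
    return metrics, issues


def below_threshold(metrics, threshold=0.95):
    """(field, dimension) pairs whose score falls under the assumed tolerance."""
    return [(f, d) for f, dims in metrics.items() for d, score in dims.items() if score < threshold]


def open_issues_by_stage(issues):
    """Count open issues per lifecycle stage, so controls can be targeted there."""
    counts = {}
    for i in issues:
        if i.status == "open":
            counts[i.stage] = counts.get(i.stage, 0) + 1
    return counts


if __name__ == "__main__":
    metrics, issues = assess(RECORDS)
    for field, dims in metrics.items():
        print(field, {d: round(s, 3) for d, s in dims.items()})
    print("breaches:", below_threshold(metrics))
    print("open issues by stage:", open_issues_by_stage(issues))
```

Scores are fractions of records passing each check, so a threshold breach points straight at the element and dimension that needs attention, and the issue register carries the owner and stage needed to route the fix; marking an issue's status as resolved is all that is needed for the stage counts to reflect the backlog that remains.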
Data Risk Assurance
In the last leg of the CPG 235 guidelines, APRA expects a regulated entity to seek regular assurance that data quality is appropriate and data risk management is effective. This would normally be implemented through the broader assurance program and result in a systematic assessment of data risk and the control environment over time. Assurance responsibilities would typically be conducted by internal audit or another independent function.
While the concepts covered above are prudential guidelines for regulated entities on how enterprise data must be governed, APRA went one step further in recommending minimum data quality requirements for a set of key regulatory reports, "Economic & Financial Statistics" (EFS).
The EFS reporting standards apply to ADIs and RFCs, and the data collected is primarily used by the ABS and RBA for analysis, publication and policy-making purposes.
Along with recently overhauling the EFS reporting standards, APRA also classified the reports’ sections (data items) into three categories of priority: ‘standard’, ‘high’ and ‘very high’.
The data item classification was part of APRA’s quest to implement a best-in-class data quality management framework in the financial industry. To achieve this, APRA introduced RPG 702, a reporting practice guide for banks on managing the data quality of the attributes that populate high-priority data items in EFS reports. To understand more about the EFS reporting standard and RPG 702, read on:
ABOUT THE AUTHOR
Sanjeev is an avid banking risk and governance professional. He has been playing key roles in this space for well over a decade.
After starting his journey as a Basel II consultant with Oracle, Sanjeev worked on multiple Basel II / III product development and implementation projects. He proudly counts American Express, JP Morgan (APAC), HSBC and Macquarie Group among the organisations that benefited from his expertise in implementing automated Basel regulatory reporting frameworks and systems.
A certified Financial Risk Manager with deep knowledge of Basel norms, the OFSAA tool, regulatory reporting and ICAAP, Sanjeev took the plunge into the data governance space and played an important part in implementing world-class data governance frameworks at HSBC Australia and Macquarie Group.
With a keen interest in learning new tools and keeping abreast of the dynamic world of risk and governance, Sanjeev can often be spotted conducting training sessions and workshops with clients on extracting the best value from risk management with the help of technology.
A believer in making the financial world infallible through first-class risk management practices, Sanjeev draws his inspiration from being able to make a difference in helping his clients become more robust, sound and secure.