
APRA CPG 235 - Data Risk Management Overview

Never before has the focus on data been so imperative in banking as it is in today’s knowledge-based global economy. Data is the tool every bank relies upon to gain an advantage over its competitors. Winners and losers can be distinguished merely by how they use the data assets at their disposal.


An asset this powerful never comes without its own risks. Managing data risk has therefore been the centerpiece of data governance.


CPG 235




So what is data risk and how does APRA define it?


A first read of APRA’s data risk definition recalls the globally accepted definition of Operational Risk, originally coined by the BCBS (Basel Committee on Banking Supervision).



APRA ON DATA RISK


“Data risk encompasses the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events impacting on data”


BCBS ON OPERATIONAL RISK


“Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.”



Such close alignment of the two definitions is not a coincidence but a conscious effort by APRA to explain that data risk sits within the perimeter of Operational Risk.


As depicted in the diagram below by APRA, data risk, in tandem with Information & IT security risk, must be managed by banks as part of their Operational Risk framework. With data theft at the forefront of worries amongst organizations, focusing on data security risk as part of data risk helps cover all the bases of managing it.


CPG 235 APRA BCBS 239 Data Risk Management