APRA CPG 235 - Data Risk Management Overview
Updated: Jun 19, 2019
Never before has the focus on data been as imperative in banking as it is in today's knowledge-based global economy. Data is the tool every bank relies upon to gain an advantage over its competitors. Winners & losers can be distinguished simply by how well they make use of the data assets at their disposal.
An asset this powerful never comes without its own risks, and therefore managing data risk has become the centerpiece of governing data.
So what is data risk and how does APRA define it?
A first read of APRA's data risk definition recalls the globally accepted definition of Operational Risk, originally coined by the BCBS (Basel Committee on Banking Supervision).
APRA ON DATA RISK
“Data risk encompasses the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events impacting on data”
BCBS ON OPERATIONAL RISK
“Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.”
Such close alignment of the two definitions is not a coincidence but a conscious effort by APRA to make clear that data risk falls within the scope of Operational Risk.
As depicted in the diagram below by APRA, data risk, together with Information & IT security risk, must be managed by banks as part of their Operational Risk framework. With data theft at the forefront of organizations' worries, treating data security risk as part of data risk helps cover all the bases of managing it.
Image Source: APRA CPG 235
APRA also states that banks must manage their data risk just like other mainstream risks such as Credit or Market Risk.
Managing data risk includes, but is not limited to, protection from:
Fraud due to theft of data
Business disruption due to data corruption or unavailability
Execution delivery failure due to inaccurate data
Breach of legal or compliance obligations resulting from disclosure of sensitive data
Here are some common features of data risk management as suggested by APRA in its PPG circular 235:
Data risk management must be implemented throughout the organization instead of limiting the effort to only some of the divisions within a regulated entity. Historically, risk has been treated as a division-specific concern, just as business development is perceived as the job of the sales department alone. APRA, however, recommends breaking down the silos between departments and ensuring that data is managed throughout its lifecycle as it flows from one department to another. Data risk management must therefore be aligned with the strategy & business objectives of the entity as a whole.
Data controls must be implemented on a data set while taking into account all of its usages. For example, controls implemented on retail data must cater for all of its uses, such as data analytics for marketing, risk modelling, regulatory reporting, etc.
The implemented controls must be well aligned with the overall risk appetite of the bank and, if required, be revisited when new business processes, products or even regulatory requirements are introduced.
Shortlisting Critical Data Elements – First step towards Data Governance
APRA also acknowledges that some data are more useful and more sensitive than others. Furthermore, it may not even be possible for a regulated entity to manage all of its data. APRA therefore recommends identifying critical or sensitive data elements on the basis of their usage and their impact on the business from aspects such as legal, financial, regulatory, etc.
This is also considered the starting point of data risk management, or even of data governance as a whole. Banks can choose qualitative or quantitative methods (or a mix of both) for shortlisting critical data elements (CDEs). The process is iterative: banks keep working towards a shorter list of critical data elements that is not only easy to manage but also, when tracked, reflects the overall data health of the regulated entity.
Minimising Data Risk by Maximising Data Quality
At the core of data risk management lies the assurance requirement on the quality of the critical data identified by a bank. APRA opines that data risk management requires an assessment of data quality along various dimensions such as accuracy, completeness, consistency, timeliness, availability and fitness-for-use. Banks must have processes in place for identifying and resolving data quality issues.
Lastly, considering that data risk management plays a crucial part in an enterprise-wide data management framework, APRA encourages regulated entities to constantly benchmark the effectiveness of their data risk management against that of their industry peers and against industry standards.
For a brief overview of CPG 235, APRA's prudential guideline for Australian banks on data governance, click here.