
Data Governance Series: CPG 235 Managing Data Risk

CPG 235 Managing Data Risk acts as a guide for Australian banks to adopt a holistic approach towards Data Governance. In this video we cover the 7 key aspects of APRA's Prudential Practice Guide.


They say ‘data is the new gold’ and rightly so because of the immense benefits organizations can derive out of it.

But for data to be of any value, it must be:

  • Free of data quality issues;

  • Protected with adequate controls;

  • Owned by real people;

And most importantly, data must be nurtured and governed like an asset.

Speaking of governance of data, the Australian regulatory authority APRA introduced data governance guidelines in its compactly packed circular CPG 235, released in 2013. The document acts as a guide for Australian banks to adopt a holistic approach towards Data Governance.

CPG 235 broadly comprises 7 aspects of data governance to be implemented by banks as part of their Enterprise data governance framework.

So what are these 7 aspects?

#1. Managing Data Risk

As data remains one of the most valuable assets to regulated entities, APRA opines that managing Information & IT risks is just as important as managing mainstream risks such as credit or market risk. ADIs must implement data risk management practices to ensure adequate controls are applied on data throughout its lifecycle.

#2. Implementation of Data Management Framework

Implementation must be carried out as part of the bank’s change management initiative, to eventually convert the data management practice into a business-as-usual process. APRA also expects ADIs to incorporate clearly defined roles & responsibilities surrounding the data management framework. Some of the commonly defined data roles are chief data officer, data custodians, owners & stewards.

#3. Generating Staff Awareness & Support

This is done by running firm-wide campaigns among non-data professionals to bring them on board in working towards adherence to the policies and standards covered in the data management framework.

#4. Managing Risks throughout Data Lifecycle

Risks are managed by identifying and mitigating them at each stage of the lifecycle. This can be achieved with the help of data lineage diagrams. Lineages are extremely helpful in improving data quality, implementing controls, automating manual processes and even resolving data breaks identified during reconciliation.

#5. Implementation of Controls & Validations

APRA advocates introducing transparency by creating metadata repositories that contain firm-wide business glossaries, data transformation logic in the form of pseudocode, points of origin, manual touch-points and so on.

Regulated entities must strive to ensure the security, integrity & fitness-for-purpose of data by implementing appropriate controls on view/edit rights, information access on a ‘need-to-know’ basis & restrictions on access to sensitive data. Such controls become even more important when data moves out of the regulated entity due to outsourcing or offshoring activities.

#6. Managing Data Quality

Data quality is managed with the help of a DQ issue management framework that clearly defines processes to identify, resolve & report DQ issues as BAU. The processes should be undertaken by teams designated for improving firm-wide data quality.

#7. Data Risk Assurance

In the last leg of the CPG 235 guidelines, APRA expects that a regulated entity would seek regular assurance that data quality is appropriate and data risk management is effective. This would normally be implemented through the broader assurance program and result in a systematic assessment of data risk and the control environment over time. Assurance responsibilities would typically be conducted by internal audit or another independent function.

What preceded is just a bird's-eye view of a data governance framework. In upcoming episodes of our series, Data Governance 101, we will provide a detailed account of each of these 7 aspects.

If you would like to learn more about CPG 235, please contact us.


