The Australian Prudential Regulation Authority (APRA) has published new guidance for regulated firms to address the developing a risk based approach to data management. Alongside six foundation principles for building a sound data risk management (DRM) framework, the guidance gives examples of data risks, how to measure data quality, pillars to build your DRM framework around and more.
The regulator underlines that the guidance does not cover every possible data risk, does not provide checklists and that firms should use the risk based approach to assess their own unique risks and build a DRM framework that addresses those risks. Any risk management framework applied under a risk based approach is underpinned by knowledge of the business. Fundamentally, if you do not understand your own business inside out, you will not understand the risks and not be able to apply an effective risk management system. This could lead to regulatory censure and ultimately loss of business.
The final guidance found on the APRA’s website applies to all authorised deposit taking institutions and provides guidance on risks associated with the use of data, including data application, retention, storage and security. Although this prudential practice guide is aimed at Australian authorised firms, it provides a useful tool for other deposit taking firms in terms of building a sold risk management framework which is in keeping with international standards.
Here are some of the highlights from the guidance:
Six high level principles for building a sound DRM system
Access to data is only granted where required to conduct business processes;
Data validation, correction and cleansing occur as close to the point of capture as possible;
Automation (where viable) is used as an alternative to manual processes;
Timely detection and reporting of data issues to minimise the time in which an issue can impact on the entity;
Assessment of data quality to ensure it is acceptable for the intended purpose; and
Design of the control environment is based on the assumption that staff do not know what the data risk management policies and procedures are.
Four common data risks
Fraud due to theft of data;
Business disruption due to data corruption or unavailability;
Execution delivery failure due to inaccurate data;
Breach of legal or compliance obligations resulting from disclosure of sensitive data.
Ten dimensions for measuring data quality
Accuracy: the degree to which data is error free and aligns with what it represents;
Completeness: the extent to which data is not missing and is of sufficient breadth and depth for the intended purpose;
Consistency: the degree to which related data is in alignment with respect to dimensions such as definition, value, range, type and format, as applicable;
Timeliness: the degree to which data is upto-date;
Availability: accessibility and usability of data when required; and
Fitness for use: the degree to which data is relevant, appropriate for the intended purpose and meets business specifications
Confidentiality: restriction of data access to authorised users, software and hardware;
Accountability: the ability to attribute the responsibility for an action;
Authenticity: the condition of being genuine; and
Non-repudiation: the concept that an event cannot later be denied.
Seven pillars to build your DRM framework around:
Includes a hierarchy of policies, standards, guidelines, procedures and other documentation supporting business processes;
Aligns with other enterprise frameworks such as operational risk, security, project management, system development, business continuity management, outsourcing/offshoring management and risk management;
Includes the expectations of the Board and senior management;
Assigns a designated owner or owners;
Outlines the roles and responsibilities of staff to ensure effective data risk management outcomes;
Enables the design and implementation of data controls. The strength of controls would normally be commensurate with the criticality and sensitivity of the data involved; and
Is reviewed on a regular basis, with periodic assessment for completeness against current practices and industry standards
Four keys to creating and maintaining effective data architecture
It is important for the regulated entity to:
Understand the nature and characteristics of the data used for business purposes;
Be able to assess the quality of the data;
Understand the flow of data and processing undertaken (i.e. data lineage); and
Understand the data risks and associated controls.