CPG 235 – Managing Data Risk

Prudential Practice Guide

CPG 235 – Managing Data Risk

September 2013

Australian Prudential Regulation Authority

Disclaimer and copyright

This prudential practice guide is not legal advice and users are encouraged to obtain professional advice about the application of any legislation or prudential standard relevant to their particular circumstances and to exercise their own skill and care in relation to any material contained in this guide.

APRA disclaims any liability for any loss or damage arising out of any use of this prudential practice guide.

© Australian Prudential Regulation Authority (APRA)

This work is licensed under the Creative Commons Attribution 3.0 Australia Licence (CC BY 3.0).

This licence allows you to copy, distribute and adapt this work, provided you attribute the work and do not suggest that APRA endorses you or your work. To view a full copy of the terms of this licence, visit licenses/by/3.0/au/.

Australian Prudential Regulation Authority

2

About this guide

Prudential practice guides (PPGs) provide guidance on APRA's view of sound practice in particular areas. PPGs frequently discuss legal requirements from legislation, regulations or APRA's prudential standards, but do not themselves create enforceable requirements.

This PPG aims to assist regulated entities in managing data risk. It is designed to provide guidance to senior management, risk management and technical specialists (both management and operational). The PPG targets areas where APRA continues to identify weaknesses as part of its ongoing supervisory activities. The PPG does not seek to provide an all-encompassing framework, or to replace or endorse existing industry standards and guidelines.

Subject to meeting APRA's prudential requirements, a regulated entity has the flexibility to manage data risk in a manner that is best suited to achieving its business objectives. Not all of the practices outlined in this PPG will be relevant for every regulated entity and some aspects may vary depending upon the size, complexity and risk profile of the entity.


Contents

Introduction 6

Data and data risk 7
  Definition 7
  Data risk management 7
  Data quality 8
  Classification by criticality and sensitivity 8
  Industry baselines 8

A systematic and formalised approach 8
  Overarching framework 8
  Principles-based approach 9
  Roles and responsibilities 9
  Ongoing compliance 10
  Ongoing assessment of effectiveness 10
  Data architecture 10

Staff awareness 11
  Training and awareness programs 11
  Staff education areas 11

Data life-cycle management 11
  Data risk considered at all stages 11
  Capture 11
  Processing 11
  Retention 12
  Publication 12
  Disposal 12

Other control considerations 13
  Auditability 13
  Desensitisation 13
  End-user computing 13
  Outsourcing/offshoring of data management responsibilities 13

Data validation 14
  Assessment of fitness for use 14
  Data cleansing 15

Monitoring and management of data issues 15
  Monitoring processes 15
  Data issue management 15
  Data quality metrics 16

Data risk management assurance 16
  Assurance program 16
  Frequency of assurance 16


Introduction

1. The management of data and associated risks is important for a broad range of business objectives including meeting financial and other obligations to stakeholders, effective management and proper governance. This prudential practice guide (PPG) provides guidance on data risk management where weaknesses continue to be identified as part of APRA's ongoing supervision activities.

2. While this PPG provides guidance for managing data and complying with APRA's prudential requirements, it does not seek to be an all-encompassing framework. APRA expects that a regulated entity using a risk-based approach will implement controls around data, including in areas not addressed in this PPG, appropriate for the size, nature and complexity of its operations.

3. Data is essential for a regulated entity to achieve its business objectives. Furthermore, reliance on data has increased as a result of process automation and greater reliance on analytics and business intelligence to support decision-making. Consequently, stakeholders including the Board of directors (Board), senior management, shareholders, customers and regulators have heightened expectations regarding the effective management of data. This trend has enhanced the importance of treating data as an asset[1] in its own right.

4. This PPG aims to provide guidance to senior management, risk management, business and technical specialists. The multiple audiences reflect the pervasive nature of data, and the need for sound risk management disciplines and a solid business understanding to effectively manage a regulated entity's data risk profile. Additionally, effective data risk management can facilitate business initiatives and assist compliance with other regulatory and legal requirements.

5. As with any process, governance is vital to ensure that data risk management and related business processes are properly designed and operating effectively to meet the needs of the regulated entity. In APRA's view, effective governance of data risk management would be aligned to the broader corporate governance frameworks and involve the clear articulation of Board and senior management responsibilities and expectations, formally delegated powers of authority and regular oversight.

6. Subject to the requirements of APRA's prudential standards, an APRA-regulated entity has the flexibility to manage data risk in the way most suited to achieving its business objectives.

7. A regulated entity would typically use discretion in adopting whichever industry standards and guidelines it sees fit-for-purpose in specific control areas. This PPG does not seek to replace or endorse any existing industry standards or guidelines.

8. The relevance of the content of this PPG will differ for each regulated entity, depending upon factors such as the nature, size, complexity, risk profile and risk appetite of the entity. The nature and specific usage of the data (current or potential) will also have an impact on the application of this PPG. APRA envisages that an entity's approach to managing data risk would also take into consideration the resources the entity has at its disposal, including whether the business is supported by an in-house technology function or an external service provider. Such factors will assist an entity in determining the relevance and extent to which it adopts the practices in this PPG.

9. This PPG also provides examples to illustrate a range of controls that could be deployed to address a stated principle. These examples are not intended to be exhaustive compliance checklists.

[1] 'Asset' is used here to represent anything deemed to be of value (either financial or otherwise) by an entity.

Data and data risk

Definition

10. Data[2] refers to the representation of facts, figures and ideas. It is often viewed as the lowest level of abstraction from which information and knowledge are derived.

11. Data risk encompasses the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events impacting on data. Consideration of data risk is relevant regardless of whether the data is in hard copy or soft copy form. Examples include:

(a) fraud due to theft of data;

(b) business disruption due to data corruption or unavailability;

(c) execution delivery failure due to inaccurate data; and

(d) breach of legal or compliance obligations resulting from disclosure of sensitive data.

12. For the purposes of this PPG, data risk is considered to be a subset of operational risk, which includes information and information technology risk. In addition, information and information technology security risk overlaps with data risk (refer to the diagram below).[3]

[Diagram: operational risk (including information and information technology) contains data risk, which overlaps with information and information technology (IT) security risk.]

Data risk can adversely affect a regulated entity and could result in a failure to meet business objectives (including regulatory and legal requirements). Consequently, it is important that business functions understand and manage the risks associated with the data required for the successful execution of their processes. Additionally, an understanding of data risk is beneficial when managing other types of risk.

Data risk management

13. A regulated entity would typically manage data risk in alignment with the operational risk framework and, where relevant, in conjunction with other risk management frameworks (e.g. credit, market and insurance risk management frameworks), depending on the nature of the data involved.

14. A goal of data risk management is to ensure that the overall business objectives of a regulated entity continue to be met. Therefore, it is important that an individual business unit's objectives are not considered in isolation, but rather in the context of the objectives of the entity as a whole. Consequently, the design of controls for a particular data set would typically take into account all usage of that data.

15. The adequacy of data controls in ensuring that a regulated entity operates within its risk appetite would normally be assessed as part of introducing new business processes and then on a regular basis thereafter (or following material change to either the process, usage of data, internal controls or external environments). The assessment would typically take into account the end-to-end use of the data and related control environment (including compensating controls). Changes to the control environment would typically follow normal business case practices, taking into account the likelihood and impact of an event against the cost of the control.

[2] For the purposes of this PPG, data encompasses a broad range of categories including data that is entered, calculated, derived and structured or unstructured.

[3] For further details, refer to Prudential Practice Guide PPG 234 – Management of security risk in information and information technology (PPG 234), which incorporates data (both hard and soft copy) as a subset of information and information technology assets.

Data quality

16. In APRA's view, a useful technique for managing data risk is through the assessment and management of data quality. Data quality can be assessed using a range of dimensions. The relevance of each of these dimensions will vary depending upon the nature of the data. Dimensions typically considered in the assessment of data quality include:

(a) accuracy: the degree to which data is error free and aligns with what it represents;

(b) completeness: the extent to which data is not missing and is of sufficient breadth and depth for the intended purpose;

(c) consistency: the degree to which related data is in alignment with respect to dimensions such as definition, value, range, type and format, as applicable;

(d) timeliness: the degree to which data is up-to-date;

(e) availability: accessibility and usability of data when required; and

(f) fitness for use: the degree to which data is relevant, appropriate for the intended purpose and meets business specifications.

17. Other dimensions that could also be relevant, depending on the nature and use of specific data, include:

(a) confidentiality: restriction of data access to authorised users, software and hardware;

(b) accountability: the ability to attribute the responsibility for an action;

(c) authenticity: the condition of being genuine; and

(d) non-repudiation: the concept that an event cannot later be denied.

Classification by criticality and sensitivity

18. For the purposes of managing data risk, a regulated entity would typically classify data based on business criticality and sensitivity. The assessment would typically take into account the end-to-end use of the data. A regulated entity could seek to leverage the existing business impact analysis process to achieve this. The entity's data classification method and granularity would normally be determined by the requirements of the business.

Industry baselines

19. A regulated entity could find it useful to regularly assess the completeness of its data risk management processes by comparison to peers and established control frameworks and standards.

A systematic and formalised approach

Overarching framework

20. In order to ensure that data risk management is not conducted in an ad hoc and fragmented manner, a regulated entity would typically adopt a systematic and formalised approach that ensures data risk is taken into consideration as part of its change management and business-as-usual processes. This could be encapsulated in a formally approved data risk management framework outlining the entity's approach to managing data risk that:

(a) includes a hierarchy of policies, standards, guidelines, procedures and other documentation supporting business processes;

(b) aligns with other enterprise frameworks such as operational risk, security, project management, system development, business continuity management, outsourcing/offshoring management and risk management;

(c) includes the expectations of the Board and senior management;
