APRA’s focus on data risk has been steadily increasing throughout the years, with specific guidance in CPG 235 on Managing Data Risk, and data featuring as a key risk type in CPS 234 Information Security and more recently in CPS 230 Operational Resilience.
To date, APRA’s supervisory activities on data have focused on the accuracy of prudential reporting processes, the maturity of data risk management practices, and the effectiveness of data security controls. Recent cyber events leading to customer data leakages and entity data breaches in the industry have highlighted the importance of data storage, deletion, and security, all of which require a sound understanding of the data environment and the quality of the data. Data is key to many, if not all, of the decisions an entity must make and as such is the “crown jewels” for most entities. The protection of an entity’s crown jewels should be a high priority for directors and executives alike.
To gain insights into the status of data risk management, APRA embarked on a multi-year pilot study with a selection of banks. Observations point to recent improvements in data practices, driven in part by APRA’s supervisory focus; however, progress is slow and the gap between current and better practice in data risk management remains wide. The findings outlined below highlight multiple areas where all APRA-regulated entities can improve their data management practices.
Quality data is an asset to a business. It can provide valuable insights, predict trends, and identify commercial opportunities. It can measure performance, help a business customise its products and services, optimise processes, and increase profitability – but like any tool, it only works well if used and managed appropriately.
The costs of poorly managed data can manifest through misinformed decisions, increased errors, customer complaints, and even regulatory action – the impacts of which can result in reputational damage, and loss of customers and profit. For banks, insurers, and superannuation funds, access to high quality data can make a significant difference in the accuracy of decisions made across the organisation. Conversely, decisions made based on poor quality data can have lasting negative impacts.
This is why data management must be an ongoing area of focus and monitoring for boards, management, and business.
Addressing a rising risk
The negative consequences arising from the inability to safely and effectively collect, store, process and analyse data are known as data risk. APRA has increased its engagement on data risk over the past decade, as it has sought to reinforce:
the importance of data governance by ensuring that data management and related business processes are adequately designed and operating effectively, to meet the needs of the regulated entity;
the responsibilities and expectations of the board and senior management in managing data;
the need for high quality data to ensure it is acceptable for the intended purpose; and
use of domestic and international industry best practice principles for data management.
APRA's engagement with industry
In 2019 APRA wrote to a selection of ADIs seeking their involvement in an exercise known as the 100 Critical Risk Data Elements (CRDE) Pilot, aimed at understanding data management practices. The pilot involved banks identifying 100 of their most critical data elements (such as customer name, account number and interest rate) and enhancing the control environment over those data elements.[1] This was followed up with a series of in-depth data risk prudential reviews that assessed the implementation of each bank’s data risk management framework. Similar questionnaires were sent to a group of life insurers and superannuation entities in 2022 to better understand their risk practices following concerns surrounding incorrect regulatory submissions.
Better practice examples from the 100 CRDE Pilot
The examples that follow are among the better practice activities observed by APRA through the pilot and subsequent reviews, which are applicable to all banks, insurers, and superannuation trustees.
Enterprise-wide data programs that are consistently implemented and adopted by business teams
The goal of data governance is to establish trust in the data that is used for decision-making in business activity, management meetings, and in the boardroom. To truly understand the data being used in business processes, a common definition for data and its parameters is used to establish consistency, which forms the basis of the control environment.
As such, entities that had a strong ‘data office’ for central coordination of activities for the entire enterprise at the onset of the data program were able to demonstrate consistent implementation and progress in governing data.
This ensures that once data activities[2] are adopted by business teams, processes are consistently applied so that work can be completed at scale. Importantly, for data management practices to be fully embedded, it is essential that data activities form part of business-as-usual processes.
Technology strategies that are scalable and adaptable to changes in business requirements
APRA observed that, in attempts to modernise, the technology landscape across the participants has been moving towards a data mesh architecture or variations of a data hub, data lakehouse, and cloud storage. Participants are transitioning from traditional databases to an unstructured approach for storing and processing data that is better suited to meeting complex business requirements. Better practice included a focus on improving the quality of source data and redesigning the data architecture to improve linkages between data points.
Whichever technology approach is chosen, a significant transformation calls for multi-year, scalable strategies and supporting projects to consistently carry data work forward. Given the length of time to deliver on these initiatives, strategies that are adaptable to changes in technology and business requirements are more likely to be sustainable. These tend to lead to a more resilient data and technology strategy, with sufficient oversight by the Board and management.
Improving data accessibility by offering ‘data as a product’
As a result of increasing requirements for data, participants involved in the pilot were moving to the concept of ‘data as a product’, where data domains are leveraged to create ready-to-use data sets that can be accessed across the organisation. Data sets are overlaid with multiple controls to ensure data quality is maintained and data can be trusted. This makes data more accessible for analysis, visualisation, and reporting – enabling business users to use data that is trusted, timely, and fit for purpose.
Resolving data issues strategically
An effective issues management framework helps an entity govern how data issues are identified, assessed, and remediated, while addressing the root cause.
Data issue remediation often requires strategic technology solutions; a commitment that can take time to deliver and fund. Better practice among participants highlighted an ongoing focus on effectively managing data risks to resolve immediate issues and ensuring that controls mitigating existing risks are working effectively until strategic solutions are in place.
Use of Governance Risk and Compliance (GRC) systems supporting data risk reporting enhancement
APRA observed the important role that GRC systems play in enabling an understanding of data maturity within entities. A comprehensive understanding of the health of the data environment can be delivered by better linking data issues to control deficiencies, related to a defined risk, in the GRC system. This produces a clear end-to-end view of data risk, which can be used to identify drivers for investment across the entity.
Six considerations for better data practices
The results from APRA’s engagements with industry on the topic of data management highlight six factors for businesses to consider when improving data management.
Establish data governance with a unified data strategy.
Provide clarity on roles and responsibilities for ownership of critical data elements and processes across the data lifecycle.
Simplify the technology and data architecture environment through improved platform solutions and by decommissioning legacy assets.
Identify critical data elements and create a consistent set of data controls.
Establish mechanisms to monitor data quality and timely remediation of errors based on business requirements.
Integrate data management risk into risk management frameworks.
The road ahead
APRA has observed that the data frameworks of the participants are now more developed since the beginning of the 100 CRDE Pilot in 2019. To drive industry-wide uplift of data practices, APRA intends to continue its focus on data risk management through CPS 230. Data risk is a key consideration under operational risk more broadly for boards and senior leadership, and inherent in understanding critical operations and processes end-to-end.
APRA has observed that there is still a journey ahead for entities to effectively embed data frameworks, noting that:
data practices aren’t consistently integrated into business-as-usual activities and are often being performed as an additional exercise, impacting efficiency;
entities haven’t consistently made the connection between enhancing data practices and better decision-making;
entities are struggling to quantify data inaccuracies across key reports, models, and scenarios, resulting in limited risk reduction; and
improvements in data practices aren’t considering the full requirements of business end-users and solutions aren’t always fit for purpose, resulting in reduced ability to enhance the quality of reporting provided to senior leadership.
The bottom line
Quality data is essential to boards, management, and businesses making informed, risk-based decisions, and facilitating faster and better insights. It brings value to those looking to better tailor their products and services, increase their customer base, grow their business, and ultimately improve entity performance.
Enabling the availability of data across a business helps increase transparency, manage risks and improve efficiency, but it needs to be consistent and accurate to be used effectively – this can be achieved through the implementation of controls, such as those outlined in CPG 235.
Despite all the progress made by the select banks included in this pilot, gaps remain in data practices which impact the resilience of the industry. For data risk to be effectively managed, entities should focus on identifying critical data elements, remediating data issues, enhancing technology platforms, simplifying legacy architecture, and making data more accessible. In fact, it’s in the best interest of entities to streamline processes, increase automation of manual controls, and improve data quality. In a world where demand for data from customers, clients, and regulators is only increasing, entities can’t afford to be left behind.
[1] Data governance activities for each critical data element included mapping data lineage, documenting and remediating controls across the lineage, and resolving data- and system-related issues across the data lifecycle.
[2] Data activities refer to bringing critical data elements under governance by mapping data lineage, documenting and remediating controls across the lineage, and resolving data- and system-related issues across the data lifecycle.
The Australian Prudential Regulation Authority (APRA) is the prudential regulator of the financial services industry. It oversees banks, mutuals, general insurance and reinsurance companies, life insurance, private health insurers, friendly societies, and most members of the superannuation industry. APRA currently supervises institutions holding around $9 trillion in assets for Australian depositors, policyholders and superannuation fund members.