APRA has issued for consultation draft prudential practice guide PPG 235 – Managing Data Risk to provide guidance on data risk management to Boards, senior management, risk management, business and technical specialists.
In APRA’s view, effective governance of data risk management should be aligned to the broader corporate governance frameworks and involve the clear articulation of Board and senior management responsibilities and expectations, formally delegated powers of authority and regular oversight.
Subject to the requirements of APRA’s prudential standards, an APRA-regulated institution has the flexibility to manage data risk in the way most suited to achieving its business objectives, having regard to the nature, size, complexity, risk profile and risk appetite of the institution.
What is data risk?
Data risk encompasses the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events impacting on data quality.
Examples include:
(a) fraud due to theft of data;
(b) business disruption due to data corruption or unavailability;
(c) execution delivery failure due to inaccurate data; and
(d) breach of legal or compliance obligations resulting from disclosure of confidential data.
For the purposes of the draft PPG, data risk is considered to be a subset of information and information technology risk, which in turn is a subset of operational risk. In addition, IT security risk overlaps with data risk.
The draft PPG pays particular attention to the outsourcing/offshoring of data.
APRA considers that the moving of data management responsibilities to service providers or other entities within a group (both on- and offshore) increases the risk that data lifecycle controls may be inadequate, with problems potentially magnified when offshoring is involved.
The possible causes of this increased risk include control framework variations, lack of proximity, reduced corporate allegiance, geopolitical risks and jurisdictional-specific requirements.
APRA expects a regulated institution to apply a cautious and measured approach when considering retaining data outside the jurisdiction it pertains to.
See also the Payments System Board report on operational risk and the OAIC’s draft guide to information security.