This trend has opened opportunities for institutions to potentially use this data for strategic and commercial purposes. Yet, this does not come without risks, which control functions might not place sufficient emphasis on. Avantage Reply has observed the criticality of effective data governance from multiple perspectives.
What is meant by Data Governance?
Data governance is the process of managing data throughout its lifecycle from data collection to the use of data. Traditionally, this includes regulatory (such as COREP, FINREP, MiFID, AnaCredit, etc.) and internal reporting (e.g. financial planning and forecasting, risk analysis and management information) but more recently banks have developed ways to make more use of their data by using advanced technologies and analytics for marketing, sales and customer satisfaction.
The expanding focus on data-driven decisions requires banks to have an appropriate governance in place, which includes a framework ensuring data quality, the definition of roles and responsibilities and the implementation of policies regarding the handling of data within the organisation.
However, the pure formalisation of a governance framework is not enough, as institutions must introduce a data culture within the company and involve all employees in ensuring proper data management. Moreover, while the collection and use of data can support managing risks, the handling itself is highly critical, and potential threats must be considered in the data governance framework.
The role of data handling in the overall Risk Management Process
While data-driven reporting and decision-making can be a success driver for financial institutions, inherent risks should not be overlooked, such as poor data quality, data protection breaches and data integration errors. Hence, the identification, monitoring and management of risks in the handling of data should be an integral part of an organisation’s governance and align with the risk management framework and risk appetite. These aspects should be in the back of the mind of the decision makers during the risk identification and assessment. Policies defining thresholds for risk events like privacy incidents, loss of data or data inaccuracy are necessary to enable stakeholders to assess compliance with the risk management framework. This assessment should involve, as with other enterprise risks, the three lines of defence, with responsibilities and accountabilities clearly defined. All involved parties, from data collectors via data processors and analysts to data users, must know their duties. Therefore, to fulfil their positions, they should aim not only to realise the full potential of a company’s data, but also consider the inherent risks involved.
How to ensure the adequacy of data management?
As innovations regarding the collection and use of data are fast paced, regular reviews of a company’s data governance and its risk management are necessary. As institutions continue to foray into new methodologies when handling information, e.g. Artificial Intelligence and Machine Learning, they need to re-asses the appropriateness of their processes. The goal being to identify, manage and mitigate risks and decide whether they need to undertake steps to improve their data risk management. Such steps possibly include:
1. The implementation of a simpler, streamlined data architecture which tracks data flows throughout the organisation. This could be accompanied by an enhanced, automated, integrated controls framework, enabling stakeholders to understand limitations and risks associated with Artificial Intelligence and Machine Learning techniques and models
2. Extension of risk models towards these new technologies and clear responsibilities, defined within the three lines of defence to measure and manage these risks
3. Adequate consideration to emerging potential issues associated with new data platforms (such as clouds) and how these operational risks can be mitigated
4. Possess of appropriate knowledge and skills within the institution to properly apply implemented technologies and to assess the inherent risks. Companies should evaluate whether they need to hire additional staff or receive external support with the necessary expertise
Enhanced data governance among today’s highest priorities
The growing importance of data in the entirety of a bank’s decision-making process is now no longer a futuristic vision of tomorrow but the day-to-day reality. Thus, financial institutions can no longer consider excellence in data governance as “nice to have” but as a mandatory ingredient in the design and execution of their major risk affecting activities.
Previously, banks lacking in this regard had to face a growing competitive gap when not applying sufficient rigour to the development of data governance capabilities. Poor performers in this area will now face progressively stricter scrutiny by the regulators. Regulatory legislation and guidelines such as BCBS239, GDPR or EMIR have opened the floodgates for stricter data governance regulation and it is highly unlikely that they will remain the last sets of regulation on this matter.
In addition to the competition and regulation based incentives, financial institutions should be aware of the necessity of the implementation of the formerly mentioned data governance aspects in their risk management framework. The growing use of interconnected data means that risk decisions based on wrongly gathered or interpreted data will generate a butterfly effect that reaches much farther than in previous decades.
Never before has the “I” in IT been this important as the clarity, quality and trustworthiness of the information gathered across the institution translates directly into the quality of the decision making, especially so when touching risk-related aspects.
More information about Avantage Reply Luxembourg here .