Data management risks and controls

Data is the lifeblood of the modern enterprise and underpins most strategic business decisions a company makes. As such, organizations constantly work to maintain high levels of data security and protect valuable data assets. While most defensive efforts are applied to outside-the-firewall threats, inside-the-firewall data access can create equal risk—making database access authorization one of the most critical components of information security and risk management. This source of corporate vulnerability is quickly rising to a top security concern.

We are searching data for your request:

Data management risks and controls

Content:

• What is a risk management framework? | 7 steps to NIST RMF
• What Is Data Risk Management?
• Data Security Explained: Challenges and Solutions
• A Practical Guide For A Records And Information Management Risk And Control Framework
• Risk management & control
• Data Governance Manager
• Manage risk with controls
• 6 Security Controls You Need For General Data Protection Regulation (GDPR)
• Data Security & Privacy Risk Management
• Use Analytics to Drive Insights, Produce Efficiencies and Ensure Compliance

What is a risk management framework? | 7 steps to NIST RMF

Over the past decade, banks across the globe have made considerable progress in building risk-related data-control capabilities, prompted in large part by regulatory demands. Progress, however, has not been uniform, and most institutions are not fully compliant.

In fact, many banks are still struggling with major deficiencies, particularly when it comes to data architecture and technology. One major reason for this limited progress is that the Basel Committee called for effective implementation of BCBS principles without clearly explaining what that means or how to implement them. This ambiguity has led to a wide range of interpretations, which vary from institution to institution, country to country, and even regulator to regulator.

As might be expected, banks have a monumental task in analyzing the layers of data requirements across all these regulations and building common and reusable capabilities that meet regulatory expectations. In response, the industry has adopted some common, workable solutions in a few key areas. These include data-aggregation capabilities to support regulatory reporting requirements, such as automating some of the reporting required by the Federal Reserve in the US and the European Banking Authority EBA in Europe, 2 2.

For example, Federal Reserve form FR YM reports monthly data on the loan portfolios of bank holding companies, savings and loan holding companies, and intermediate holding companies; FR YQ reports quarterly data for the same kinds of institutions on various asset classes, capital components, and categories of preprovision net revenue.

Industry leaders are clear, however, that they struggle in four areas: the scope of data programs, data lineage, data quality, and transaction testing. McKinsey benchmarking survey on data programs with 60 banks, There is considerable variation within the industry on how to address these four challenging areas, in investment, degree of risk mitigation, sustainability, and automation.

A few institutions, however, are leading the way in improving their data programs and management and have made great strides toward regulatory compliance. Banks need to define the scope of their data programs clearly enough to create a basis for easily conversing with regulators and identifying additional actions necessary for regulatory compliance. Most banks have defined the scope of their data programs to include pertinent reports, the metrics used in them, and their corresponding input-data elements.

Thus a credit-risk report or a report on strategic decision making might be covered, as well as risk-weighted assets as a metric and the principal loan amounts as an input. Unfortunately, the industry has no set rules for how broadly or narrowly to define the scope of a data program or what standard metrics or data elements to include.

As a result, many banks are trying to identify industry best practices for the number of reports and types of data to include in their data programs. Interestingly, over time, we have seen the number of reports in data programs increase while the number of metrics and data elements decreased Exhibit 1. We believe the increase in reports reflects the inclusion of different nonfinancial risk types, such as operational or compliance risk. With this in mind, leading banks have established principles to define the scope and demonstrate its suitability to regulators.

Leading institutions usually define the scope of their data programs broadly Exhibit 2. For all banks, the application of the principles illustrated in Exhibit 2 ranges from narrow to broad. However, supervisors are increasingly advocating for a broader scope, and many banks are complying. Best-in-class institutions periodically expand the scope of their data programs as their needs shift. From purely meeting regulatory objectives, these banks seek to meet business objectives as well.

After all, the same data support business decisions and client interactions as well as regulatory processes. Of all data-management capabilities in banking, data lineage often generates the most debate. Data-lineage documents how data flow throughout the organization—from the point of capture or origination to consumption by an end user or application, often including the transformations performed along the way.

As a result of the lack of regulatory clarity, banks have taken almost every feasible approach to data-lineage documentation. In some organizations, data-lineage standards are overengineered, making them costly and time consuming to document and maintain.

But increasingly, overspending is more the exception than the rule. Most banks are working hard to extract some business value from data lineage; for example, by using it as a basis to simplify their data architecture or to spot unauthorized data-access points, or even to identify inconsistencies among data in different reports.

Our benchmarking revealed that more than half of banks are opting for the strictest data-lineage standards possible, tracing back to the system of record at the data-element level Exhibit 3. We also found that leading institutions do not take a one-size-fits-all approach to data.

The data-lineage standards they apply are more or less rigorous depending on the data elements involved. For example, they capture the full end-to-end data lineage including depth and granularity for critical data elements, while data lineage for less critical data elements extends only as far as systems of record or provisioning points. Most institutions are looking to reduce the expense and effort required to document data lineage by utilizing increasingly sophisticated technology.

Data-lineage tools have traditionally been platform specific, obliging banks to use a tool from the same vendor that provided their data warehouse or their ETL tools extract, transform, and load. However, newer tools are becoming available that can partly automate the data-lineage effort and operate across several platforms. They also offer autodiscovery and integration capabilities based on machine-learning techniques for creating and updating metadata and building interactive data-lineage flows.

These tools are not yet widely available and have no proven market leaders, so some banks are experimenting with more than one solution or are developing proprietary solutions. Other ways to reduce the data-lineage effort include simplifying the data architecture. For example, by establishing an enterprise data lake, a global bank reduced the number of data hops for a specific report from more than a hundred to just three.

Some institutions also use random sampling to determine when full lineage is needed, especially for upstream flows that are especially manual in nature and costly to trace. Another possibility is to adjust the operating model. For instance, banking systems change quickly, so element-level lineages go out of date just as fast. To tackle this issue, some banks are embedding tollgates on change processes to ensure that the documented lineage is maintained and usable through IT upgrades.

Report owners are expected to periodically review and certify the lineage documentation to identify necessary updates. Improving data quality is often considered one of the primary objectives of data management.

Most banks have programs for measuring data quality and for analyzing, prioritizing, and remediating issues that are detected.

They face two common challenges. First, thresholds and rules are specific to each bank, with little or no consistency across the industry. Although some jurisdictions have attempted to define standards for data-quality rules, these failed to gain traction. Second, remediation efforts often consume significant time and resources, creating massive backlogs at some banks. Some institutions have resorted to establishing vast data-remediation programs with hundreds of dedicated staff involved in mostly manual data-scrubbing activities.

Banks are starting to implement better processes for prioritizing and remediating issues at scale. To this end, some are setting up dedicated funds to remediate data-quality issues more rapidly, rather than relying on the standard, much slower IT prioritization processes. This approach is especially helpful for low- or medium-priority issues that might not otherwise receive enough attention or funding. As data-quality programs mature, three levels of sophistication in data-quality controls are emerging among banks.

The first and most common uses standard reconciliations to measure data quality in completeness, consistency, and validity.

At the second level, banks apply statistical analysis to detect anomalies that might indicate accuracy issues. These could be values beyond three standard deviations, or values that change by more than 50 percent in a month. At the third and most sophisticated level, programs use artificial intelligence and machine learning—based techniques to identify existing and emerging data-quality issues and accelerate remediation efforts Exhibit 4.

One institution identified accuracy issues by using machine-learning clustering algorithms to analyze a population of loans and spot contextual anomalies, such as when the value of one attribute is incongruent with that of other attributes. To do this the program used information captured in free-form text during onboarding and integrated this with third-party data sources. Leading institutions are revising and enhancing their entire data-control framework.

They are developing holistic risk taxonomies that identify all types of data risks, including for accuracy, timeliness, or completeness. They are choosing what control types to use, such as rules, reconciliation, or data-capture drop-downs, and they are also setting the minimum standards for each control type—when the control should be applied and who shall define the threshold, for example.

Banks are furthermore pushing for more sophisticated controls, such as those involving machine learning, as well as greater levels of automation throughout the end-to-end data life cycle. Banks are pushing for more sophisticated controls, such as those involving machine learning, as well as greater levels of automation throughout the end-to-end data life cycle. Transaction testing, also referred to as data tracing or account testing, involves checking whether the reported value of data at the end of the journey matches the value at the start of the journey the source.

Banks utilize a spectrum of different transaction-testing approaches, with single testing cycles taking between a few weeks and nine months to complete. Regulators are putting pressure on banks to strengthen their transaction-testing capabilities through direct regulatory feedback and by conducting their own transaction tests at several large banks.

At the same time, many banks are inclined to focus more on transaction testing because they increasingly recognize that maintaining high-quality data can lead to better strategic decision making, permit more accurate modeling, and improve confidence among customers and shareholders.

Banks with distinctive transaction-testing capabilities shine in three areas. First, they have well-defined operating models that conduct transaction testing as an ongoing exercise rather than a one-off effort , with clearly assigned roles, procedures, and governance oversight.

The findings from transaction tests are funneled into existing data-governance processes that assess the impact of identified issues and remediate them. Second, they strategically automate and expedite transaction testing, utilizing modern technology and tools. While no tools exist that span the end-to-end process, leading banks are using a combination of best-in-class solutions for critical capabilities such as document management and retrieval , while building wraparound workflows for integration.

Finally, they apply a risk-based approach to define their transaction-testing methodology. For example, leading banks often select the population for testing by combining data criticality and materiality with other considerations. These could include the persistence or resolution of issues identified in previous tests.

While most leading banks opt for a minimum sample size and random sampling, some also use data profiling to inform their sampling, pulling in more samples from potentially problematic accounts.

The review or testing of these samples is often done at an account level rather than a report level to allow for cross-report integrity checks, which examine the consistency of data across similar report disclosures. Although banks have in general made fair progress with data programs, their approaches to building data-management capabilities vary greatly in cost, risk, and value delivered.

In the absence of more coordinated guidance from regulators, it is incumbent upon the banking industry to pursue a broader and more harmonized data-control framework based on the risks that need to be managed and the pace of automation to ensure data efforts are sustainable. Never miss an insight. We'll email you when new articles are published on this topic.

Skip to main content. Optimizing data controls in banking. LinkedIn Twitter Facebook Email. We strive to provide individuals with disabilities equal access to our website. If you would like information about this content we will be happy to work with you. This article was edited by Richard Bucci, a senior editor in the New York office.

Explore a career with us Search Openings. Related Articles. Article Controlling machine-learning algorithms and their biases. Something went wrong.

What Is Data Risk Management?

Losing data, or control of it, reflects badly on companies, especially when it comes to consumer data. However, businesses that take the time to organize and securely store their data will reap the benefits. Data management can help businesses locate key insights or identify system vulnerabilities. A system with accessible and up-to-date information helps businesses in the long run. Improper data management can lead to false conclusions derived from incorrect data, data duplication, inadequate security, or inconsistencies due to lack of organization. These failures can also increase the risk of a data breach.

Data Security Explained: Challenges and Solutions

From the government and healthcare organizations to Fortune companies and small businesses, no one is exempt from threats of a security breach. After a breach is the wrong time to find out. What information poses the greatest risk? This is a murky issue. Even for areas of known risk, such as email, there is often no consistent plan to address the exposure. Methods for storing this information are often unmanaged and inconsistent. The challenge lies not only in enforcing compliance with policies for content storage and usage, but in running a discovery or audit. Explore our content library. The purpose of a content risk assessment. The key to conquering content risk is having consistent, structured methods to identify, evaluate and prioritize areas of risk.

A Practical Guide For A Records And Information Management Risk And Control Framework

The following is an excerpt from our Annual Report , describing our risk governance framework and risk appetite principles. The Board of Directors the BoD approves the risk management and control framework of the Group, including the Group and business division overall risk appetite. The Audit Committee aids the BoD with its oversight duty relating to financial reporting and internal controls over financial reporting, and the effectiveness of whistleblowing procedures and the external and internal audit functions. The Group Executive Board the GEB has overall responsibility for establishing and implementing a risk management and control framework in the Group, managing the risk profile of the Group as a whole.

Risk management & control

This position will have a significant impact on the organization, so we are seeking someone who can take charge, think big, and deliver on their commitments. This position will lead a team to perform tests and analyses related to data governance including data registration, critical data element governance, data quality, data protection, data lineage, data retention, 3rd party data sharing etc. Familiarity with credit card, auto loan, commercial loan, or deposit data is a plus. General understanding of technology infrastructure and AWS is a plus. Strong communication skills and problem solving skills are desired. Lead a team to perform tests on data governance and the related controls across Capital One.

Data Governance Manager

The Data Support Manager will be aligned and partner with Risk teams e. The role is also responsible for executing enterprise e. The role provides an opportunity for a candidate to obtain an in depth understanding of a Risk areas people, processes, data, technology and control environment while gaining knowledge of GRM and enterprise wide data activities and strategy. Become a trusted advisor to the Risk data teams. Tableau, MicroStrategy. BI tool development a plus.

Manage risk with controls

Value-based data risk management has been saved. Value-based data risk management has been removed. An Article Titled Value-based data risk management already exists in Saved items. Do you have control over your data or is your data controlling you?

6 Security Controls You Need For General Data Protection Regulation (GDPR)

Data is the most valuable asset for any business. Despite increased data protection regulation, data breach risk s are growing. Data security, or information security, includes the practices, policies and principles to protect digital data and other kinds of information. A data breach, or data leak , is a security event when critical data is accessed by or disclosed to unauthorized viewers.

Data Security & Privacy Risk Management

In the current digital era, companies are working on automated IT systems to process information for daily operations. It made computer systems vulnerable to security risks and hence creates the need for strong risk management plans. Risk management is a process that enables IT managers to balance the economic and operational costs of the protective measures implemented for the protection of data and IT systems of the company. It identifies, assesses, and control threats to capital and earnings of the company. A powerful risk management process is most important for a successful IT security program. The main objective of a company behind the implementation of the risk management process is to protect the organization from accidental losses along with financial, strategic, operational, and other risks.

Use Analytics to Drive Insights, Produce Efficiencies and Ensure Compliance

As FS leaders expanded their use and monetization of data, global regulators responded by enacting multiple regulations, notably data privacy, affecting industries and markets worldwide. With proper visibility into their data landscape, companies can more effectively manage data risk to meet regulatory requirements and benefit from the new currency of trust. The good news is that institutions likely already have the building blocks for an integrated data risk management system fragmented across their organization. Robert S.