
Incorporation of data risk in the banking risk taxonomy

After the financial crisis, regulators found some banks lacked proper Management Information Systems (MIS), hindering risk management and reporting.

To strengthen these capabilities, especially at global systemically important banks (G-SIBs), the Basel Committee on Banking Supervision (BCBS) in 2013 introduced Standard 239, focusing on effective risk data aggregation and reporting.

Coupled with US Federal Reserve regulations such as the Comprehensive Capital Analysis and Review (CCAR) and supervisory emphasis on data quality, this highlights the need to manage data risks just as well as credit and market risks.

With the proliferation of data available to banks in this digital age, data is used in almost all aspects of the business: in business strategy decisions, in quantitative models and in regulatory reporting.

Thus, there is a need to manage and govern an organisation’s key data and its associated risks end-to-end: from risk identification and assessment, through appropriate mitigation by means of risk-based controls, to ongoing monitoring. This process is known as data risk management.

Traditionally, banks have managed risks such as credit, market, operational, compliance, strategic and reputational risk through various high-level committees. While data is inherent to most of these risks, the need to govern it separately is often not recognised.

Consider, for example, a credit risk report that requires the customer’s legal country of incorporation. When the analyst responsible for determining the right data attribute investigates the warehouse, they will find a number of similarly labelled attributes, such as country, operational address country, mailing address country and registered address country.

Without a well-defined and agreed definition of the customer’s legal country of incorporation, there is a risk that the wrong data attribute is provided on the credit risk report.

Further, if the source of these attributes is not well documented, there is a risk of an inadvertent, unrecognised change to them, which would put the consistency of the report in question.

In recognition of these risks, data risk has in recent years begun to be recognised formally at the highest levels in banking, through the establishment of data governance functions and the role of chief data officer.

Lastly, banking being a highly regulated sector, regulators routinely raise questions about data governance controls, such as the presence of internal controls that demonstrate data quality and the ability to produce timely and accurate reports, in order to understand the data risk environment. Given these heightened expectations, there is a strong case for managing data as its own risk stripe.

As highlighted by Ajiri, data risk holds regulatory significance in banking. Data risk can emerge during any phase from collection to usage.

To address this, the second-line data governance function bridges data governance and risk management, ensuring that data risks are adequately managed. This involves providing governance to the business, implementing risk-based controls, and providing data that is fit for purpose for risk models.

To manage data risk, it is important to set up a lifecycle process that helps to understand and prioritise the finite set of the most critical data attributes within the organisation, assess the associated business processes to determine the risk, implement risk-based controls to mitigate those risks, and periodically monitor the implemented controls.

KDE Identification: As a first step in risk identification, from both a governance and a risk perspective, identify the most critical data attributes within your organisation and their associated risk exposure.

These system-agnostic critical attributes, commonly known as key data elements (KDEs), are the data elements that carry the most weight in the organisation’s decision-making or regulatory reporting. Given the increasing cost pressures in banking, it is important to create a prioritised list of these KDEs. To identify KDEs, the following factors may be considered:

  • Do risk models directly rely on this attribute for making decisions?
  • Is the KDE atomic, or is it a derived attribute?
  • Are there current or prior regulatory issues associated with the attribute?
  • How material an impact would inadequate data quality of this attribute have on the organisation?
  • Is this attribute important for business revenue generation or customer satisfaction?

Once KDEs have been identified, a risk assessment can be performed to identify the potential associated risks. This analysis can be either quantitative or qualitative, depending on the business domain, and should take into consideration the relevant existing controls for the KDE.

As an example, a quantitative assessment will generally be suitable for financial data used in regulatory reports, where a dollar value can be assigned to the risks. A qualitative assessment will be more suited to functions such as compliance, where expert judgement may need to be layered on top of modelled results.

In a qualitative assessment, the severity and probability of risk occurrence can be determined through data owner and subject matter expert interviews. In both types of assessment, the eventual goal is to compare the cost of implementing appropriate controls to mitigate the risk against the cost if the risk were to materialise.

As noted by Martins et al., this assessment process has to be periodic, and a regular reassessment process must be established.

Following data risk identification and impact assessment, risk-based controls can be implemented for mitigation. Ongoing risk monitoring keeps risk management relevant, reflecting the current control environment and senior management oversight.

Effective governance, operationalised and embraced across the organisation, is crucial in managing data risks. This involves policies, standards, roles, documented procedures, enhanced communication, and fostering a data-centric culture.

Policies & standards: These documents define, at a high level, the minimum set of data requirements that each business unit is expected to adhere to. They set the tone from the top, are generally created by the second line of defense and are generally rooted in banking regulatory requirements on data.

Policies, while setting the minimum requirements, should also be flexible and not overly prescriptive about how a particular business unit achieves compliance with the policy.

Change management-based controls: Managing changes in data infrastructure can be challenging.

As an example, a report data attribute that previously contained only numbers transitions to alphanumeric values, resulting in data quality failures. In such instances, change management controls can serve as a preventative control against adverse impact to a KDE.

Related to establishing a strong data culture, all changes should be logged, assessed and tested for KDE impact. This process requires consultation with the relevant stakeholders and their approval.
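As an added illustration of the change management control just described (example code written for this edit, not code from the original article or from PRMIA), the following Python sketch records a KDE's documented source and agreed value classes, blocks a batch in which a numeric attribute has started to carry alphanumeric values, and extends the profile only once every required stakeholder has approved the change. The KDE name, the source reference, the approver roles and the sample batches are all constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass


# A KDE's documented profile, as it would sit in a data dictionary
# (constructed for this example). Recording the source addresses the
# undocumented-source risk described earlier; the allowed value classes
# are what the change-management check enforces.
@dataclass(frozen=True)
class KdeProfile:
    name: str
    source: str                 # documented source table.column the report draws from
    allowed_classes: frozenset  # value classes the KDE is agreed to contain
    report: str                 # report that consumes the KDE


def classify(value):
    """Classify one value as 'empty', 'numeric', 'alphanumeric' or 'other'."""
    text = "" if value is None else str(value).strip()
    if text == "":
        return "empty"
    if re.fullmatch(r"-?\d+(\.\d+)?", text):
        return "numeric"
    if re.fullmatch(r"[A-Za-z0-9]+", text):
        return "alphanumeric"
    return "other"


def profile_batch(values):
    """Count how many values of each class a batch contains."""
    return dict(Counter(classify(v) for v in values))


def assess_batch(kde, batch_id, values, max_unexpected_ratio=0.0):
    """Check a batch against the KDE profile and return a change record.

    Any value class outside the documented profile counts as unexpected; a
    batch whose unexpected share exceeds the tolerance is blocked until the
    change has been assessed and approved.
    """
    counts = profile_batch(values)
    unexpected = {c: n for c, n in counts.items() if c not in kde.allowed_classes}
    n_unexpected = sum(unexpected.values())
    ratio = n_unexpected / len(values) if values else 0.0
    samples = [str(v) for v in values if classify(v) not in kde.allowed_classes][:3]
    status = "PASS" if ratio <= max_unexpected_ratio else "BLOCKED_PENDING_APPROVAL"
    return {
        "kde": kde.name,
        "source": kde.source,
        "report": kde.report,
        "batch_id": batch_id,
        "counts": counts,
        "unexpected": unexpected,
        "samples": samples,
        "status": status,
    }


def approve_change(kde, record, approvals, required):
    """Extend the KDE profile only once every required stakeholder has signed off.

    Returns a new profile that admits the newly observed value classes; raises
    if approvals are missing, so the batch stays blocked.
    """
    if record["status"] == "PASS":
        return kde
    missing = set(required) - set(approvals)
    if missing:
        raise PermissionError(
            f"change to {kde.name} lacks approval from: {sorted(missing)}")
    return KdeProfile(kde.name, kde.source,
                      kde.allowed_classes | frozenset(record["unexpected"]),
                      kde.report)


# Constructed sample data: a numeric exposure attribute whose feed changes.
EXPOSURE_KDE = KdeProfile("exposure_at_default", "ldw.facility.ead_amount",
                          frozenset({"numeric"}), "credit_risk_summary")
BASELINE_BATCH = ["100", "2500", "0", "75"]
CHANGED_BATCH = ["100", "25A0", "LOAN7", "75"]   # two values turned alphanumeric
REQUIRED_APPROVERS = {"data_owner", "report_owner"}

if __name__ == "__main__":
    print(assess_batch(EXPOSURE_KDE, "batch-1", BASELINE_BATCH)["status"])
    record = assess_batch(EXPOSURE_KDE, "batch-2", CHANGED_BATCH)
    print(record["status"], record["unexpected"], record["samples"])
    try:
        approve_change(EXPOSURE_KDE, record, {"data_owner"}, REQUIRED_APPROVERS)
    except PermissionError as exc:
        print("blocked:", exc)
    updated = approve_change(EXPOSURE_KDE, record, REQUIRED_APPROVERS, REQUIRED_APPROVERS)
    print(assess_batch(updated, "batch-2", CHANGED_BATCH)["status"])
```

The change record carries the KDE name, its documented source and the consuming report, so the log entry that the control produces is also the evidence a reviewer or regulator would ask for. Empty values are treated as their own class, so a KDE that is agreed to be populated fails the check when nulls appear, not only when the format drifts.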

Role of data culture in data risk mitigation: An effective data risk culture is essential to any data-driven organisation.

A proactive risk management culture self-identifies and manages risks before a review function such as audit or the regulators does. Often organisations are good at identifying risks but either take too long to mitigate them or simply do not implement mitigation, in the belief that the risk will not materialise.

This is especially true where legacy data is concerned, the argument being that the risk has existed for many years. A lack of documentation on KDEs, combined with the departure of key personnel holding institutional knowledge about these KDEs, can also hamper timely data risk mitigation.

A Consequence Management Framework can be implemented to mature the data culture within the organisation. Rewarding staff for timely and appropriate identification of data risks may also be beneficial.

In the absence of sufficient literature on data risk management in general, and specifically within the banking industry, this paper highlights the importance of data risk management being its own risk stripe. It also presents key considerations for the identification, assessment and mitigation of data risk.

PRMIA membership sets professionals apart, identifying them as active in the growth and promotion of the risk profession and demonstrating leadership by helping fellow risk practitioners develop best practices for their employees and community. Become a leader by joining PRMIA and providing your expertise. Join today at www.prmia.org.


creditstrategy.co.uk – an online news and information service for the UK’s commercial and consumer credit industry. creditstrategy.co.uk is published by Shard Financial Media Limited, registered in England & Wales as 5481132, 1-2 Paris Garden, London, SE1 8ND. All rights reserved. Credit Strategy is committed to diversity in the workplace. @ Copyright Shard Media Group