Background: The goal of data governance is to increase the value of information
The goals of data governance depend on a coherent and standardized definition of data. A comprehensive view on data streams and the elimination of competing subject-related perspectives is necessary to no longer explain and interpret data. All stakeholders who provide or receive data are given rights and obligations for using data. This guarantees high-quality and consistent data. The data governance reference model of zeb defines different requirements for the data governance strategy as well as ctb and rtb processes.
Challenge: BCBS 239 necessitates holistic data governance
The diversity of data requirements for banks often leads to the fact that specific data is gathered and stored for each report requirement. The different perspectives from Accounting, Controlling, Treasury and Risk Management also play an important part. Management-relevant KPIs of the bank are prepared in a different way, depending on the reporting focus. This usually results in enormous coordination efforts between the different perspectives in case of a validation or cross-check of the reported KPIs. Due to the new requirements according to BCBS 239 (risk data aggregation), which demand consistent transparency of data from the source system to the report, the problem of coordinating different data sources is additionally being blown up by regulations. This means that removing existing blinders is no longer just an internal issue of the banks, but has to be seen as a regulatory matter of duty. BCBS 239 states that “a bank’s board and senior management should review and approve the bank’s group risk data aggregation and risk reporting framework.” Thus, the strategic design of the implementation of data governance resides with the supervisory and executive board of a bank.
Which processes are to be covered by data governance within BCBS 239?
In general, data governance describes the process of data processing. It determines who is responsible for which data and defines a common thread regarding different requirements for data quality, integrity or security. There is neither a standardized definition of “data governance”—nor of the processes and rules it entails. It is rather the task of the bank to define for itself which data and data processing processes are to be integrated into data governance. This means the following with regard to BCBS 239: First, it has to defined, which relevant steps of data processing or data characteristics are to be subject of data governance. BCBS 239 states “precision requirements based on validation, testing or reconciliation processes and results“ as well as “ensuring data is correctly entered […] and kept current and aligned with the data definitions“. These processes are enshrined in data quality and metadata management. Furthermore, “a firm’s policies on data confidentiality […] and availability“ are demanded. Data security is to be guaranteed with regard to unauthorized external access as well as undesired internal access (data security management, authorization management). The aforementioned cross-departmental perspective is responsible for making sure that data streams are “unaffected by the bank’s group structure. The group structure should not hinder risk data aggregation capabilities.“ The target process with the respective rules is to be defined for each of the aforementioned topics in a second step. Here, the following questions are to be answered:
- Which data quality level is a minimum standard, which is required from each application?
- How is the description of data in a repository structured and which data characteristics are to be taken into consideration?
- What guarantees that sensitive data can only be seen and evaluated by authorized persons?
- Which requirements are there for data, that is to be available group-wide?
Finally, roles are defined for each subject area, which are equipped with the respective responsibilities and obligations. Here, roles are to be combined in a sensible way—for instance, the system administrator should be not only responsible for the compliance with the data quality requirements, but also for the maintenance of the repository with regard to “his/her” data. This combination of roles enables an efficient assignment to the responsible persons in the company.
The introduction of data governance for fulfilling BCBS 239 should be implemented step-by-step
Against the backdrop of the aforementioned subject areas, that are to be part of data governance, an incremental implementation of the introduction should be considered. It is advisable to ascertain the current status of data governance and to make a delta analysis of the actual situation and the target image. Here, the subject areas are to be processed one after another. Higher efficiency can be achieved by adjusting processes to the already existing patterns and by gradually expanding roles by new responsibilities. At the same time, a sense of responsibility for data governance is created step-by-step among the acting persons. Thus, data governance can be built and expanded little by little.
BCBS 239 forces the management to assume its responsibility
One key success factor for the implementation of data governance is the active integration of the management, so that rights and obligations of individual persons can take effect in the day-to-day business. This fosters the acceptance of defined processes and roles and prevents these definitions from losing their binding character in the course of time. The involvement of the management should be shaped in such a way that there is a sponsor for data governance in the management, who at the same time assumes the responsibility required in BCBS 239 and also represents the last escalation level in conflicts.
Evaluation of data governance in case of changes to requirements, data and processes
Once data governance has been established in a bank, it should update itself over and over again in the day-to-day business. This means that, due to the defined responsibilities, new requirements make constant reactions necessary. This leads to ongoing adjustments in the initially defined processes. If there are fundamentally new requirements, which lead to the establishment of new subject areas in data governance or demand a restructuring of present roles, these processes will have to be initiated by the aforementioned sponsor.