If you have worked in the data management area within Financial Services in Australia, then you are most likely familiar with APRA’s Prudential Practice Guide CPG 235. This guide, established in 2013, outlines best practices for data management and it has significantly influenced the Data Management focus and strategy of banks, insurers, and superannuation funds across the country over the last decade.

Now, even though CPG235 has been around for over a decade, aligning with its guidelines is still a challenge and ongoing effort for most organisations. Indeed, recent reflections by APRA, including a note they published in November 2023, highlighted that, whilst there has been progress in the last number of years, there is still a significant journey ahead.

In my experience, distilling the CPG 235 guidance into a tangible, actionable strategy is daunting for many. The guide itself has 11 content pages and 68 distinct paragraphs, each representing a requirement. The content within each individual paragraph is generally straightforward and practical. However, the structure of the document is, to my mind, somewhat disjointed. It leads to repetition and a lot of related concepts scattered in different parts of the document. This in turn often leads organisations to create erratic and disjointed implementation plans.

A common mistake is to misinterpret CPG 235 as a framework or as a structured blueprint for data management, which it explicitly is not. We know this because paragraph 2 states it is “not an all-encompassing framework” and paragraph 9 notes that “examples of controls provided are by no means exhaustive”. CPG 235 is intended as a reference rather than as a prescriptive blueprint. As such, it lacks the cohesive structure needed for implementation and it omits many of the foundational capabilities needed to support its guidelines.

So, how should one approach CPG235? In my opinion, the key is to develop a comprehensive framework independent of CPG235 (using something like DCAM or DMBOK as a basis). A well-structured, comprehensive framework provides clarity and an implementation-friendly sequence that CPG 235 lacks. Once your framework is established, use CPG 235 for comparison and gap analysis. Address any discrepancies and prioritise aspects of your framework that align closely with CPG 235. This approach offers some significant advantages.

A framework is structured in a way that can be transposed to a practical and sequenced roadmap for execution, making it far more practical to implement.

A comprehensive framework will account for those foundational capabilities you need to build but which may not be explicit in CPG235.

A framework will serve as a blueprint for all your data management activities, including other regulations and requirements (e.g. Data Privacy, CPS230).

So how do we do this in practice? To begin with, let’s take paragraphs 20 through to 68 of CPG 235 and group them into 20 concepts, as shown in the table below. I’m covering paragraphs 20 to 68 because the earlier paragraphs in CPG 235 serve as context rather than specific requirements.

| CPG 235 Concept | Paragraphs | Description |
| --- | --- | --- |
| Data Quality Management | 16-17 | Highlights the need for data quality management and emphasises the use of a broad set of dimensions to assess quality. |
| Data Classification | 18 | Emphasises the importance of categorising data based on sensitivity and criticality. |
| Benchmarking Against Industry Guidelines | 19 | Encourages assessments against industry standards to ensure current and effective data management practices. |
| Systematic Data Management Framework | 20-21 | Advocates for a comprehensive enterprise framework supported by a formally approved strategy, budget, resources, and clear milestones. |
| Principle-Based Approach | 22 | Emphasizes the importance of data management principles as part of the strategy for a consistent approach. |
| Defined Roles and Responsibilities | 23 | Focuses on defining roles such as data owners and stewards, incorporating broader roles into the framework. |
| Compliance and Exception Management | 24-25 | Requires formal compliance mechanisms, checks, balances, and systems to ensure organisational alignment with the strategy and frameworks, and advocates for having a formal process in place to manage exceptions. |
| Capability Assessment and Improvement | 26 | Encourages regular evaluations and improvements of data management maturity. |
| Data Architecture | 27-29 | Referred to as data architecture, aligns more closely with information architecture or information management, with a clear focus on metadata management, data catalogues, diagrams, and lineage. |
| Staff Awareness and Training | 30-32 | Urges education and training in data management strategies and principles for all staff. |
| Data Lifecycle Management | 33-35 | Advocates for managing data at all stages throughout its life cycle, including appropriate handling and controls at each stage from capture through processing and retention. |
| Retention, Publication and Disposal | 36-42 | A subsection of data lifecycle management. Emphasises the need for policies and controls around data retention, careful consideration of data quality in the publication of reports and datasets, both internally and externally, and effective disposal and destruction methods, aligning with the overall retention strategy. |
| Auditability | 43 | Stresses the need to be able to audit data processes for data traceability, focusing on evidencing the sequence of activities that have affected data through its life cycle, such as log files and paperwork. |
| Data Desensitization | 44 | Highlights the capability to desensitize sensitive data to reduce misuse risks. |
| End User Computing Risks | 45-46 | Points out risks with data managed outside secure environments and the need for mitigation strategies. |
| Outsourcing and Offshoring Risks | 47-50 | Stresses increased risks in outsourcing/offshoring data management, especially outside of its jurisdiction, requiring comprehensive risk assessments and control measures. |
| Data Validation including Cleansing | 50-57 | Covers the importance of data validation processes, including data cleansing, to ensure accuracy and reliability. |
| Monitoring and Management of Data Issues | 58-62 | Requires monitoring the data lifecycle to identify issues, with clear responsibilities and effective management tools. |
| Data Quality Metrics | 63-65 | Advocates for specific, measurable data quality metrics, particularly in areas of high regulatory importance or critical business impact. |
| Data Risk Management Assurance | 66-68 | Emphasises the need for regular review and assurance that data management is being implemented effectively, recommending inclusion as part of a broader enterprise assurance programme. It advises organisations to have a multi-year assurance plan to test the effectiveness of controls. |

The table above certainly distils CPG 235, but in my opinion, this is still quite an indigestible representation, with very little logic to the sequencing of these concepts. Let’s demonstrate how you can leverage a comprehensive data management framework to help you align with CPG 235. I will start by sharing a simple data management framework with you. The illustration below shows an outline view of a simple framework that I have developed. There is a detailed sequence of activities and artefacts that sit behind this, but this high-level view is sufficient for this example.

Decaf Data – High Level Data Management Framework

The next step is mapping and sequencing the 20 summarised concepts from CPG 235 against my framework which is shown in the table below. This reorganisation presents the CPG 235 concepts in a way that I find much more logical and conducive to implementation.

For instance, paragraphs 16 to 17, which emphasise data quality dimensions, and paragraphs 63 to 65, focusing on data quality metrics, are now grouped together under the data quality monitoring theme within the framework. This consolidation appears much more intuitive than their disparate placement at either end of the CPG 235 document.

| Pillar | Theme | Concept | Paragraphs |
| --- | --- | --- | --- |
| Enablement | Charter and Framework | Systematic Data Management Framework | 20-21 |
| Enablement | Charter and Framework | Principle-Based Approach | 22 |
| Enablement | Training & Tools | Staff Awareness and Training | 30-32 |
| Enablement | Classification & Prioritisation | Data Classification | 18 |
| Enablement | Project Management | Data Risk Management Assurance | 66-67 |
| Enablement | Project Management | Capability Assessment and Improvement | 26 |
| Enablement | Project Management | Benchmarking Against Industry Guidelines | 19 |
| Information Architecture | All Areas | Data Architecture | 27-29 |
| Data Quality | Data Quality Monitoring | Data Quality Management | 16-17 |
| Data Quality | Data Quality Monitoring | Data Quality Metrics | 63-65 |
| Data Quality | Data Issue Management | Monitoring and Management of Data Issues | 58-62 |
| Data Quality | Data Issue Management | Data Validation including Cleansing | 50-57 |
| Data Quality | Data Controls Library | Data Lifecycle Management | 33-35 |
| Data Governance | Policies and Procedures | Defined Roles and Responsibilities | 23 |
| Data Governance | Policies and Procedures | Outsourcing and Offshoring Risks | 47-50 |
| Data Governance | Stewardship, Ownership & Governance | Compliance and Exception Management | 24-25 |
| Data Governance | Vendor Mgmt. & Data Sharing | End User Computing Risks | 45-46 |
| Infrastructure & Analytics | Data Storage & Security | Retention, Publication and Disposal | 36-42 |
| Infrastructure & Analytics | Data Storage & Security | Data Desensitization | 44 |
| Infrastructure & Analytics | Data Storage & Security | Auditability | 43 |

This approach of aligning CPG 235 to the framework does more than streamline the concepts for easier implementation. Should we examine the lower levels of this framework, it becomes apparent which capabilities need to be established as prerequisites for the CPG 235 guidelines, even though those capabilities, tasks, and artefacts might not be directly identified in CPG 235 itself.

In summary, while CPG 235 remains a crucial guideline in Australia’s financial data management landscape, it is most effective when used in conjunction with a comprehensive, structured framework. This approach ensures a well-rounded strategy that aligns with CPG 235, enabling organisations to navigate the complexities of data management with greater ease and effectiveness.

Published On: November 5th, 2024 / Categories: Insights /
