Michael O'Sullivan

Deciphering APRA's CPG 235: A Blueprint for Effective Data Management in Australian Finance

If you have worked in the data management area within Financial Services in Australia, then you are most likely familiar with APRA's Prudential Practice Guide CPG 235. This guide, established in 2013, outlines best practices for data management and it has significantly influenced the Data Management focus and strategy of banks, insurers, and superannuation funds across the country over the last decade.


Now, even though CPG 235 has been around for over a decade, aligning with its guidelines is still a challenge and an ongoing effort for most organisations. Indeed, recent reflections by APRA, including a note they published in November 2023, highlighted that, whilst there has been progress in the last number of years, there is still a significant journey ahead.


In my experience, distilling the CPG 235 guidance into a tangible, actionable strategy is daunting for many. The guide itself has 11 content pages and 68 distinct paragraphs, each representing a requirement. The content within each individual paragraph is generally straightforward and practical. However, the structure of the document is, to my mind, somewhat disjointed. It leads to repetition and a lot of related concepts scattered in different parts of the document. This in turn often leads organisations to create erratic and disjointed implementation plans.


A common mistake is to misinterpret CPG 235 as a framework or as a structured blueprint for data management, which it explicitly is not. We know this because paragraph 2 states it is “not an all-encompassing framework” and paragraph 9 notes that “examples of controls provided are by no means exhaustive”. CPG 235 is intended as a reference rather than as a prescriptive blueprint. As such, it lacks the cohesive structure needed for implementation and it omits many of the foundational capabilities needed to support its guidelines.


So, how should one approach CPG 235? In my opinion, the key is to develop a comprehensive framework independent of CPG 235 (using something like DCAM or DMBOK as a basis). A well-structured, comprehensive framework provides clarity and an implementation-friendly sequence that CPG 235 lacks. Once your framework is established, use CPG 235 for comparison and gap analysis. Address any discrepancies and prioritise aspects of your framework that align closely with CPG 235. This approach offers some significant advantages.


  1. A framework is structured in a way that can be transposed to a practical and sequenced roadmap for execution, making it far more practical to implement.

  2. A comprehensive framework will account for those foundational capabilities you need to build but which may not be explicit in CPG 235.

  3. A framework will serve as a blueprint for all your data management activities, including other regulations and requirements (e.g. Data Privacy, CPS 230).


So how do we do this in practice? To begin with, let's take paragraphs 20 through to 68 of CPG 235 and group them into 20 concepts, as shown in the table below. I'm covering paragraphs 20 to 68 because the earlier paragraphs in CPG 235 serve as context rather than specific requirements.

| CPG 235 Concept | Paragraphs | Description |
| --- | --- | --- |
| Data Quality Management | 16-17 | Highlights the need for data quality management and emphasises the use of a broad set of dimensions to assess quality. |
| Data Classification | 18 | Emphasises the importance of categorising data based on sensitivity and criticality. |
| Benchmarking Against Industry Guidelines | 19 | Encourages assessments against industry standards to ensure current and effective data management practices. |
| Systematic Data Management Framework | 20-21 | Advocates for a comprehensive enterprise framework supported by a formally approved strategy, budget, resources, and clear milestones. |
| Principle-Based Approach | 22 | Emphasizes the importance of data management principles as part of the strategy for a consistent approach. |
| Defined Roles and Responsibilities | 23 | Focuses on defining roles such as data owners and stewards, incorporating broader roles into the framework. |
| Compliance and Exception Management | 24-25 | Requires formal compliance mechanisms, checks, balances, and systems to ensure organisational alignment with the strategy and frameworks, and advocates for having a formal process in place to manage exceptions. |
| Capability Assessment and Improvement | 26 | Encourages regular evaluations and improvements of data management maturity. |
| Data Architecture | 27-29 | Referred to as data architecture, aligns more closely with information architecture or information management, with a clear focus on metadata management, data catalogues, diagrams, and lineage. |
| Staff Awareness and Training | 30-32 | Urges education and training in data management strategies and principles for all staff. |
| Data Lifecycle Management | 33-35 | Advocates for managing data at all stages throughout its life cycle, including appropriate handling and controls at each stage from capture through processing and retention. |
| Retention, Publication and Disposal | 36-42 | A subsection of data lifecycle management. Emphasises the need for policies and controls around data retention, careful consideration of data quality in the publication of reports and datasets, both internally and externally, and effective disposal and destruction methods, aligning with the overall retention strategy. |
| Auditability | 43 | Stresses the need to be able to audit data processes for data traceability, focusing on evidencing the sequence of activities that have affected data through its life cycle, such as log files and paperwork. |
| Data Desensitization | 44 | Highlights the capability to desensitize sensitive data to reduce misuse risks. |
| End User Computing Risks | 45-46 | Points out risks with data managed outside secure environments and the need for mitigation strategies. |
| Outsourcing and Offshoring Risks | 47-50 | Stresses increased risks in outsourcing/offshoring data management, especially outside of its jurisdiction, requiring comprehensive risk assessments and control measures. |
| Data Validation including Cleansing | 50-57 | Covers the importance of data validation processes, including data cleansing, to ensure accuracy and reliability. |
| Monitoring and Management of Data Issues | 58-62 | Requires monitoring the data lifecycle to identify issues, with clear responsibilities and effective management tools. |
| Data Quality Metrics | 63-65 | Advocates for specific, measurable data quality metrics, particularly in areas of high regulatory importance or critical business impact. |
| Data Risk Management Assurance | 66-68 | Emphasises the need for regular review and assurance that data management is being implemented effectively, recommending inclusion as part of a broader enterprise assurance programme. It advises organisations to have a multi-year assurance plan to test the effectiveness of controls. |


The table above certainly distils CPG 235, but in my opinion, this is still quite an indigestible representation, with very little logic to the sequencing of these concepts. Let's demonstrate how you can leverage a comprehensive data management framework to help you align with CPG 235. I will start by sharing a simple data management framework with you. The illustration below shows an outline view of a simple framework that I have developed. There is a detailed sequence of activities and artefacts that sit behind this, but this high-level view is sufficient for this example.




The next step is mapping and sequencing the 20 summarised concepts from CPG 235 against my framework, as shown in the table below. This reorganisation presents the CPG 235 concepts in a way that I find much more logical and conducive to implementation.


For instance, paragraphs 16 to 17, which emphasise data quality dimensions, and paragraphs 63 to 65, focusing on data quality metrics, are now grouped together under the data quality monitoring theme within the framework. This consolidation appears much more intuitive than their disparate placement at either end of the CPG 235 document.

| Pillar | Theme | Concept | Paragraphs |
| --- | --- | --- | --- |
| Enablement | Charter and Framework | Systematic Data Management Framework | 20-21 |
| Enablement | Charter and Framework | Principle-Based Approach | 22 |
| Enablement | Training & Tools | Staff Awareness and Training | 30-32 |
| Enablement | Classification & Prioritisation | Data Classification | 18 |
| Enablement | Project Management | Data Risk Management Assurance | 66-67 |
| Enablement | Project Management | Capability Assessment and Improvement | 26 |
| Enablement | Project Management | Benchmarking Against Industry Guidelines | 19 |
| Information Architecture | All Areas | Data Architecture | 27-29 |
| Data Quality | Data Quality Monitoring | Data Quality Management | 16-17 |
| Data Quality | Data Quality Monitoring | Data Quality Metrics | 63-65 |
| Data Quality | Data Issue Management | Monitoring and Management of Data Issues | 58-62 |
| Data Quality | Data Issue Management | Data Validation including Cleansing | 50-57 |
| Data Quality | Data Controls Library | Data Lifecycle Management | 33-35 |
| Data Governance | Policies and Procedures | Defined Roles and Responsibilities | 23 |
| Data Governance | Policies and Procedures | Outsourcing and Offshoring Risks | 47-50 |
| Data Governance | Stewardship, Ownership & Governance | Compliance and Exception Management | 24-25 |
| Data Governance | Vendor Mgmt. & Data Sharing | End User Computing Risks | 45-46 |
| Infrastructure & Analytics | Data Storage & Security | Retention, Publication and Disposal | 36-42 |
| Infrastructure & Analytics | Data Storage & Security | Data Desensitization | 44 |
| Infrastructure & Analytics | Data Storage & Security | Auditability | 43 |


This approach of aligning CPG 235 to the framework does more than streamline the concepts for easier implementation. Should we examine the lower levels of this framework, it becomes apparent which capabilities need to be established as prerequisites for the CPG 235 guidelines, even though those capabilities, tasks, and artefacts might not be directly identified in CPG 235 itself.


In summary, while CPG 235 remains a crucial guideline in Australia's financial data management landscape, it is most effective when used in conjunction with a comprehensive, structured framework. This approach ensures a well-rounded strategy that aligns with CPG 235, enabling organisations to navigate the complexities of data management with greater ease and effectiveness.


 

Thank you for reading this article. If you found value in it, or if we share similar interests, then I'd be delighted to connect on LinkedIn. If you would like to discuss how Decaf Data can support you with training and coaching then please reach out via our contact page.
