If you have worked in the data management area within Financial Services in Australia, then you are most likely familiar with APRA's Prudential Practice Guide CPG 235. This guide, established in 2013, outlines best practices for data management and it has significantly influenced the Data Management focus and strategy of banks, insurers, and superannuation funds across the country over the last decade.
Now, even though CPG 235 has been around for over a decade, aligning with its guidelines is still a challenge and an ongoing effort for most organisations. Indeed, recent reflections by APRA, including a note they published in November 2023, highlighted that, whilst there has been progress in recent years, there is still a significant journey ahead.
In my experience, distilling the CPG 235 guidance into a tangible, actionable strategy is daunting for many. The guide itself has 11 content pages and 68 distinct paragraphs, each representing a requirement. The content within each individual paragraph is generally straightforward and practical. However, the structure of the document is, to my mind, somewhat disjointed. It leads to repetition, with many related concepts scattered across different parts of the document. This in turn often leads organisations to create erratic and disjointed implementation plans.
A common mistake is to misinterpret CPG 235 as a framework or as a structured blueprint for data management, which it explicitly is not. We know this because paragraph 2 states it is “not an all-encompassing framework” and paragraph 9 notes that “examples of controls provided are by no means exhaustive”. CPG 235 is intended as a reference rather than as a prescriptive blueprint. As such, it lacks the cohesive structure needed for implementation and it omits many of the foundational capabilities needed to support its guidelines.
So, how should one approach CPG 235? In my opinion, the key is to develop a comprehensive framework independent of CPG 235 (using something like DCAM or DMBOK as a basis). A well-structured, comprehensive framework provides the clarity and implementation-friendly sequence that CPG 235 lacks. Once your framework is established, use CPG 235 for comparison and gap analysis. Address any discrepancies and prioritise aspects of your framework that align closely with CPG 235. This approach offers some significant advantages.
A framework is structured in a way that can be transposed to a sequenced roadmap for execution, making it far more practical to implement.
A comprehensive framework will account for those foundational capabilities you need to build but which may not be explicit in CPG 235.
A framework will serve as a blueprint for all your data management activities, including other regulations and requirements (e.g. Data Privacy, CPS 230).
So how do we do this in practice? To begin with, let's take paragraphs 20 through to 68 of CPG 235 and group them into 20 concepts, as shown in the table below. I'm covering paragraphs 20 to 68 because the earlier paragraphs in CPG 235 serve as context rather than specific requirements.
CPG 235 Concept | Paragraphs | Description |
--- | --- | --- |
Data Quality Management | 16-17 | Highlights the need for data quality management and emphasises the use of a broad set of dimensions to assess quality. |
Data Classification | 18 | Emphasises the importance of categorising data based on sensitivity and criticality. |
Benchmarking Against Industry Guidelines | 19 | Encourages assessments against industry standards to ensure current and effective data management practices. |
Systematic Data Management Framework | 20-21 | Advocates for a comprehensive enterprise framework supported by a formally approved strategy, budget, resources, and clear milestones. |
Principle-Based Approach | 22 | Emphasizes the importance of data management principles as part of the strategy for a consistent approach. |
Defined Roles and Responsibilities | 23 | Focuses on defining roles such as data owners and stewards, incorporating broader roles into the framework. |
Compliance and Exception Management | 24-25 | Requires formal compliance mechanisms, checks, balances, and systems to ensure organisational alignment with the strategy and frameworks, and advocates for having a formal process in place to manage exceptions. |
Capability Assessment and Improvement | 26 | Encourages regular evaluations and improvements of data management maturity. |
Data Architecture | 27-29 | Referred to as data architecture, aligns more closely with information architecture or information management, with a clear focus on metadata management, data catalogues, diagrams, and lineage. |
Staff Awareness and Training | 30-32 | Urges education and training in data management strategies and principles for all staff. |
Data Lifecycle Management | 33-35 | Advocates for managing data at all stages throughout its life cycle, including appropriate handling and controls at each stage from capture through processing and retention. |
Retention, Publication and Disposal | 36-42 | A subsection of data lifecycle management. Emphasises the need for policies and controls around data retention, careful consideration of data quality in the publication of reports and datasets, both internally and externally, and effective disposal and destruction methods, aligning with the overall retention strategy. |
Auditability | 43 | Stresses the need to be able to audit data processes for data traceability, focusing on evidencing the sequence of activities that have affected data through its life cycle, such as log files and paperwork. |
Data Desensitization | 44 | Highlights the capability to desensitize sensitive data to reduce misuse risks. |
End User Computing Risks | 45-46 | Points out risks with data managed outside secure environments and the need for mitigation strategies. |
Outsourcing and Offshoring Risks | 47-50 | Stresses increased risks in outsourcing/offshoring data management, especially outside of its jurisdiction, requiring comprehensive risk assessments and control measures. |
Data Validation including Cleansing | 50-57 | Covers the importance of data validation processes, including data cleansing, to ensure accuracy and reliability. |
Monitoring and Management of Data Issues | 58-62 | Requires monitoring the data lifecycle to identify issues, with clear responsibilities and effective management tools. |
Data Quality Metrics | 63-65 | Advocates for specific, measurable data quality metrics, particularly in areas of high regulatory importance or critical business impact. |
Data Risk Management Assurance | 66-68 | Emphasises the need for regular review and assurance that data management is being implemented effectively, recommending inclusion as part of a broader enterprise assurance programme. It advises organisations to have a multi-year assurance plan to test the effectiveness of controls. |
The table above certainly distils CPG 235, but in my opinion, this is still quite an indigestible representation, with very little logic to the sequencing of these concepts. Let's demonstrate how you can leverage a comprehensive data management framework to help you align with CPG 235. I will start by sharing a simple data management framework with you. The illustration below shows an outline view of a simple framework that I have developed. There is a detailed sequence of activities and artefacts that sit behind this, but this high-level view is sufficient for this example.
The next step is mapping and sequencing the 20 summarised concepts from CPG 235 against my framework, which is shown in the table below. This reorganisation presents the CPG 235 concepts in a way that I find much more logical and conducive to implementation.
For instance, paragraphs 16 to 17, which emphasise data quality dimensions, and paragraphs 63 to 65, focusing on data quality metrics, are now grouped together under the data quality monitoring theme within the framework. This consolidation appears much more intuitive than their disparate placement at either end of the CPG 235 document.
Pillar | Theme | Concept | Paragraphs |
--- | --- | --- | --- |
Enablement | Charter and Framework | Systematic Data Management Framework | 20-21 |
Enablement | Charter and Framework | Principle-Based Approach | 22 |
Enablement | Training & Tools | Staff Awareness and Training | 30-32 |
Enablement | Classification & Prioritisation | Data Classification | 18 |
Enablement | Project Management | Data Risk Management Assurance | 66-67 |
Enablement | Project Management | Capability Assessment and Improvement | 26 |
Enablement | Project Management | Benchmarking Against Industry Guidelines | 19 |
Information Architecture | All Areas | Data Architecture | 27-29 |
Data Quality | Data Quality Monitoring | Data Quality Management | 16-17 |
Data Quality | Data Quality Monitoring | Data Quality Metrics | 63-65 |
Data Quality | Data Issue Management | Monitoring and Management of Data Issues | 58-62 |
Data Quality | Data Issue Management | Data Validation including Cleansing | 50-57 |
Data Quality | Data Controls Library | Data Lifecycle Management | 33-35 |
Data Governance | Policies and Procedures | Defined Roles and Responsibilities | 23 |
Data Governance | Policies and Procedures | Outsourcing and Offshoring Risks | 47-50 |
Data Governance | Stewardship, Ownership & Governance | Compliance and Exception Management | 24-25 |
Data Governance | Vendor Mgmt. & Data Sharing | End User Computing Risks | 45-46 |
Infrastructure & Analytics | Data Storage & Security | Retention, Publication and Disposal | 36-42 |
Infrastructure & Analytics | Data Storage & Security | Data Desensitization | 44 |
Infrastructure & Analytics | Data Storage & Security | Auditability | 43 |
This approach of aligning CPG 235 to the framework does more than streamline the concepts for easier implementation. Should we examine the lower levels of this framework, it becomes apparent which capabilities need to be established as prerequisites for the CPG 235 guidelines, even though those capabilities, tasks, and artefacts might not be directly identified in CPG 235 itself.
In summary, while CPG 235 remains a crucial guideline in Australia's financial data management landscape, it is most effective when used in conjunction with a comprehensive, structured framework. This approach ensures a well-rounded strategy that aligns with CPG 235, enabling organisations to navigate the complexities of data management with greater ease and effectiveness.
Thank you for reading this article. If you found value in it, or if we share similar interests, then I'd be delighted to connect on LinkedIn. If you would like to discuss how Decaf Data can support you with training and coaching then please reach out via our contact page.