How do we define data controls that adequately mitigate risk? Part 2

Data Controls Framework

In my previous article, we looked at the importance of a Data Control Framework that takes into account the various risks that data is exposed to through its lifecycle.

The need to understand your data lineage was discussed to ensure that appropriate controls could be inserted at the right points in the process. 

In Part 2, we’ll explore how to create robust control narratives.

The need for robust Control Narratives: Gold-plating or necessity for Data Quality and Risk Mitigation?

When I talk about control narratives with clients, I’m often met with a challenge that this is “gold-plating” and an unnecessary overhead. 

Surely, so I’m told, we need to trust our skilled people to operate controls responsibly. 

So why bother?

Quite simply, the narrative is at the heart of the control.  It ensures that the control is repeatable.

Vaguely worded controls can be interpreted in different ways and therefore performed inconsistently. 

An inconsistently applied control is unlikely to mitigate the risk it was intended to alleviate.  Where this occurs, you may experience data that is incomplete or that needs corrective action downstream to compensate.

In one organisation that I was engaged in, it was noticed that the tick box which drove the premium earnings calculation was frequently incorrect. When this became apparent, management were surprised, as it was one of the key fields checked on the QA... but the QA merely checked that it was completed, not how it was completed. The control design was unfortunately flawed.

Not only that, but a clear narrative also reinforces the 3 Lines of Defence model. By being clear on how the control is supposed to function and ensuring that appropriate evidence of its operation is collected, the 2nd and 3rd Lines of Defence can easily test its operational effectiveness.

Examples of Poorly Worded Data Controls

Here are some examples of poor control narratives. 

See if you can spot why.

Example 1 – QA Check

Let’s take a QA Check against data entered into core booking systems by the Operations team.  These types of controls are prevalent in many organisations.

Narrative: A daily check takes place on the data entered to ensure it is correct. 

What is wrong with this wording?

Let’s take a look at the issues.

1. How do we know what fields are checked?
2. How does the checker know what good looks like?
3. Who is the checker in this scenario and are they suitably qualified?
4. How would 2nd/3rd Lines know that the control was operated effectively?

Example 2 – Management Review of Data

Management reviews of data represent an important control within insurance and the financial sector where data from disparate sources are brought together and summarised prior to being used in mathematical models. 

This is an important control as there are numerous risks inherent within the various data pipelines in addition to the risk involved in bringing data together and summarising it - not always in an automated fashion!

An example is the Actuarial Reserving process within an insurance company.  After the Actuarial Function has made its reserve “picks”, a review has to take place to ensure effective challenge and robustness. 

Narrative:  Actuarial picks are reviewed by management prior to data being fed back to the warehouse and allocations made.

What is wrong here?

1. What criteria are applied by management?
2. What level of management is responsible? Are they qualified?
3. How is the review documented? Is a screenshot of a calendar meeting enough?

 

Effective Control Narratives

An effective control narrative needs to include the following points to ensure that its operation is transparent and repeatable:

· Who – the team responsible for its execution
· What – the nature of the control, e.g. a QA check
· How – the methodology required to operate it
· Why – the risk that the control is designed to mitigate
· When – the frequency of operation required to be effective

Finally, a robust data control narrative must itemise the evidence required to enable the 2nd or 3rd line to audit its operating effectiveness.

An Example of a Good Control Narrative

Let’s apply the above to our operational QA control:

The QA Analyst undertakes a QA check over the previous day’s policy and premium registration bookings. 

The purpose of this control is to ensure the accuracy of the 30 identified Critical Data Elements. 

The Team Lead operates the following process:

1. Run the Bookings Report for the previous working day’s data
2. Select at random 40% of bookings, ensuring a proportionate split by team code
3. The data elements are compared between the booking system and Front Sheet
4. Discrepancies are recorded and referred to the Technician for explanation or correction
5. Non-responses by the Technician are escalated to the QA Lead after 2 working days

The result of each data element checked is recorded in the Workflow system, together with any referrals to the Technician and the responses received. 

It can be seen from the above narrative that the reason for the control and the method of operation are unambiguous, ensuring its repeatability.

A third-party reviewer, such as Internal Audit, can verify whether or not the control operation is effective. 

This process also facilitates the identification of control design effectiveness gaps, helping us to improve our control framework. 
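The QA procedure in the narrative above, sketched in Python as an added example (not the author's or any client's code). The field names, record layout and function names are hypothetical, the sample day is constructed, and it assumes per-team sample sizes round up, that "after 2 working days" means two Monday-to-Friday days have elapsed, and that public holidays are ignored.

```python
import random
from collections import defaultdict
from datetime import timedelta

SAMPLE_PCT = 40       # step 2: 40% of the previous day's bookings
ESCALATE_AFTER = 2    # step 5: working days without a Technician response
# Constructed stand-ins for the 30 Critical Data Elements.
CRITICAL_ELEMENTS = ("premium", "inception_date", "earnings_flag")
# Constructed sample day: booking 3's flag is completed but wrong, the case
# a completion-only check would pass.
BOOKINGS = [{"id": i, "team_code": "A" if i < 5 else "B", "premium": 100 + i,
             "inception_date": "2024-03-01", "earnings_flag": i != 3}
            for i in range(10)]
FRONT_SHEETS = {b["id"]: dict(b, earnings_flag=True) for b in BOOKINGS}

def stratified_sample(bookings, seed):
    """Step 2: random pick, proportionate by team code; the recorded seed
    lets a reviewer reproduce the draw. Rounding up is an assumption."""
    rng, by_team, picked = random.Random(seed), defaultdict(list), []
    for b in bookings:
        by_team[b["team_code"]].append(b)
    for team in sorted(by_team):
        rows = by_team[team]
        picked += rng.sample(rows, (len(rows) * SAMPLE_PCT + 99) // 100)
    return picked

def compare(booking, front_sheet):
    """Steps 3-4: one evidence row per element, comparing the value itself."""
    return [{"booking_id": booking["id"], "field": f,
             "booked": booking.get(f), "front_sheet": front_sheet.get(f),
             "match": booking.get(f) is not None
                      and booking.get(f) == front_sheet.get(f)}
            for f in CRITICAL_ELEMENTS]

def working_days_since(referred, today):
    """Mon-Fri days elapsed after the referral date (holidays ignored)."""
    return sum((referred + timedelta(days=i)).weekday() < 5
               for i in range(1, (today - referred).days + 1))

def needs_escalation(referral, today):
    """Step 5: unanswered after two working days goes to the QA Lead."""
    waited = working_days_since(referral["referred_on"], today)
    return referral["response"] is None and waited >= ESCALATE_AFTER

def run_qa(bookings, front_sheets, seed):
    """Evidence rows for every element of every sampled booking, pass or fail."""
    return [row for b in stratified_sample(bookings, seed)
            for row in compare(b, front_sheets[b["id"]])]
```

Storing the seed and the full set of evidence rows, including passes, is what lets a 2nd or 3rd line reviewer re-draw the sample and confirm that each element was compared by value.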

It is only by ensuring that your data controls are clearly defined, transparent and repeatable that you can have confidence in their operation and, ultimately, in the quality of the critical data required to drive your organisation's success.

 

In the next article we’ll revisit the topic of why lineage is important and how to create a business lineage that provides real value in supporting the identification of your data risks. 
