Over the last year and a half, the Australian Prudential Regulation Authority (APRA) have been busy conducting reviews and surveys of data risk practices and maturity across a range of financial services, including deposit-taking institutions, super-funds, and insurers. The bottom-line? Progress, but improvement needed (read more here).
Clearly, these organisations operate in one of the most heavily regulated sectors in Australia (and globally), but data risk affects every sector. Whether it’s the possible regulatory, customer, financial and brand impact connected to the risk of a data breach; or the day-to-day operational cost of poorly managed and maintained data; or the many risks with failing to comply with key legislation such as the upcoming changes to the Privacy Act; we believe that APRA’s findings are essential reading for every organisation managing data in Australia today.
Whilst APRA noted some improvements in the surveys, the key findings all point to organisations facing the same problem: the data practices they have implemented to manage data risk, usually falling under the umbrella of data governance and data quality, are not fully integrated into their business. In short, they have not successfully created a data driven culture, and the same is true of most Australian businesses.
So why is that a problem?
In a non-data driven culture, the average employee or team does not appreciate that they have responsibilities to maintain and improve the overall quality and governance of data within an organisation. They might not appreciate the full impact of a duplicated store of customer information, or an uncompleted data field, or a technology process that incorrectly transforms a value which downstream processes use. Ultimately, the goal of data governance and data quality is to deliver a better outcome for customers, not just to comply with regulation. If you can’t trust that every location of critical data is understood, that the lineage of critical data is clear, or that the organisation as a whole is genuinely trying to improve data quality (rather than just measure it), how will that goal be achieved? Examples of where a lack of a data-driven culture may have contributed to consumer impact include organisations who have failed to identify double-charging of customers, or failed to respond to requests for payment plans, or who have experienced data breaches that have increased real and perceived risks of identity theft.
APRA understands that these are not processes and procedures for their own sake, that they aim to have a materially positive impact for the consumer (and organisation that implements them). This is why their communication and guides focus on the benefits for stronger data practices, as well as stating that data practises do not end with compliance (from CPG 235: “APRA expects that a regulated entity … will implement controls around data, including in areas not addressed in this [guide]”
What can we learn from APRA’s findings?
APRA makes six recommendations or considerations for better data practices, such as establishing data governance, providing clarity on roles and responsibilities, identifying critical data elements, and establishing data quality monitoring. These are key pillars for achieving a data driven culture for all organisations managing significant volumes of data, or high-risk data, however it’s APRA’s view on the road ahead that offers the most insights into what is proving difficult for organisations. APRA’s four key focus areas are:
- “data practices aren’t consistently integrated into business-as-usual activities and are often being performed as an additional exercise, impacting efficiency”
- “entities haven’t consistently made the connection between enhancing data practices and better decision-making”
- “entities are struggling to quantify data inaccuracies across key reports, models, and scenarios, resulting in limited risk reduction”
- “improvements in data practices aren’t considering the full requirements of business end-users and solutions aren’t always fit for purpose, resulting in reduced ability to enhance the quality of reporting provided to senior leadership”
Ultimately, these focuses are all related to organisational culture. So, whilst APRA observed many technological transformation changes such as cloud data storage, data lake-houses, or data mesh architecture; or organisational transformations such as the creation of a data office; it is cultural transformation that needs focus. Here are some (and by no means exhaustive) suggestions on what to consider to move to a data-driven culture:
- Leadership awareness & education is crucial: Do your leaders have access to examples or data that measures the maturity of your data-driven culture, and the impact issues have? Measuring “culture” can be difficult, but 2 tools can help: i) examples of data quality issues that have created material financial (or other) impact can demonstrate real costs, and ii) data maturity survey data, if representatively collected across an organisation, can measure the likelihood of where else data quality issues may have material impact. Collecting data maturity survey data can be as simple as an online form, distributed across your organisation, however thought must go into question design, minimum representative responses rates and frequency of collection in order to be meaningful.
- What’s measured is what’s important: Do your leaders and managers have data governance and quality key performance indicators (KPIs) in their performance metrics? KPIs are designed to drive focus, so incorporating data KPIs for roles across an organisation sets the tone for what is expected for “business-as-usual”. Consider incorporating data KPIs across all management layers and/or training new management hires on the importance of data-focused KPIs relevant to their areas.
- Data needs to be everyone’s responsibility: Are individuals and teams within your organisation clear on their role, for example, what data they create, how it is primarily used, how long it is retained and what their responsibilities are to maintain it? Aside from KPIs mentioned above, consider whether the documentation and processes that govern data creation and ownership extend fully into your business, to an individual and team level. For example, anyone who has worked in retail will be familiar with a “stock check” and why it’s important, which is a form of data quality or governance process; what are the stock checks for the data in each area of your business that you create or maintain?
- Serve your users and get critical momentum: Are your data quality and data governance initiatives user-focused? Do they create a value exchange with their end-users? The most successful products prioritise usability and offer a value exchange for the user; in the case of data quality or governance, the value exchange is: “if I invest time in fixing data, or recording metadata, how does that quickly make my job easier or mitigate personal risk?”. As a user, if it doesn’t make my job easier, I won’t do it unless I’m told to; if it does make my job easier, or reduces the potential for making an error with personal repercussions, I’ll more than likely adopt it rapidly. Consider maximising the usability of data dashboards and data catalogues to offer end-user value. Increase tailored education and training linking the impact of data quality back to the individuals’ ability to perform their jobs effectively and the inherent risks of basing decisions and performing critical processes on poor quality and ill-governed data. If you find yourself in a crisis situation, data you can trust, and a clear view of data lineage can be the difference between damage limitation and amplification. Also consider reward and recognition for those who are embracing accountability for data quality and governance fundamentals. Engaged users are the fuel for effective data programmes.
Is time running out to become data-driven?
Whilst compliance can often be seen as the cost of doing business, listening to APRA’s recommendations is actually the key to unlocking a generational data opportunity that is now starting to mature, AI. Failing to heed their recommendations will be an existential threat to many organisations, whichever sector they are in.
It is clear to all that a major shift is underway with the emergence of democratised AI; AI technology that any organisation can leverage, and to say that it has captured the imagination (and expectations) of consumers is an under-statement. However, as many organisations are finding out, deploying AI effectively can be a double-edged sword without large amounts of good quality data.
Of those organisations that effectively turn AI into a market-shifting competitive advantage and avoid falling to irrelevance, truly data-driven organisations will be the majority. There may be some data luddites that fortuitously survive due to their market position or other reasons, but for those who are not on a journey to becoming data-driven, time is running out.