What questions will Regulators ask about data?

Given the failure of Financial Regulators to prevent the financial crisis, the pendulum of regulation is expected to swing from a “principles-based, light-touch” regulation, to a more restrictive rules-based philosophy.

Figure: Regulatory requirements pendulum swinging towards rules-based regulation

Regulation across all industries is likely to follow suit, as regulators seek to ensure their industry is not the next to collapse due to a failure to regulate.

Increasingly, regulators will ask questions about the data underpinning the regulatory submissions, and the governance processes applied to that data.

What questions do you believe regulators will ask?

9 thoughts on “What questions will Regulators ask about data?”

  1. Ken

    Excellent question. I think the first thing they’ll ask is for organisations to prove compliance to policies and rules with some clear metrics.

    I’m actually preparing a post on this aspect for the company site to publish next week…

    The second thing they’ll probably ask is for you to demonstrate that your people know what they are doing, both in terms of your BAU process people knowing what the rules of the process are, but also from the point of view of your “control” staff understanding information/data, being able to define and test business rules etc.

    Thirdly, they’ll probably want to see how you “act on fact” and deal with red flags that are raised (internal whistleblowing about poor quality) or manage discrepancies between internal management reports and published information.

    Very little of this is technology driven (but it can be technology enabled/supported) and instead goes to the fundamentals of quality:

    What is the expectation of the end customer, are you meeting that expectation, and have you got all the ducks lined up towards that purpose?

  2. As a self-professed data geek, I like this post. I think regulation puts attention back on data and ultimately will lead to the reallocation of budget dollars into data focused efforts rather than on UI related projects.
    I believe the one question, that is at the heart of all other questions, that will be asked is “How do we know this fact (fact x, if you will) is true & not the result of some underlying error?”
    In this way, all of the data disciplines (MDM, DQ, AML, AFT, etc …) will benefit and see enormous growth in the coming years.
    Great post Ken! I’ll be checking in regularly, as I often do.
    Regards,
    William

  3. Hi Ken,

    The point Daragh made about being able to demonstrate that your people know what they are doing is a good one. Particularly when it comes to business rules, and anything that may impact data.

    Personally I think Data transparency is very important. Being able to account for data, with sign-offs at each touchpoint along the journey, much like a form of Passport Control at airports, is essential.

  4. Thanks Daragh, William and Phil, for your comments.

    Daragh – I agree… the regulator will first ask for compliance to policies and rules with some clear metrics…

    I just want to explore this further for a moment. In SOX (Sarbanes-Oxley) terms, every process must have an owner, and if a process is not written down, it doesn’t exist.

    So…
    1. What are your Data Governance policies?
    (See Data Governance Issue Assessment Process for suggested policies)
    2. Who is responsible for Data Governance policies?
    3. Where are your Data Governance policies documented?
    4. How are they maintained?
    5. What controls are within them?
    6. What happens when a control event occurs?
    7. What evidence (metrics) have you got to show that these policies are in place, the process is followed, and that the control procedures are followed?

    I think the Regulator will agree with William – there is one question at the heart of all other questions, “How do we know this fact (fact x, if you will) is true & not the result of some underlying error?”.

    The UK Financial Services Authority proposed a “Data Accuracy Scorecard” or “DAS”. Specifically, in CP189 they proposed “a relatively formalised approach to data quality”, to include:
    – a risk control environment with ‘key risk indicators’ for data accuracy measures;
    – a demonstrably robust business and IT infrastructure with fully documented processes;
    – clear standards on timeliness of current data (daily, monthly, real time); and
    – a comprehensive ‘numbers based’ audit programme.

    Phil has hit the nail on the head regarding Data Transparency, and I like the airport analogy “Being able to account for data, with sign-offs at each touchpoint along the journey, much like a form of Passport Control at airports, is essential.”

    Thanks again for your input,

    Ken

  5. Pingback: Craig Newmark on Information Quality « Ken O'Connor Data Consultant

  6. Ken,
    I recently gave a presentation on behalf of the Institute of Asset Management looking at regulation and compliance in the asset intensive sector.
    Here regulators are increasingly requiring companies to ‘act on facts’ and to be able to demonstrate the evidence chain for decision making (which is verified by independent reporters). There is also growing awareness of the role that assurance plays in compliance, leading to an increasing profile of assurance teams.
    Additionally, in the water sector Ofwat require companies to provide confidence grades for data covering a grade for the source of the data and a grade for the accuracy of the data.
    At this presentation I asked delegates to consider how well their organisations would fare if SarbOx type regulation (and associated penalties) were to apply in the sector. This question was posed, not as a serious suggestion, but to get organisations to consider how far they may be away from such levels of compliance.

    • Julian,

      Thanks for the excellent examples in “Asset Management” and the “Water Sector” – much appreciated. You appear to believe that SOX type regulation is unlikely? Am I correct?

      SOX regulation may not be necessary. Existing regulation already requires organisations to provide “information”. I believe it is a “given” that the Regulator expects the information to be “fit for purpose”.

      When performing a financial audit, it is a “given”, that an organisation maintains a complete audit trail to enable the auditor to “follow the money”. Similarly, most people assume it is a “given” that Regulators can “follow the data”.

      I suspect most people, regulators included, are unaware of the complexities large organisations face locating the underlying data required to satisfy ever increasing regulatory requirements.

      I suspect most people, regulators (and senior management in the organisation) included, would be shocked to learn that details of transformations performed along the “data gathering” journey, are often not recorded, and often have no business owner. (See Craigslist founder on Information Quality)

      The above are examples of “sins of omission” rather than “sins of commission”. Nonetheless, the GIGO (Garbage In, Garbage Out) rule applies – Information provided to the regulator will be Garbage unless the underlying data is “fit for purpose”.

      We are beginning to see instances in which “the quality and reliability” of data is coming under scrutiny. This will increase.

      Just last week (Feb 2010), it was reported that “the EU Commission is seeking a change in EU law to give the European statistical agency Eurostat the right to audit national statistical agencies, following widespread criticism of the quality and reliability of Greek economic data”.

      Julian, I agree with your conclusion:

      “Organisations need to consider how far they may be away from such (Sarbox like) levels of compliance”

      To help organisations assess their own level of compliance, I have provided a Data Governance Issue Assessment Process elsewhere on my blog.

      Ken

      • Ken,

        One of the key questions here is the balance between cost of regulation and business risk. Arguably, the cost of complying with SOX type legislation will be similar, if not higher, than in financial institutions, due to the complexity of modelling and decision making and the multi-faceted nature of the asset intensive organisations.

        However, the consequence of failure is very different – in the finance world, failure can have significant adverse impacts on individuals, companies and the wider economy. For asset intensive organisations, failures of business planning may reduce profitability through incurring a higher than expected level of poorly targeted capital improvements and higher levels of unplanned maintenance. There is also far less likelihood of fraud in these cases, as the opportunities for personal gain are small.

        For these reasons, the application of rigorous SOX type regulation is unlikely, however, there is still a likelihood of tighter regulation.

  7. Ken,
    I’ve seen time and time again people sign off on important data that they knew to be incorrect. This can only be rooted out with significant backing from senior management – who don’t know that this is happening – as Craig has said (seen this too). Middle management are so worried about not upsetting the apple cart that they are suppressing the “bad news” time and time again.

    The regulators might well force senior management to properly audit data trails to prove that the data is correct – and not just rely on the signatures of those who will sign anything they are told to sign…

    Sean
