
Achmea - Risk Based Data Governance - Pieter Ettes


ACHMEA Risk Based Data Governance

Pieter Ettes


Summary

• Achmea developed the Achmea Data Governance Framework as a generic ‘shopping list’ to improve data governance measures

• From theory and perfection to a practical approach

• The Bizzarrini moment

• Fundamental is the risk based approach, a fine balance between effort, efficiency and compliance based on operational risk

• Continuous improvement: more measures, other business areas, a larger number of data logistic processes


Context: THIS IS ACHMEA


Achmea Brands*


Merger timeline


Achmea outside the Netherlands


Our key figures


Short Overview


Drivers Achmea Data Governance Framework

• External drivers

• Upcoming Solvency II (insurance) legislation

• Demands by the Supervisor (EIOPA and DNB)

• Audit issues

“Achmea has to fully document and implement the processes that are aimed at the demonstrability of data quality, including related reports, within the set timeframe”

“Based on the criteria of “accuracy”, “completeness” and “appropriateness”, and consistent with the basic interpretations given, the undertaking shall further specify its own concept of data quality.”

“The theme for the observations at division level is the widely communicated need for centralized guidelines, standards and/or guidance”


Drivers Achmea Data Governance Framework

• Internal drivers

• Focus on data governance of financial and actuarial data used for (external and internal) reporting and management decision processes

• Business case: less workload in data quality control

• Need for consistency company-wide; one data governance cookbook which works as a shopping list

• Need for centralized guidance to all Achmea divisions (NL) and European companies


“6 layers model” structure

Each layer consists of specific measures.

The entire model has 69 measures.

• Data Ownership: Assigning responsibilities for data, processes, systems and decision-making

• Data Management: Managing specific types of data (master data, organisational structure data) that require centralized co-ordination

• Data Definition: Speaking one language. Enabling operations on data, comparing data, etc.

• Process Controls: Managing changes to data in the processes by means of measures.

• Data Logistic Chain: Managing the transfer of data from department A and system B to department C and system D.

• Data Monitoring: Monitoring the actual quality of data based on validation rules.

[Diagram labels: BigG, LittleG]


“69 measures” seems a lot, but...

• BigG implemented top-down company-wide

• Content: partly policy documents, partly measures enforced by central IT and Finance departments.

• Re-use of existing policies, processes and other evidence

• LittleG implemented in the various organizational units

• Large scale re-use of existing evidence

• Risk-based approach: to be executed if needed

Practical and pragmatic approach based on gradual improvement


The 69 measures in the Achmea Data Governance Framework

• Legal requirements Solvency II / IFRS4 etc.

• Market and proprietary models (DGI, DAMA DMBOK, KPMG, Deloitte, E&Y etc.)

• Best Practices Achmea and Achmea Strategy/ Identity

• Existing Achmea policies

[Diagram: the sources above feed the Data Governance Framework: 6 layers in model, 69 measures (= data governance cookbook)]

Data quality = defined by the degree of implementation of the 69 measures.

The Bizzarrini moment is coming...


Implementation

• 2011 Starting with a generic framework

• 2012 Learning by doing

• 2013 Improved framework, embedded in business


2011 Implementation

• Preparation early 2011

• Jan 2011 start creation Data Governance Framework to fit all requirements in one initiative

• April 2011 approval Finance Directors Board for plan

• May 2011 version 1.0, preparation for roll-out

• Roll-out second half 2011

• Aug 2011 Formation of Data Governance Taskforce

• Sept 2011 start of execution phase, concentrating on 11 most important LittleG measures (next slide)

• Audit on results early 2012


2011: Basic set of 11 in data logistic chain

[Diagram: data logistic chain with Primary system, System 1, System 2 and Formal Output, linked by interfaces and annotated with the measure numbers 1 to 11]

• Description of overall reconciliation process

• Interface list per source system

• Export files data definition list

• Data definition list per source system

• System documentation per source system

• Infrastructure SLA per source system

• Data Delivery Agreement per system (including frequency)

• Business Continuity Plan

• Quality policy per system

• CIA-triad (Confidentiality, Integrity, Availability) classification per system

• Data quality assurance policy/process

Basic Data Quality in data logistic chain


2011 Findings Implementation

• Findings audits end 2011/early 2012

• Audits revealed need for improvement plans for most divisions

• Also the generic BigG measures needed improvement

• Need for more detail:

> More guidance on how to implement

> Risk based approach needed : not every measure is always applicable

> Embedding of measures in existing control framework


2012 Implementation

• Jan 2012 delivery first batch BigG measures, complete end 2012

• June 2012 delivery of improved 11 measures ending in a re-audit

• June 2012 start rest of the LittleG measures


The Bizzarrini moment

Click this button


2012 Risk Based approach Data quality assurance cycle

• Determine scope (which systems?)

• Determine quality/acceptance criteria

Assess current set of (key) controls

Periodic risk self-assessment (+ improvement plan)

Implement plan

• Provide evidence for (key) controls

• Monitor data quality

• Monitor effects of improvement plan

Current “mix of measures”

Decision on which “mix” is necessary

periodic cycle for securing data quality at a detailed level


2012 Data quality assurance cycle

• Key aspects:

• Data quality is actively monitored

• A “mix of measures” is used for monitoring data quality

• “Mix of measures” is determined based on the specific risk profile of each system

• A limited number of measures in the Achmea Data Governance Framework is obligatory

• By means of “risk self assessment” the mix of controls will be reviewed and updated


2012 Inclusion in our Control Framework

• Problem: how to ensure that measures will stay active

• Solution: inclusion of measures in existing control framework

• control checks that will be periodically examined

• Checking of the 11 data governance measures and the data quality assurance cycle is embedded in this framework

• Inclusion in the framework assures the continuity of the data governance measures.


2013

• Formal governance in place (board level)

• Doing on group level what needs to be done

• On division level implementation

• ADGF version 2.0

• Embedded in normal business control processes, operational risk department and audit helping in imposing discipline

• Alliance with IT department: quality gates in IT process, inclusion in formal IT process guidelines

• ADGF fundamental part of other initiatives: Data Asset Management, CRM, IT roadmap


Lessons learned


Lessons learned

• Remember Bizzarrini

• Learn!

• The Data Governance Framework cannot be successfully imposed on a complex organization from a purely top-down perspective.

• In many aspects it has to be explored and discovered (within clear boundaries top-down) by all concerned

• The Achmea Data Governance Framework is a living collection of knowledge; it should be evaluated and improved on a periodic basis.


Lessons learned

• Team up!

• Multidisciplinary team with sufficient “soft” and “hard” skills

• Business and problem driven, IT is just a part of the team

• Cooperation of the ‘willing’ key persons

• Need to combine skills from IT, Business, Control, Audit etc

• Need a shared drive to learn while building

• Small project organization: activities will be executed as part of normal business routine as much as possible


Lessons learned

• Make friends!

• Pragmatism and buy-in

• Data governance is not new: already 200 years of data governance (from founding of Achmea till now)

• Let IT volunteer for what they can achieve

• KISS. We are not aiming for perfection.

• Maximum use of existing information, knowing that this will not always fit the measures as planned

• Explain that with respect to current practices improvement is needed to meet new requirements


Lessons learned

• White and blue collar!

• BigG (company wide governance) involves management at higher level

• LittleG mainly involves people who do operational work

• Each level needs its own communication and decision strategy


Lessons learned

• Focus!

• Risk based approach

• Involve internal audit to do assessments

• Aim at accepting improvement plans for repairing issues

• Continuous improvement and versioning

• Not all data processes are really important so do a triage and focus on the important ones


Lessons learned

• Routine!

• Cyclic character of data governance

• It’s not about the one-time status of data governance

• It has to become part of daily business

• So incorporate it as much as possible in the normal process cycles

• And use the existing control processes to assure compliance with your data governance measures


Lessons learned

• Proportionality!

• Not all data needs to be ruled by data governance, only data that’s being shared enterprise wide or reported externally

• The size and maturity level of each organizational unit determine the ambition level

• Take the theoretical ADG down to the level of what each unit can handle