Data Governance From the Actuary and Risk Management Perspectives

Considering the practices and current and future legislation in Turkey and around the world, the Solvency II framework¹ and new International Financial Reporting Standards (IFRS) regulations² (especially IFRS 9 and IFRS 17) are areas where there has been discussion recently from the actuary and risk management perspectives as well as the data dimension. Given that the framework and regulations are data-focused, and the right way to apply them depends on data quality, the importance of data governance can be seen. Figure 1 summarizes the framework and regulations.

Considering the responsibilities of actuary and risk management functions within the Solvency II framework and IFRS regulations, and risk managers’ general job description, the quality of the data used for all calculations, modeling and reporting is very important and critical to outcomes. Since the data used for calculations, modeling and reporting are kept on information systems in all institutions, ensuring data quality is mainly the data owner’s job, but the IT department is also responsible because it retains the data.

Actuaries and risk managers, the parties who use the data produced by the business functions and employ the data to produce new data, are indirectly responsible for assessing and questioning data quality. Their responsibilities continue as data owners when they create, model and report the data.

Since data are created, processed, kept, reported and archived in a distributed way in information systems (i.e., applications, databases, data warehouses and spreadsheets kept in file servers) and in processes and used for different purposes such as product management, policy production, claims, accounting and legal activities, data governance on a corporate level becomes very important from actuary and risk management perspectives. Because data may be created internally and/or obtained externally, and external stakeholders in the insurance sector are varied and include sector and economic data providers as well as agencies, service organizations and lawyers, the need for ensuring data governance rises.

From the risk management perspective, the need for data governance exists not only in the insurance sector, but also in all sectors affected by IFRS regulations. Complex information systems structures increase the need for data governance. These structures are composed of expert/source systems and accounting/reporting systems, peripheral systems for data management and reporting positioned around these systems, as well as interfaces and integrations ensuring the proper functioning of these systems.

Data governance comprises a holistic management system that describes, coordinates and manages how data move in the organization, responsibilities and data flows, and all risk and actions related to data. Therefore, data from different sources can be managed in line with the organization’s needs on the corporate level, using holistic and coordinated approaches.

Data that must be kept, processed and reported differently to meet the requirements of the Solvency II framework and IFRS regulations must comply with this framework and these regulations. In addition, a robust data governance structure must be created to meet all the organization’s business and technological needs related to data.

One of the important frameworks guiding organizations in relation to data governance is the COBIT 5 framework for the governance and management of enterprise IT (figure 2),³ which aims to manage all IT on a corporate level in a way that adds value.

The COBIT 5 framework guides the building of IT processes and structures at the corporate level in line with good practices. In this framework, data governance is handled across the organization within the framework of these processes and structures. Since data are considered to be important sources in all business and IT functions (as inputs, as parts of the process, and as outputs), IT processes and structures defined within the COBIT 5 framework have been built from this perspective.

The following parts of the COBIT 5 framework are examples of important process descriptions, management practices and activities from the data governance perspective where they mention the importance of data, information and knowledge. These selected processes, practices and activities explain the core objectives or expectations of the COBIT 5 framework from the data governance perspective and the use of data, information and knowledge in IT governance from the effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability perspectives:

• APO01 Manage the IT management framework: APO01.06 Define information (data) and system ownership—Define and maintain responsibilities for ownership of information (data) and information systems. Ensure that owners make decisions about classifying information and systems and protecting them in line with this classification.
• APO03 Manage enterprise architecture—Establish a common architecture consisting of business process, information, data, application and technology architecture layers for effectively and efficiently realizing enterprise and IT strategies.
• APO13 Manage security—Define, operate and monitor a system for information security management.
• BAI02 Manage requirements definition—Identify solutions and analyze requirements before acquisition or creation to ensure that they are in line with enterprise strategic requirements covering business processes, applications, information/data, infrastructure and services.
• BAI03 Manage solutions identification and build—Manage configuration, test preparation, testing, requirements management and maintenance of business processes, applications, information/data, infrastructure and services.
• BAI07 Manage change acceptance and transitioning—Formally accept and make operational new solutions, including implementation planning, system and data conversion, acceptance testing, communication, release preparation, promotion to production of new or changed business processes and IT services, early production support, and a post-implementation review.
• DSS01 Manage operations: DSS01.01 Perform operational procedures—activity 3—Verify that all data expected for processing are received and processed completely, accurately and in a timely manner.
• DSS04 Manage continuity: DSS04.03 Develop and implement a business continuity response— activity 4—Define the conditions and recovery procedures that would enable resumption of business processing, including updating and reconciliation of information databases to preserve information integrity.
• DSS04 Manage continuity: DSS04.07 Manage backup arrangements—Maintain availability of business-critical information.
• DSS05 Manage security services—Protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy.
• DSS06 Manage business process controls: DSS06.02 Control the processing of information—Operate the execution of the business process activities and related controls, based on enterprise risk, to ensure that information processing is valid, complete, accurate, timely and secure (i.e., reflects legitimate and authorized business use).

When these practices, processes and activities mentioned in the COBIT 5 framework are evaluated, the importance and criticality of data quality can be seen in every phase, from planning to acquiring, from building to operating, and from managing to monitoring the IT function that adds value to business processes and the organization. Thus, important steps to be taken in the IT environment are becoming more obvious to ensure data quality. As a result of managing data in line with the data-related requirements defined in the COBIT 5 framework, IT structures will serve for calculating and reporting from the actuary or risk management perspectives in addition to financial reporting in a robust way. Additionally, it is possible to build a data governance structure at the corporate level that will support analytic work. This analytic work will add value to business processes and organization and accomplish various aims.

After building an efficient data governance system, structures such as an information security management system (ISMS)⁴ and business continuity management system (BCMS)⁵ based on the relevant International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) standards can be built in a way that meets the organization’s needs regarding data security and continuity and is in line with the global standards. Similarly, although the Communiqués on Information Systems Management and Independent Audit published by the Capital Markets Board of Turkey^{6, 7} do not require certification of compliance with the mentioned standards, they demonstrate the requirements and the expectations related to these subjects.

In addition to operational requirements and reporting requirements, local and global legislation on data protection, such as Turkish Personal Data Protection Law⁸ and the EU General Data Protection Regulation (GDPR),⁹ also require the implementation of steps for data governance processes; thus, they accelerate and guide the related processes.

Consequently, data governance is becoming more important from the actuary and risk management perspectives, and the need for organizations to develop an approach that considers legislation and regulations related to this issue has arisen. In this regard, the COBIT 5 framework offers a data governance approach to guide organizations.

Therefore, it is advisable that a data governance structure be built, and data ownership, responsibilities and criteria be determined to meet direct and indirect requirements defined in the Solvency II framework and IFRS regulations in a way that complies with the COBIT 5 framework’s data governance requirements and covers all stakeholders. The current data governance approach should be revised accordingly and current data should also be tackled and reorganized under this approach. Meanwhile, other compliance and organization targets must be taken into account and compliance must be ensured at the corporate level.

Endnotes

¹ European Insurance and Occupational Pensions Authority, “Solvency II,” eiopa.europa.eu/regulation-supervision/insurance/solvency-ii
² International Financial Reporting Standards, List of IFRS Standards, www.ifrs.org/issued-standards/list-of-standards/
³ ISACA, COBIT 5, USA, 2012
⁴ International Organization for Standardization/ International Electrotechnical Commission, ISO/IEC 27001:2013, Information technology—Security techniques—Information security management systems—Requirements, 2013, www.iso.org/standard/54534.html
⁵ International Organization for Standardization/International Electrotechnical Commission, ISO/IEC 22301:2012, Societal security—Business continuity management systems—Requirements, 2012, www.iso.org/standard/50038.html
⁶ Capital Markets Board of Turkey, Bilgi Sistemleri Yönetimi Tebliği, Turkey, 2018, mevzuat.spk.gov.tr/
⁷ Bilgi Sistemleri Bağımsız Denetim Tebliği, Turkey, 2018, mevzuat.spk.gov.tr/
⁸ Personal Data Protection Agency of Turkey, Personal Data Protection Law, Turkey, 2016, www.mevzuat.gov.tr/Metin1.Aspx?MevzuatKod=1.5.6698&MevzuatIliski=0&sourceXmlSearch=6698&Tur=1&Tertip=5&No=6698
⁹ European Parliament, General Data Protection Regulation, 2016, gdpr-info.eu/