Data governance for banks: From defense to offense

When a football team is struggling to win games and a new manager is appointed, the first thing they aim to improve is often the defense. This makes sense... you can’t win games if you’re conceding 5 goals every game (just ask Arsenal).

Our experience in the field has taught us that banks tend to tackle data governance in much the same fashion. They often start a data governance programme in a defensive manner because they are facing threats – in this case it isn’t rivals scoring goals, but data regulations. BCBS239 (Basel IV), GDPR (general data protection regulation) and the EU’s new AI regulation are the most notable of these regulations. Banks are right to tackle these as fines for non-compliance can be huge.

Annoying regulations or common sense?

One of the issues we tend to see, is that data governance is seen only as a way to be compliant with these regulations. But let me challenge that vision... does data governance need to be a cost instead of an opportunity?

Let’s take a brief look at these regulations and how they affect companies in the banking sector

• GDPR
  

  Granting rights to people regarding their personal data and requiring data controllers to act responsibly with personal data.

• BCBS239
  

  To have well governed and accurate risk reporting, in contrast to manual, error-prone ad-hoc reports. And also govern data aggregation for risk data in a good way, ensuring good data sourcing is essential too.

• AI regulation
  

  Handling AI models that are stamped as “high” risk in a responsible way

So, as a result, what many companies have done to tackle these requirements is the following:

• Identifying the critical (personal and risk) data they have in the company
• Making sure that they have an overview of important risk-related reports
• Documented data lineage and identified where points of risk are in the data chain
• Put some organizational structures in place to ensure good ownership of these reports and high-risk AI-models.

Now, a lot of these steps seem like common sense, don't they? As a modern company, wouldn't you want to be in control of your reporting and know which reports you have and which ones are critical to your business? Wouldn't you want to know which data is used in which models and reports to ensure you're making quality of decisions? 

If you have critical data stored in your company, whether it's business critical or sensitive data, you'd want to manage that data with care. And most of all, you want to have a data-driven organizational structure with clear roles and responsibilities defined for certain parts of your data landscape, be it report owners, application owners, model owners, ...

That’s what data governance is all about. But despite all these efforts, we tend to see that it stops there.

We’re compliant, job done. 

Leverage your data governance efforts

As we like to say at Datashift, think possibilities! 

Don’t let your hard work go to waste. The most important structures are already in place! You have been able to identify important data in the company. You have assigned ownership on some critical reports or maybe on AI models as well.

So why stop there?

As with the football team, you probably have your defense in place. Now it’s time to gear up and switch to offense. Make use of the governance structures you’ve built and have them generate real value for your company. Help your data users to find, understand and use their data in an efficient way.

In other words, why only care about the risk reports? The principles are in place to easily try to govern other important reports. You’ve got a catalog, all that’s left now is to fill it with more information.

The same goes for the high-risk AI models. The regulator required you to make an inventory of the important models and to keep diligent documentation about them. The same way of working can be used to keep an inventory of all AI models. It can be very handy for your data scientists that they have a quick overview of all the models that have been developed, which ones are deemed as high risk, and what each of them does.

This and so much more can be achieved by following the same steps you took before to comply with regulations – assign ownership on your data, build a catalog and put structures in place that ensure that these are kept up to date.

Need help?

Are you curious to see how we can help you take your data governance program to the next level? Don’t hesitate to reach out!