Outsourcing increases data management risks: APRA

Outsourcing data management responsibilities may exacerbate the risk in an institution's data lifecycle controls, the Australian Prudential Regulatory Authority (APRA) has warned.

In its prudential practice guide on data management, APRA said regulated institutions needed to ensure the maintenance of the quality of critical and sensitive data when entering into a data outsourcing arrangement.

The partnership would need to demonstrate that it placed no impediments on the regulator's duties and that it complied with legislative and prudential requirements, it said.

Institutions needed to show they could carry on with operations and core obligations if the provider experienced any loss of service, according to the guide.

APRA said offshoring could introduce even more risks including control framework variations, lack of proximity, reduced corporate allegiance, geopolitical risks and jurisdictional-specific requirements.

Institutions needed to make informed decisions about whether their risk appetite could handle the additional risks, it said.

APRA said it expected institutions to conduct a detailed risk analysis of the underlying service arrangement, covering the provider, its location, and the critical nature and sensitivity of the data involved.

It listed enterprise frameworks such as IT security, project management, system development, business continuity management, outsourcing/offshoring management, risk management and delegation limits as necessary steps to managing data outsourcing risks.

An understanding of the impacts on business processes and sensitivity of the data was also important in assessing a provider's suitability, APRA said.

APRA said it was necessary that board and senior management understood and accepted the risks involved, with the knowledge that any arrangements would be reviewed periodically in line with an institution's risk management framework.

APRA said it envisaged a regulated institution would implement appropriate controls to ensure data quality requirements were met at each stage of the data lifecycle.



