FSA data review stock take. Dean Buckner Financial Services Authority March 2012


Agenda
- FSA data review process
- Common themes
- Next steps

FSA data review: in three acts
- Act 1: Review of approx. 25 firms. Objective: determine dependencies in the Data & Systems work stream; understand material data flows; agree scope and timing of the external review
- Act 2: Scene 1, the firm's internal audit performs the review. Scene 2, FSA review of the review
- Act 3: Selective deep dive

Timings
- Act 1: September 2011 to April 2012
- Act 2: March 2012 to Q1 2013
- Act 3: Q2 2012 to Q3 2013

Common themes (Act 1)
- Data governance operating model
- Data directory maintenance
- Data transformation
- Pervasive use of spreadsheets
- Data semantics
- Dependency on IT

Data operating model
- Needs careful design
- Design of the operating model is not the same thing as policy design
- Needs a manager! Some firms have appointed permanent managers; others are using the project manager until BAU; others are using their existing governance frameworks and applying them to data risk & controls.

Other issues with data governance
- Inconsistent definition of data classification, ownership and responsibility
- Impact and materiality assessment: firms are slowly getting to grips with this and there is no consistent approach.

Data directory maintenance: three different approaches
- Tight coupling: structured directory, updated automatically
- Loose coupling: structured directory, semi-automatic update
- No coupling: freeform, unstructured, updated manually

Directory maintenance trade-offs
- Tight coupling. Benefit: hardly any maintenance, automatic update. Cost: a pain to build, dependent on IT
- Loose coupling. Benefit: relationships can be accurately represented. Cost: highly skilled maintenance
- No coupling. Benefit: no dependence on IT, flexibility. Cost: doesn't reflect reality, staff costs may prove prohibitive, possibly error prone
The FSA will not be prescriptive.

Data transformation

Data is not just moved
- The idea of "data movement" comes from IT: N bytes of data are copied from system A to system B. This kind of movement is trivial and uninteresting.
- Typically, when data passes from A to B, stuff happens: data sets are joined, merged, mapped, and often transformed in exotic and interesting ways. Data is operated on.

Examples of data transformation
- Extrapolation, interpolation
- Extraction of key economic features: a bond position is turned into a sensitivity
- Calibration of risk factor stress

Scope of data transformation
All material transformations of data outside the IM Kernel are in scope of the review. This includes:
- Testing to confirm that the implementation (e.g. using spreadsheets, ETL, etc.) complies with its design specifications
- Data quality checks to ensure that the output of the transformation reflects the input data
Where the transformation is functional, and its design involves expert judgment, the design or methodology or functional specification of the transformation is out of scope.

Data semantics

What is semantics?
- Semantics = fancy word for meaning
- Data records are made up of symbols which have a syntax and a meaning
- The same term can have a different meaning for different systems
- Different terms can have the same meaning for different systems

Meaning and translation
- Human dictionaries translate a term in one language into a term in another language with the same meaning: "omnis" in Latin has the same meaning as the English quantifier "every"
- So different computer systems need translation or mapping tables

Semantic errors
- Many errors result from changes in the upstream meaning or basis of a term not being appropriately reflected downstream
- Basis is the hardest data characteristic to document and may well be the most frequent or material cause of error (see war stories below)

War story 1
- A firm thought that its bodily injury motor claims estimates were not keeping pace with rapid inflation, so it changed its claims diary from 12 months to 6 months. Claims would be reviewed every six months, ensuring that case reserves were updated for claims inflation more frequently.
- The effect of reviewing small claims more often was that smaller claims were settled earlier and the surplus in the case estimates was released more quickly.
- Staff change meant loss of knowledge about the change, so the reason for the distortion of the claims data was not understood.
- Result: significant underestimation of claims reserves. An action that was intended to be prudent resulted in material under-reserving.

War story 2
- The upstream system was sending credit swap positions using a single column: long position positive, short position negative.
- For the new implementation, the one column was changed to two: the amount of the position is now always positive, and a new column carries a B (buy) or S (sold) flag.
- The downstream system was never notified. The first column remained the same, so nothing broke, and no preventative alarm was raised.
- Result: the downstream system thought all the short positions were really long positions. This led to a material mis-estimation of the firm's exposure.

War story 3
- The upstream system didn't understand inflation bonds. These pay a fixed coupon plus an inflation factor computed using external data, so they were booked as standard bonds, with the coupon adjusted upwards to compensate for the inflation factor. This is very common practice for old systems which cannot represent new products without major engineering works.
- But the downstream system did understand inflation bonds, and assumed the upstream coupon amount was merely the fixed coupon component. So it added on an extra inflation factor which had already been included in the artificially adjusted coupon.
- Result: more material mis-estimation of exposure.

Controls over basis change
- Genuinely very difficult: getting computer systems to communicate with one another is one of the great unsolved problems of computer science
- Common methods include: quantitative change analysis; impact assessment; corporate memory; basic reconciliation or reasonableness checks
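The basis change of war story 2 and the controls listed on this slide, as an added Python example that is not part of the FSA deck: the feed layout, column names and notional values are constructed for illustration, and the three checks (schema drift, sign-profile drift, reconciliation of two readings of the same feed) are one way to implement "quantitative change analysis" and "basic reconciliation" for a position feed.

```python
import csv
import io

# Constructed sample feeds (not real data). Previous basis: one signed column,
# long positions positive, short positions negative.
PREV_FEED = """ref,notional
CDS001,5000000
CDS002,-3000000
CDS003,-1500000
"""
# Current basis: unsigned amount plus a B/S flag. Downstream was never told.
CURR_FEED = """ref,notional,side
CDS001,5000000,B
CDS002,3000000,S
CDS003,1500000,S
"""

def parse_feed(text):
    return list(csv.DictReader(io.StringIO(text)))

def naive_net(rows):
    """What the unchanged downstream system computes: it only knows 'notional'."""
    return sum(float(r["notional"]) for r in rows)

def side_aware_net(rows):
    """Mapping table from the new basis (amount + side) back to a signed notional.
    Rows without a 'side' column are taken to be on the old signed basis."""
    sign = {"B": 1.0, "S": -1.0}
    return sum(sign[r["side"]] * abs(float(r["notional"])) if "side" in r
               else float(r["notional"]) for r in rows)

def negative_share(rows):
    """Fraction of rows with a negative notional: the simplest sign profile."""
    vals = [float(r["notional"]) for r in rows]
    return sum(v < 0 for v in vals) / len(vals)

def basis_change_findings(prev_rows, curr_rows, shift_tol=0.25):
    """Compare today's feed with the previous one and return a list of findings."""
    findings = []
    prev_cols, curr_cols = set(prev_rows[0]), set(curr_rows[0])
    if prev_cols != curr_cols:  # schema drift: a column appeared or vanished
        findings.append("schema: added %s, removed %s"
                        % (sorted(curr_cols - prev_cols), sorted(prev_cols - curr_cols)))
    p, c = negative_share(prev_rows), negative_share(curr_rows)
    if abs(p - c) > shift_tol:  # quantitative change analysis on the sign profile
        findings.append("sign profile: negative share %.2f -> %.2f" % (p, c))
    naive, aware = naive_net(curr_rows), side_aware_net(curr_rows)
    if abs(naive - aware) > 1e-6:  # reconciliation of two readings of one feed
        findings.append("reconciliation: naive net %.0f vs side-aware net %.0f" % (naive, aware))
    return findings
```

Run against the two constructed feeds, all three controls fire; run against two copies of the old feed, none do, which is the point: the check has to compare feeds over time, because a single feed on the new basis looks perfectly well-formed.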

Dependency on IT

Impact of major IT implementations
- Key principle: what we review is what you apply for
- If we review a tactical solution, then that is what you are applying for
- But what if there is a major strategic solution in the pipeline? Then we still review the tactical solution, and the strategic solution is a model change

What is model change?
- The change policy is key: what items, systems and transformations related to data are part of the model change policy?
- Change of platform only (same software and methodology)?
- Change of software only, no methodology change?
- Change of methodology?

Next steps

Act 2
Act 2 is marking the completed external reviews as they are returned by the firms. Criteria:
- Geographical, legal entity and systems scope should be proportionate [rewrite]
- Impact of a finding should be clear and unequivocal
- Due dates must be consistent with the application process
- Was there sufficient operational testing? (One end-to-end flow is probably not enough.)

Materiality
- What materiality criteria were used to determine the scope of the audit and to assess the impact of a finding / residual risk?
- Has audit considered: justification for determining materiality thresholds? consistency of materiality assessment with other policies? identification of future risks? possibility of material error caused by aggregation of errors which are not material singly?

External review format
- No precise criteria, except that it must include the FSA schedule at the top (as specified on our website).
- As per the scoping document, the Act 2 results submission should include an executive summary, the FSA schedule, followed by details of each finding.
- Nice to have: an appendix of detailed findings, cross-referenced from the main schedule. Detailed findings to include rating, observation, clear articulation of impact and consequence, recommendation and management action plan with precise dates. Mitigating factors?

Act 3
Act 3 is an optional deep dive following themes identified by Act 2.

Questions & Comments