Remember Sarbanes-Oxley (SOX)? It was supposed to ensure that controls were in place to make certain that a publicly traded company’s stated finances were in line with its actual finances. A provision of the law, SOX 404, was responsible for billions of dollars of remedial data and technology documentation and controls. If you work in an environment large enough to warrant a mainframe, chances are SOX 404 impacted how your department works with data.
The funny thing about SOX is that it had a ripple effect on IT groups. Some organizations that weren’t subject to SOX touched the data of affected organizations, and therefore had to attest and prove that they also had effective controls in place. And once the concept of attestations (the declarations of accountable parties) was introduced into IT departments for the purpose of SOX compliance, a lot of organizations started using them for other purposes. In other words, it was no longer good enough for managers and architects to write “no problems” in their status reports. They were required to attest that they knew what their objectives were and that they had personal knowledge of the actual state of progress against control objectives. IT people weren’t subject to jail time for lying the way CEOs and CFOs were. But still, employment for some IT staff hinged on these attestations.
But SOX is old news. The new news is Solvency II. It’s focused on the rationalization, harmonization, and modernization of insurance regulation in the European Union (EU).
Solvency II’s primary objective is to strengthen policyholder protection by aligning a firm’s capital requirements (the money they must have available) more closely with their risk profile. This directive seeks to instill risk awareness into the governance, operations, and decision-making of the business. And it has huge ramifications for how data is managed within the organization.
Not in Europe? Not in insurance? Think this has nothing to do with you? Think again. Solvency II requirements are providing a type of framework that’s often getting embedded into organizations’ larger Governance, Risk, and Compliance (GRC) efforts. The data portion is so common-sense that it may become a de facto standard in GRC parlance. Why should you care? GRC frameworks are used by senior leadership to align projects, processes, human resources (jobs!), and systems. IT-focused frameworks generally need to align to GRC frameworks, rather than vice versa. So, it would behoove you to know what the Solvency II data ramifications include.
Here are some regulatory requirements and European Insurance and Occupational Pensions Authority (EIOPA) comments in relation to data quality, courtesy of Ernst & Young’s guide, “Getting Up to Speed: Solvency II Data and Systems.”
Key activities and their regulatory drivers:
- Data scoping and prioritization. EIOPA advises compiling a directory of data used in the internal model and applying the principle of proportionality when considering data quality.
- Data lineage. EIOPA highlights the importance of understanding and monitoring the systems and processes used to collect, store, transmit, and process data.
- Data quality assessment. EIOPA states that internal and external data must be demonstrably appropriate, accurate, and complete.
- Data governance. EIOPA states that “data quality management is a continuous process” that should be supported by formal procedures around data definition, data quality assessment, problem and deficiency resolution, and ongoing data quality monitoring.
- Third-party dependencies. EIOPA states that internal data should be treated in the same way as external data when assessing data quality, and that the collection, storage, transmission, and processing of third-party data should be given particular focus.
Look familiar? I’ll bet these are what you’ve been preaching about your entire career! Well, now might be the time to write a memo about what needs to be done about them in your environment.