This document discusses how to validate risk data from various sources. It recommends auditing risk data to ensure accuracy, completeness, and relevancy. Some techniques mentioned include stratifying data ranges to identify outliers, sampling data to compare against real-world evidence, and checking for missing or incorrect values. The document also discusses characteristics to audit like metadata, data sources, and access logs. Overall it emphasizes assigning data ownership, automating validation rules, and defining processes to accept and cleanse risk data entering models.

1. Prof. Hernan Huwyler, MBA CPA
How to validate
your risk data

2. Matching your risk
management approach
and your data reality

3. TARGET
Acquired or
generated risk and
incident data
should be audited
BIG or BAD
DATA?
PROBLEM
Adding a new risk
caused by
uncertainties on
data quality
01
Risk data should be
relevant for the
decision-making
02
Trash in, trash out
03

4. Stratify ranges and correlate
variables to idenfity outliners and
anormalities
Select samples to compare against
real-world evidence
Check categories with unassigned,
wrong formats or null values
Accuracy

5. Find gaps, index duplications
and missing data
Match categories against the
risk assessment scope >
encompass all sites, assets and
periods
Address data invisibles
Completeness

6. Depurate risk data from cases
which are not relevent to
predict risks > not longer
present risk sources
Remove outdated data
Detect noises from risk datasets
Relevancy

7. How to audit
Characteristics
Metadata
Reperform
extraction,
transformation and
loading rules
Data assets
Identify sources,
owners and
functional
descriptions
Test locations,
conditions and
values
Test that metadata is
operational for the risk
assessments
Converstion

8. How to audit
Logs
Documentation
Test the efective
deletion of non-used
risk data
Access
Review reasons for
write and read
accesses
Ensure that logs for
changes and
interfaces are
reviewed
Trace back risk data to
the evidence of events
with time stamps
Retention

9. Tips
Ownership
Assign the custody of risk data to continuously
ensure quality standards and business definitions
Automation
Create data queries with repeatable validation rules
when risk data is created or acquired
Enrichment
Revalidate rules for enriching, aggregating and
profiling risk data while considering biases
Cleansing and backtesting
Define a centralized process to accept the risk data
populating the model
Poor data quality is
the hidden Nemesis
of risk model s
Extend financial
controls tp risk data
is a good idea

10. Basel Committee Principles for effective risk data aggregation and risk reporting BCBS 239
34. Roles and responsibilities should be established as they relate to the ownership and
quality of risk data and information for both the business and IT functions. The owners
(business and IT functions), in partnership with risk managers, should ensure there are
adequate controls throughout the lifecycle of the data and for all aspects of the technology
infrastructure. The role of the business owner includes ensuring data is correctly entered by he relevant
front office unit, kept current and aligned with the data definitions, and also
ensuring that risk data aggregation capabilities and risk reporting practices are consistent
with firms’ policies.
40. Supervisors expect banks to measure and monitor the accuracy of data and to
develop appropriate escalation channels and action plans to be in place to rectify poor data
quality.
43. Supervisors expect banks to produce aggregated risk data that is complete and to
measure and monitor the completeness of their risk data. Where risk data is not entirely
complete, the impact should not be critical to the bank’s ability to manage its risks effectively.
Supervisors expect banks’ data to be materially complete, with any exceptions identified and
explained.
Compliance requirements

11. Let’s connect
@hewyler
@hewyler
in/hernanwyler/

12. Risk, Data, Decisions -
Making Risk Management
Work from "No Data" to
"Big Data"