Data and Model Risk Assurance

Data Governance and Model Risk Assurance

Poor data governance is the risk that sits underneath almost every other risk. When the data feeding your models, your regulatory returns, and your management information cannot be trusted, everything built on top of it is compromised. We provide independent assurance over data quality, governance, and model risk controls.

Data risk has regulatory consequences. BCBS 239 requires banks to demonstrate accurate, timely and complete risk data aggregation. The PRA's model risk supervisory statement (SS1/23) sets expectations for model governance, validation and audit coverage. The FCA expects firms to have data they can rely on for regulatory reporting and conduct risk management. Internal audit that does not cover data governance and model risk is leaving a significant gap.

Where most audit plans fall short

Data governance typically appears in audit plans as a one-off thematic review that checks whether a data governance policy exists and whether a data owner has been assigned. That is a process audit. It does not tell you whether the data the firm relies on for key decisions is accurate, complete, and timely, or whether the models consuming that data are producing reliable outputs.

The regulators care about the latter. BCBS 239 supervisory reviews, PRA model risk examinations, and FCA conduct risk assessments all probe the quality of underlying data and the governance of models that depend on it. Internal audit needs to get there first.

Our approach

We treat data governance and model risk as connected disciplines, not separate silos. Data quality failures create model risk. Model governance gaps create regulatory reporting risk. Our assurance work is designed to surface the connections between these risks rather than audit them in isolation.

Assurance across data governance and model risk

From data quality audits to full model risk programme reviews, structured around your regulatory obligations.

Data governance framework audit

Assessment of your data governance framework: ownership accountabilities, data quality controls, lineage, metadata management and the governance bodies responsible for data risk decisions. Tests whether the framework is operating or just documented.

Data quality and integrity review

Targeted testing of data quality in critical processes: regulatory reporting, risk management MI, customer records, and systems feeding models or automated decisions. Identifies where data quality failures are creating downstream risk before they create regulatory problems.

Model risk programme audit

Full audit of your model risk management programme against PRA SS1/23, covering model inventory completeness, development standards, independent validation processes, approval governance, ongoing monitoring, and the role of internal audit in the three lines of defence.

BCBS 239 compliance assurance

For banks and significant subsidiaries in scope of BCBS 239, independent assurance over the firm's compliance programme and the completeness of risk data aggregation and reporting capabilities. Includes gap analysis against the fourteen principles and readiness assessment for supervisory review.

Regulatory reporting data audit

Targeted assurance over the data feeding key regulatory returns, including COREP, FINREP, PRA and FCA returns. Tests completeness, accuracy and timeliness of source data, the controls in the reporting process, and the governance over sign-off and attestation.

Data governance and AI readiness

For firms preparing to deploy AI or facing regulatory scrutiny over existing AI systems, assessment of whether the underlying data governance is adequate to support model compliance. Connects to our AI governance audit practice for end-to-end technology risk assurance.

Firms where data quality and model risk are material

  • Banks and large financial institutions subject to BCBS 239 risk data aggregation requirements
  • Firms subject to PRA SS1/23 model risk management expectations
  • Internal audit functions that need to build data governance and model risk into their annual plan
  • Firms where regulatory reporting errors have attracted FCA or PRA scrutiny
  • Any firm using models in credit, pricing, fraud detection or AML that needs independent validation coverage
  • Firms preparing for AI deployment that need to validate that their data governance is adequate

Data governance or model risk in your sights?

Whether it is BCBS 239 readiness, a model risk programme review, or targeted data quality assurance, we scope the right work for your situation and regulatory obligations.