CPG 235 is Australia’s prudential practice guide for managing data risk: the risk of loss arising from inadequate or failed internal processes, people, systems or external events impacting data. Issued in 2013 by the Australian Prudential Regulation Authority (APRA), it has gained renewed attention following high-profile data breaches that exposed millions of citizens’ personal information and highlighted systemic weaknesses in data control.
Unlike BCBS 239, which focuses on risk data and financial risk reporting, CPG 235 addresses the broader challenge of managing risks associated with enterprise data itself. Data risk management is not a one-off compliance exercise; it is an ongoing discipline aimed at ensuring business objectives are met and stakeholders are protected. Organisations must assess their current capabilities, identify gaps, assign accountability, and implement structured controls embedded into change management and business-as-usual processes.
CPG 235 was informed by the Enterprise Data Management Council’s Data Management Capability Assessment Model (DCAM). DCAM provides an audit-ready capability framework across people, processes, data, and technology, enabling organisations to measure maturity, prioritise improvements, and demonstrate regulatory alignment. A core principle is that the business process generating data owns it, while metadata—everything required to understand and control that data—forms the foundation for accountability and oversight.
Modern data catalogs operationalise this approach. They enable organisations to inventory and classify data assets, assign owners and stewards, document risk assessments, monitor change, analyse usage, and provide lineage and reporting. Automation and analytics support scale and auditability, helping organisations maintain control in complex and evolving data environments.
Ultimately, CPG 235 provides a structured roadmap for embedding data risk management into enterprise governance. While designed for Australian regulated entities, its principles apply broadly to any organisation seeking stronger transparency, accountability, and resilience in managing data risk.
This whitepaper was written in collaboration with Alation.
