Lessons in resilience from the UK and Canada

Ahead of the new APRA CPS 230 regulation, there is value in learning how international organisations are meeting regulatory requirements and building operational resilience

Susanna Chan

Partner, Cybersecurity & Digital Trust, PwC Australia

Sam Hinchliffe

Partner, Risk and Regulation, PwC Australia

The new APRA Prudential Standard CPS 230 Operational Risk Management is proposed to come into effect in 2025. The goal of the standard is to strengthen the management of operational risk in the banking, insurance, and superannuation industries, while also minimising the impact of disruptions to customers and the financial system. It focuses on three key areas – operational risk management, business continuity management, and service provider management. It is designed to ensure that organisations have robust resilience testing and incident mitigation strategies in place.

As Australian organisations prepare for the new requirements, we held a virtual webcast themed A Global View on Operational Resilience, to understand the progress, challenges and lessons learned from UK and Canadian organisations in their resilience pursuits. We invited our international colleagues Duncan Scott, Operational Resilience Banking Leader, PwC UK; and Mark Barboza, Director in Operational and Technology Resilience, PwC Canada, to share insights. Here are some key takeaways.

An Australian overview   

We shared an overview of the progress already underway in Australia in building resilience, and of what still needs to be done before the proposed CPS 230 comes into effect. Key points included:

  • Preparing: Organisations need to identify, assess, and manage their operational risks with effective internal controls, monitoring, and remediation. They need to be ready to deliver critical operations through severe disruptions.
  • Service provider risk in focus: Central to CPS 230 is the requirement to understand risk to critical operations via service providers. To achieve this, organisations will need comprehensive provider management agreements and robust provider monitoring.
  • Data and analytics: The standard requires the maintenance of appropriate and effective information systems to monitor operational risk, and the ability to report efficiently to the board and APRA. Sophisticated data and analytics tools will be essential.
  • Incident reporting: Organisations will need to be ready to identify, escalate, record, and address any risk incidents in a timely manner.
  • Culture shift: To get the most out of the potential of CPS 230 to build resilience, organisations will need to build a culture and mindset of resilience from the board through to the front line.

Lessons from the UK

As Australian organisations build resilience, there are many lessons to be learned from the experiences of organisations in the UK. UK organisations have been on a resilience journey since the global financial crisis of 2008, with the topic coming into sharper focus in 2012 when RBS experienced a payments outage that affected 6.5 million customers for a month. Duncan explained that the Prudential Regulation Authority (PRA) was initially most concerned that organisations held appropriate levels of capital and liquidity. It next turned its attention to conduct risk, making sure banks were operating in the right way to benefit the customer. Now, UK organisations are preparing for further resilience regulations that come into effect in 2025, on top of the regulations already in force.

Some key lessons and experiences of UK organisations regarding resilience so far include: 

  • Compliance versus real resilience: Some firms have debated whether to invest in compliance or in building real resilience. It has become evident that firms that choose the former often lack a strategy for their business-as-usual (BAU) operational resilience. Resourcing and investment therefore need to be key considerations.
  • Board engagement: Organisations that have made the most progress have boards that are highly engaged in the resilience journey. These firms recognise the commercial, reputational and trust benefits to be gained from the effort.
  • Service focus: Financial services organisations have recently focused on customer centricity, and now have more integrated systems and processes. This interconnected approach, while vital, has increased the complexity of understanding and quantifying the impact of disruptions on customers.
  • Broadening testing: There has been a lot of focus on testing localised risk scenarios with very specific impacts on individual services. However, that is not how disruption typically manifests. Therefore, organisations are realising that they need to test broader-impact scenarios.
  • Number of scenarios: UK firms have been grappling with the number of scenarios to test, and there is no straightforward answer. In a small organisation the right amount could be under 10 scenarios, but in a larger international bank it could be more than 50.
  • Understanding service providers: UK firms are unearthing third parties, fourth parties and more that are essential to how they deliver critical services. They are realising the extent of work required to understand the services provided, the contracts, and potential impact of an incident on resilience.
  • Collaboration helps: In the UK, the Operational Resilience Collaboration Group is creating approaches to resilience and sharing those ideas to help everyone reach best practice.

Lessons from Canada

In Canada, the focus on resilience heightened in 2019 to meet emerging standards in the UK and US. Canada’s own regulations are still to be confirmed, but are believed to be imminent. Mark explained that amid growing regulation, Canadian organisations have been establishing their operational resilience frameworks as a supplement to operational risk, and developing the roles and responsibilities for resilience from both first- and second-line perspectives.

Some key lessons and experiences of Canadian organisations so far include:

  • Risk and control self-assessments: Canadian firms are leveraging the controls they already have to identify operational resilience gaps or vulnerabilities. They are taking a service-based view to ensure that they have mapped the technology, the third parties, and the people that support an end-to-end service.
  • Testing priorities: Organisations have been developing their initial tolerances for disruption and are performing initial scenario testing. They are learning that it is difficult to test every scenario, so they are starting small and prioritising. Banking firms tend to start with payment rails; insurance firms with their claims processing services; and wealth management firms with their inbound and outbound redemption processes.
  • Documentation and detail: Firms are finding it challenging to document the rationale for their tolerances for disruption, as well as working out the specificity required when defining their critical operations. This remains a work in progress.
  • Building a sustainable resilience program: Firms have been exploring how to make their resilience and compliance programs sustainable to manage long-term. There has been focus on exploring the software and tools that can help achieve this.
  • Investment recognition: Some Canadian organisations have identified the investment they need to put into improving their resilience posture from 2024 onward, and are building that into annual budget and investment rounds. Many have increased headcounts to support their resilience efforts.

In summary

As Australian organisations get to work on resilience to meet the requirements of CPS 230 while also protecting their business, customers, and the market, our discussion showed that there is plenty to learn from the work already underway in the UK, Canada and globally. To recap just a few of the lessons, we heard that Australian organisations will benefit from:

  • Early board and executive engagement - Early engagement of board members and executives through awareness sessions is important, as they are ultimately accountable and will drive how resilience cascades through the rest of the organisation.
  • Running a pilot over a critical operation - Select a critical operation and work through it end-to-end, from critical operation mapping, to tolerance determination, through to scenario testing and material service provider identification.
  • Not just a compliance exercise - Whilst there is an obligation to comply with regulatory requirements, building resilience brings real benefits through fewer and better managed disruptions and a better service to your customers and members.
  • Three lines of defence - Build adequate and effective layers of risk management and assurance across the three lines of defence to embed effective risk management and continuous assurance and monitoring.

If you need support in preparing for CPS 230 and building operational resilience into your organisation, we are here to help.

Contact us

Susanna Chan

Partner, Cybersecurity & Digital Trust, PwC Australia

Tel: +61 414 544 066

Sam Hinchliffe

Partner, Risk and Regulation, PwC Australia

Tel: +61 434 182 665