Building stronger resilience through compliance

APRA’s new Operational Risk Management Prudential Standard is designed to help organisations be more resilient in the face of new risks – taking steps to be compliant should start now. 

Whether it be cyber hacks, system outages, or external events such as pandemics or geopolitical issues, the operational risks faced by banking, superannuation and insurance organisations are ever increasing. If an organisation isn’t prepared to manage these risks and an incident occurs, it can impact the experience and safety of employees, customers, and stakeholders. In turn, it can severely damage the business’s reputation. This is why having operational resilience across every corner of the organisation is important, with a focus on prevention of incidents rather than just recovery after things have gone wrong.  

To support organisations to achieve operational resilience, the Australian Prudential Regulation Authority (APRA) is releasing a robust new Standard – Prudential Standard CPS 230 Operational Risk Management (CPS 230). Following industry consultation in 2022, the new Standard is set to commence in 2024.

Here are some of the key features to be aware of, and five ‘no regrets’ actions that you can take to be ready.

How CPS 230 fits in

Most APRA-regulated organisations are already doing a lot of work to firm up their operational risk management, business continuity planning, and service provider management. CPS 230 takes things further, increasing regulator expectations across these three areas. It replaces several existing standards: Prudential Standard CPS 231 Outsourcing, Prudential Standard CPS 232 Business Continuity Management, and the equivalent superannuation and health insurance standards. CPS 230 also complements Prudential Standard CPS 234 Information Security, which focuses on defining information security-related roles and responsibilities, and on maintaining security standards, testing and assurance in line with evolving threats. Together, CPS 230 and CPS 234 have been established to drive improved operational resilience outcomes in organisations.

Goals and benefits of CPS 230

CPS 230 is designed to help organisations achieve a strong position of operational resilience by focusing on understanding their critical operations, improving operational risk frameworks, credible business continuity planning, and effectively managing risks associated with service providers. The Standard pushes organisations to be more specific in documenting operational risks, obligations, and controls, testing their effectiveness, and providing detailed reporting. It also requires organisations to set Board-approved impact tolerances for their critical operations, validated through robust business continuity testing, and to understand and mitigate service provider risk beyond third parties and deeper into the supply chain.

There are tangible benefits to complying with this Standard, the most significant being a more operationally resilient organisation. There are also financial benefits, ideally through fewer incident response costs and potential regulatory sanctions. Importantly, compliance should drive customer safety and market stability, and reduce the risk of brand and reputational damage.

Three areas of focus

As mentioned, CPS 230 focuses on three areas to build up a strong foundation for operational resilience. They are:

CPS 230 expects organisations to understand and manage their full range of operational risks, covering legal, regulation, compliance, conduct, technology, data, reputation, and change management. Organisations need to know the functions that are critical to serving customers, and how decision-making impacts their risk profile – in particular, the impact of new products, services, geographies, and technologies.

CPS 230 expects organisations to understand the risks in all third- and fourth-party material service providers – a broadened definition which includes any service provider that the entity relies on to undertake a critical operation, or that could expose it to material operational risk. Among other requirements, APRA’s expectations include a register of material service providers and their associated risks, clarity around how those risks will be monitored, and even a risk management plan for fourth-party service providers.

Defining accountability

There is clearly no ‘one person’ in a large-scale organisation that can manage all operational risks. Therefore, CPS 230 makes it clear that the ultimate accountability for the oversight of operational risk management, business continuity planning, and service provider management sits with the Board. Day-to-day, the responsibility for ensuring compliance sits with senior managers across all departments. To support this, organisations need a comprehensive map of operational risk management responsibility across first, second and third lines of defence.

Challenges to meet the standard

As you set out to meet CPS 230 expectations, it’s likely that you will already be doing work that you can amplify and consolidate. However, meeting the new regulations will require balancing daily business pressures with the time and cost of preparing to be compliant. You may need to allocate more resources to the changes, as having team members try to meet the demands ‘off the side of their desks’ will not be sufficient. Leveraging technology will be necessary to bring your risk management to the right level, and to drive the sustainability and embedding of these activities.

5 ‘No regrets’ actions 

To ensure that your organisation makes the most of CPS 230 to help build operational resilience, here are five ‘no regrets’ actions to take:

Define the roles and responsibilities to drive operational resilience. Ensure that your Board is clear that it is ultimately accountable, and that line management understands its day-to-day role in supporting this. Ask: is your second line of defence prepared for the increased monitoring and testing required, and is your third line ready to provide assurance?

Identify your end-to-end critical operations. To do this, leverage your existing process maps and Business Impact Assessments (BIAs) to understand your critical operations, and what supports their delivery – such as technology, people, third parties, data and more.

Revisit your operational risk management framework. Put in place practices and controls to manage risks and obligations relevant to those critical operations. Part of this should be building a controls assurance program for seamless ongoing management.

Understand impact tolerances through a systematic testing program. Set your tolerance levels to the maximum disruption that you are willing and able to accept, including data loss, while keeping up critical services. Keep testing and adjusting.

Review your material service providers given the revised scope definition. Understand how your third parties (who may not be under the same stringent regulation) ensure that their service providers have robust operational resilience. Look into your contracts to understand what rights you have to audit your service providers for this reason. You will need to build a comprehensive outsourcing management policy, formal agreements, and robust service provider monitoring. You will need to understand the sensitivity and criticality of the data that each provider holds, and how a disruption will flow through to impact your operations and customers.

A necessary change

CPS 230 is an important step in helping to achieve the level of operational resilience that benefits organisations, customers, and broader markets. While the Standard is designed for financial services organisations, service providers to the sector can also benefit from adherence, as this will be increasingly expected from APRA-regulated organisations. If you need help to prepare for the changes, we have extensive experience from working with organisations to meet similar regulations globally. Our PwC global operational resilience community connects teams from the UK, US, Canada, and across Europe and Asia. We know what processes and technology can make this level of operational risk management sustainable. Reach out to find out more.

Contact us

Susanna Chan

Partner, Cybersecurity & Digital Trust, PwC Australia

Tel: +61 414 544 066

Peter Malan

Partner, Cybersecurity & Digital Trust, PwC Australia

Tel: +61 413 745 343

Sam Hinchliffe

Partner, Risk and Regulation, PwC Australia

Tel: +61 434 182 665