APRA Operational Risk Reviews

APRA periodically conducts operational risk reviews of Australian FSIs. These are conducted across the full suite of business and technology related functions.

For a technology-specific review, APRA requests evidence on how the FSI manages domains including:

  • strategy
  • organisation
  • risk management
  • infrastructure & operations
  • security
  • recovery
  • project / program management
  • application
  • data and
  • vendor management

1. APRA PRE-READ SOURCING:

We work with leads and SMEs across your business to source the required ~500 evidence artefacts covering all the required domains and topic areas.

2. PRE-READ DOCUMENT REVIEW:

We review all materials for quality, currency and completeness. We identify and raise gaps and concerns early with SMEs so weaknesses are understood. 

3. PRESENTATION PREPARATION:

Customised presentation templates are built for your senior execs and SMEs, aligned to APRA’s expectations and the artefacts collated.
Our team also support execs and SMEs with their rehearsal preparation, so they are well prepared to present to APRA.


A Typical Risk Review Includes

Documents and evidence points collated for APRA's pre-read
Risk domain areas covering technology, vendor and support functions
Days of deep dive APRA face to face sessions

Case Study

Major Wealth & Superannuation Organisation

The Situation

A large wealth and superannuation organisation was advised by APRA that they would undertake an operational risk review of the entire IT division. The scope of the risk review covered over 100 specific requests across 13 IT and related service domains.

The review included providing support material and evidence of compliance, as well as 5 days of on-site presentations and interviews with over 20 executives and subject matter experts. The organisation had little experience with APRA IT operational risk reviews and very little capacity in preparing for and conducting the review.

What We Did

Capital Consult established a working group with key SMEs and executives from the IT division, group risk, regulatory affairs and support functions. Reporting of progress and potential gaps was conducted weekly to ensure visibility of progress and issues.

We managed the collection, collation and assurance of 466 artefacts across all 13 scope domains as required by APRA, over a 4-month period. We managed and assisted with the creation of all 13 domain presentations and supporting material to ensure coverage across APRA’s requirements.

Capital Consult also conducted executive and presenter coaching and rehearsals for the 5 days of APRA onsite interviews and participated as APRA specialist SMEs.

The Outcome

A successful review was followed up with a formal response by APRA of 0 actions, 4 recommendations and 2 suggestions across the entire IT operating model and support functions.

The process, templates, plans and support material were captured in a sustainable and reusable framework to be applied for all future APRA operational risk reviews for the client.

Capital Consult has been engaged in four additional APRA risk reviews for the organisation, across Australia and New Zealand.
