APRA Targets Operational Resilience

APRA Targets Operational Resilience – CPS230


APRA has released for consultation a new prudential standard, CPS 230 Operational Risk Management. It aims to strengthen the management of operational risk across the financial services industry, with updated requirements to improve business continuity planning and to tighten third-party (service provider) risk management. CPS 230 is a broad framework that will replace five existing standards.

“In strengthening the ability of APRA-regulated entities to identify, manage and respond to operational risk events, APRA is seeking to enhance operational and financial resilience, as well as financial stability,” says Wayne Byres, APRA Chair. CPS 230 is a response to three key trends APRA has observed in recent years:

1.    Control failures: Many operational risk events in the industry have resulted from ineffective controls, as evidenced by the findings of the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry and by the court enforceable undertakings APRA has accepted from regulated entities.

2.    Low tolerance for disruptions: Core financial services are part of everyday life, and customers and the wider system expect them to be available at all times. Tolerance for outages is therefore low and the expectation of high availability continues to rise.

3.    Increasing reliance on service providers: The expanded use of external providers (including cloud and other technology providers) extends well beyond traditional outsourcing and is producing longer and more complex supply chains.


Key requirements of CPS 230

1.    Operational Risk Management

The proposed standard sets out a minimum set of expectations to ensure that APRA-regulated entities effectively identify, assess and manage operational risk. While emphasising the Board’s oversight role, it clearly places responsibility for the ownership and day-to-day management of operational risk on senior management.

Under CPS 230, the Board is ultimately accountable for oversight of an entity’s operational risk management, including business continuity and the management of service provider arrangements. It must set clear roles and responsibilities for senior managers, oversee operational risk management, and satisfy itself that key controls are effective in keeping the operational risk profile within risk appetite. This includes ensuring that senior management provides clear and comprehensive information to the Board and acts to address any areas of concern.

Senior managers are responsible for the ownership and management of operational risk across an entity’s end-to-end processes. The standard also sets specific requirements for technology risk management, such as monitoring the age and health of systems and assessing the impact of new technologies on the operational risk profile.

CPS 230 also sets out requirements covering the risk management framework, operational risk profiles and assessments, controls, and incident management. Notably, where APRA considers that an APRA-regulated entity’s operational risk management has material weaknesses, it may take action, including imposing conditions on the entity’s licence.

AREAS TO CONSIDER:

  • Ensure clear roles, responsibilities and governance arrangements for operational risk management
  • Maintain end-to-end views of critical processes to inform identification of operational risks and controls
  • Ensure operational risk controls are embedded and regularly tested, and that weaknesses are reported and remediated
  • Ensure operational risk incidents and events are identified, escalated, recorded and addressed

2.    Business Continuity

APRA-regulated entities will be required to maintain their critical operations within tolerance levels. Critical operations are processes that, if disrupted beyond tolerance, would have a material adverse impact on customers or on the entity’s role in the financial system. The register of critical operations must include operations for which the entity is wholly or partially reliant on service providers. APRA has also designated certain specific processes as critical operations.

APRA-regulated entities will be required to set Board-approved tolerance levels for each of their critical operations. Tolerance levels should cover the maximum outage period, the maximum extent of data loss, and the minimum service levels the entity would maintain while operating under alternative arrangements. APRA reserves the right to set tolerance levels itself.

Business continuity plans (BCPs) will be required for all critical operations, with clear triggers for activation. There must be a systematic BCP testing program covering all critical operations that tests the effectiveness of the BCP and the ability to meet tolerance levels under a range of severe but plausible scenarios. Periodic review by the internal audit function will also be required.

AREAS TO CONSIDER:

  • Maintain a register of critical operations and consider plausible disruption scenarios
  • Develop Board-approved tolerance levels and BCPs for each critical operation
  • Establish a systematic BCP testing program
  • Ensure periodic review by the internal audit function of the BCP and testing regime

3.    Service Provider Management

CPS 230 broadens the previous standards from a focus on outsourcing to a wider range of provider delivery models, and addresses risk management at every stage of a service provider arrangement. Entities will also need an approach for managing the risks arising from fourth parties (their providers’ own material subcontractors).

APRA-regulated entities will be required to identify their material service providers and manage the risks associated with using them. Material service providers are those on which the entity relies to undertake a critical operation or that expose it to material operational risk, including providers that manage critical or sensitive information assets under CPS 234. APRA has also designated providers of certain services (including core technology services) as material. Notably, APRA may require changes to service provider arrangements where it identifies heightened prudential concerns.

Along with approving the service provider management policy, Boards will need to review risk and performance reporting on material service provider arrangements. Internal audit must review proposed material service provider arrangements and report regularly to the Board on compliance with the policy. Senior management must maintain oversight of provider performance, the effectiveness of controls, and compliance with the formal agreement.

In addition to the requirement to notify APRA when entering into or materially changing an agreement, entities must submit their register of material service providers to APRA annually. This will help APRA identify and respond to potential systemic issues, including concentration risk, and inform any regulatory intervention needed to mitigate risk or respond to issues as they arise.

AREAS TO CONSIDER:

  • Maintain a register of material service providers
  • Develop a Board approved policy that sets out management of arrangements and associated risks
  • Define the method and process for identifying and managing fourth party risks
  • Ensure service provider agreements meet the requirements set out in CPS 230
  • Establish a reporting, monitoring and assurance regime that allows the Board and senior management to oversee service provider performance, risk and compliance with policy

CPS 230 Operational Risk Management is open for industry feedback until October 2022. APRA plans to finalise the standard in early 2023.


About the Authors: Mark Zanon and Andre Kreicers are from Capital Consult, a provider of specialist advice, consulting and services to the financial services industry since 2008. Capital Consult assists organisations to interpret and achieve compliance with APRA prudential standards, guidelines and supervisory directions, and has worked with many FSI clients in managing their APRA and regulatory obligations. This includes understanding and managing the risks introduced by technology developments such as outsourcing, cloud computing, digital transformation, AI and Banking as a Service.