Introduction
The Australian Prudential Regulatory Authority (APRA) published a draft of their Consolidated Prudential Standard (CPS) 230 for Operational Risk Management in late 2022. This Standard is currently undergoing finalisation and will be published alongside a prudential guideline sometime during 2023 ahead of an effective date of 1 July 2025. The Standard is intended to:
- Complement CPS 220 Risk Management
- Replace CPS 231 Outsourcing (and the superannuation and private health insurance equivalents)
- Replace CPS 232 Business Continuity (and the superannuation and private health insurance equivalents)
In order to assist Amstelveen clients with preparing to comply with the new requirements, on top of the summary below, we have prepared a detailed gap analysis of the changes with CPS 230 as compared to APRA’s existing standards. Please reach out to us at info@amstelveen.com if you would like access.
Executive summary
The new standard is divided into three domains: operational risk management, business continuity management and service provider management. The following provides a high-level summary of the changed requirements and recommended activities to prepare to comply across each of these domains.
Operational Risk Management
These requirements complement those of CPS 220 but are focused specifically on Operational Risk, which APRA defines as including (but not limited to) legal, regulatory, compliance, conduct, technology, data, reputational and change management risk that “may result from inadequate or failed internal processes or systems, the actions or inactions of people or external drivers and events.”
In order to meet the new requirements, entities should:
- Ensure the Board dedicates sufficient time and receives reporting on the operational risk profile, including risk indicators, control effectiveness and major incidents/issues.
- Update the Risk Appetite Statement, Risk Management Strategy, Risk Taxonomy and any other framework documents to align with APRA’s operational risk definition and requirements.
- Review and potentially uplift risk and compliance processes, including:
  - Risk in Change process should assess the impact of major changes (e.g. new products, mergers/acquisitions, etc.) on the operational risk profile and organisational resiliency.
  - Onboarding process for material customers should consider the ability to address key risks and obligations.
  - Control testing should assess control design and operating effectiveness.
  - Issue management should be in place to address the root cause of control gaps and weaknesses.
  - Incident management processes should record and manage the response to incidents and near misses, and report material incidents to APRA within 72 hours.
  - Scenario analysis should include severe but plausible operational risk events.
- Document the processes, risks, controls and required dependencies for critical operations (in alignment with BCM) ensuring the active involvement and ownership of line management.
- Update (or implement) Integrated Risk Management systems to ensure the required operational risk data is captured, data quality managed and insights reported effectively.
Business Continuity Management (BCM)
Requirements are largely consistent with CPS 232, with some changes that better align to established standards (e.g. ISO 22301) and that shift the focus from recovering from disruptions to instead minimising the overall impact of disruptions. In order to meet the new requirements, entities should:
- Update the Business Impact Analysis[1] approach to ensure critical operations are aligned with those prescribed by APRA and capture Maximum Tolerable Period of Disruption, Maximum Tolerable Data Loss and Minimum Business Continuity Objective for each. The BIA should align with, or be, the source of truth for “critical operations”.
- Ensure the Business Continuity Plan(s) include new requirements for activation triggers and procedures, execution risks, dependencies and a process for notifying APRA within 24 hours of activation.
- Seek Board approval of the Business Impact Analysis for critical operations and Business Continuity Plan(s) initially and in future on refresh at least annually. The BCP will also need to be submitted to APRA.
- Ensure BCM processes and registers (in particular the “critical operations” register) are aligned and integrated with operational risk requirements, so that the likelihood and impact of disruptions are minimised in a coordinated way.
- Conduct multi-year BCP test planning to ensure testing cycles through various relevant scenarios over time, including disruption to material service providers. Ensure test results are periodically reported to the Board.
Service Provider Management
Where previously CPS 231 was targeted to material outsourcing arrangements, CPS 230 has expanded its scope to capture material service providers more broadly with requirements also covering the end-to-end management of arrangements. This is likely to have a significant impact both in terms of upfront and ongoing resource needs to maintain compliance.
In order to meet the new requirements, entities should:
- Update their Outsourcing Policy to be a Service Provider Management Policy which meets the updated requirements. There may be an opportunity to consolidate different policies as part of this (e.g. procurement, supplier governance etc).
- Update the frameworks/processes for assessing the risk and materiality of arrangements in line with the new requirements, and ensure this is embedded within the existing procurement and supplier onboarding and renewal processes.
- Review all existing arrangements in the context of the updated materiality assessment, and uplift those now deemed material on contract renewal (or earlier if possible).
- Update standard contract templates and gap assess existing material contracts against the new requirements to determine where contractual uplift is required.
- Ensure any reliance on related bodies corporate for critical operations is reviewed in the context of the new requirements – these are to be treated the same as regular service providers with a legally binding agreement in place.
- Define and implement a process for managing fourth party risk.
- Review the processes in place for monitoring service providers and ensure they include reporting to senior management on control effectiveness and contractual compliance (as well as performance). Monitoring should also consider risks, contingencies and business continuity on an ongoing basis.
- Ensure there is a register of material service providers in place, which must be submitted to APRA on an annual basis.
About Amstelveen
We have extensive experience in financial services and are specialists in the areas of risk transformation, business risk & resilience, technology & cyber risk, assurance and compliance & regulation. We are well positioned to help entities comply with APRA’s new CPS 230 requirements. Reach out at info@amstelveen.com for enquiries or find out more at www.amstelveen.com.
[1] While CPS 230 does away with the term “Business Impact Analysis”, it is an industry standard term, and the requirements still imply a need for one in order to define critical operations and their tolerance levels.