The new Prudential Standard CPS 230 Operational Risk Management

Why now?

Globally, regulatory and supervisory standards are increasingly focussed on improving operational resilience (e.g. the EU's Digital Operational Resilience Act, the FCA's PS21/3 Building Operational Resilience, and the BIS Principles for Operational Resilience).

This shift in regulatory posture seeks to promote more effective management of operational risks arising from disruptions caused by such events as financial crises, pandemics, natural disasters, cyber attacks and technology failures. It also recognises an increasing dependence on third parties for the provision of critical services [1][2]. 

Locally, APRA has expressed impatience with the slow progress towards implementing the minimum information security requirements of CPS 234 Information Security, at a time of an evolving cyber threat landscape and rapid technological innovation [3].

There are several prominent Australian examples of material business disruptions, such as the Medibank data breach and the Optus outage, which highlight a lack of proactive planning for, and/or ability to respond to, severe but plausible business disruptions. Media and community responses also indicate a decreasing tolerance for these events.

Background

The purpose of the new standard is to ensure that APRA-regulated entities are resilient to operational risks and disruptions. APRA regards operational resilience as the outcome of prudent operational risk management: the ability to effectively manage and control operational risks and to maintain critical operations through disruptions [4].


Some highlights of the new standard [5]:

  • Board accountability for operational risk management.

  • Operational risk management across an end-to-end process view.

  • New requirements covering control effectiveness, testing and remediation.

  • Key principles:

    • Entities must:

      • effectively manage operational risk, and set and maintain standards for conduct and compliance,

      • maintain critical operations within tolerance levels through severe disruptions, and

      • manage the risks associated with the use of service providers.

    • Entities must identify, assess and manage operational risks that result from inadequate or failed internal processes or systems, the actions or inactions of people, or external drivers and events. Operational risk is inherent in all products, activities, processes and systems.

    • Entities must, to the extent practicable, prevent disruption to critical operations, adapt processes and systems to continue to operate within tolerance levels in the event of a disruption and return to normal operations promptly once a disruption is over.

    • Entities must not rely on a service provider unless they can ensure that, in doing so, they can continue to meet their prudential obligations in full and effectively manage the associated risks.

  • The standard gives APRA enhanced regulatory powers that allow it to intervene where it considers that an entity's operational risk management has material weaknesses. These powers include requiring an independent review, requiring a remediation program, requiring the entity to hold more capital, and/or imposing conditions on a licence.

Implementation

Figure 1. APRA Timeline [6]

A robust approach to implementation should include [3]: 

  1. Board governance that includes oversight of a formal change management plan.  

  2. A formal change management plan that provides for adequate financial capacity, skills and expertise.

  3. A gap analysis against the requirements of the Prudential Standard.

  4. A transition plan for demonstrating compliance against the requirements of the Standard.

  5. Monitoring of progress against the transition and change management plans.

During the transition period, entities can expect APRA to engage with them proactively and to query CPS 230 readiness, with an emphasis on adequate and effective governance.
