<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>INSURANCE | InConsult</title>
	<atom:link href="https://inconsult.com.au/publication-category/insurance/feed/" rel="self" type="application/rss+xml" />
	<link>https://inconsult.com.au</link>
	<description>Helping you confidently take risks</description>
	<lastBuildDate>Fri, 05 Sep 2025 06:11:38 +0000</lastBuildDate>
	<language>en-AU</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	

<image>
	<url>https://inconsult.com.au/wp-content/uploads/2021/06/cropped-favicon-3-32x32.jpg</url>
	<title>INSURANCE | InConsult</title>
	<link>https://inconsult.com.au</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>The 4 Chief Risk Officer Archetypes For Success</title>
		<link>https://inconsult.com.au/publication/the-4-chief-risk-officer-archetypes-for-success/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Fri, 05 Sep 2025 06:11:38 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=12682</guid>

					<description><![CDATA[<p>Beyond the risk registers, the quantitative risk analysis, decision support tools and compliance checklists, the true art of risk management lies within you &#8211; the chief risk officer. It&#8217;s not just about what you know, but who you are. The most effective chief risk officers don&#8217;t just see threats, they see themselves. They understand that their [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/the-4-chief-risk-officer-archetypes-for-success/">The 4 Chief Risk Officer Archetypes For Success</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>Beyond the risk registers, the quantitative risk analysis, decision support tools and compliance checklists, the true art of risk management lies within you &#8211; the chief risk officer. It&#8217;s not just about what you know, but who you are.</p>
<p>The most effective chief risk officers don&#8217;t just see threats, they see themselves. They understand that their character, their style, and their approach to people are as critical as any technical skill. This is where the power of chief risk officer archetypes comes into play.</p>
<p>By exploring these universal models of leadership, you can unlock another level of self-awareness allowing you to not only understand your natural strengths but also strategically adapt your approach to master the ever-evolving landscape of risk.</p>
<h3><strong>What is an Archetype?</strong></h3>
<p>An archetype is a universal model or pattern. Think of an archetype as a basic blueprint for a character, idea, or behaviour that appears again and again across different cultures and stories.</p>
<p>In business, archetypes are often applied to <a href="https://marchbranding.com/design-insight/brand-archetypes" target="_blank" rel="noopener">brands</a> to help companies define their identity, guide strategy, and connect with customers on a deeper, more emotional level. They serve as psychological shortcuts that make complex ideas more relatable and memorable. For example, &#8220;The Hero&#8221; archetype is used for brands that empower customers to be their best. Think of Nike and its &#8220;Just Do It&#8221; slogan. Another example is &#8220;The Outlaw&#8221; archetype, used for brands that challenge the status quo and empower rebellion. Harley-Davidson and Virgin are well-known for this.</p>
<p>Archetypes can also be used to understand and categorise <a href="https://hbr.org/2013/12/the-eight-archetypes-of-leadership" target="_blank" rel="noopener">leadership styles</a> and professional roles. This helps in talent management, team building, personal development and recruiting the &#8220;right&#8221; person.</p>
<p>For example, when recruiting a new Chief Executive Officer (CEO), archetypes help identify which leader fits the company&#8217;s current stage of growth. The Fix-It Leader, or Change-Catalyst, is a specialised archetype used for company turnarounds. This leader is not a builder or innovator. They are a turnaround expert whose main goal is to diagnose problems, make difficult decisions and start the changes to restore a company&#8217;s health.</p>
<h3><strong>Using Chief Risk Officer Archetypes</strong></h3>
<p>Categorising risk leaders into archetypes can help the board and CEO understand what kind of expertise and risk leadership is required to manage complex challenges. It allows for a more intentional and strategic approach to talent management and organisational design within the C-suite.</p>
<p>A word of caution: archetypes are not static &#8220;personality types&#8221; of the kind produced by the <a href="https://www.themyersbriggs.com/en-US/Products-and-Services/Myers-Briggs" target="_blank" rel="noopener">Myers-Briggs Type Indicator</a> (MBTI) tool for understanding personality. The MBTI&#8217;s goal is to sort people into one of 16 distinct, static &#8220;personality types&#8221; (like INTJ or ESFP) based on their preferences in four dichotomous categories. In contrast, archetypes are more dynamic and symbolic. An individual may be influenced by several archetypes at different times and in different ways.</p>
<h3><strong>The 4 Chief Risk Officer Archetypes</strong></h3>
<p>From our literature review, a handful of chief risk officer archetypes have already been identified, mainly by large and credible consulting firms. Most of these models present three archetypes for risk leadership.</p>
<p>Deeper research into these models, combined with reflection on our real-world experience (including our assessments of risk management frameworks, risk leadership, risk culture, risk maturity and risk capability across public and private sector organisations), has revealed a fourth, distinct profile. In total, we have identified four chief risk officer archetypes that serve as strategic blueprints for how a risk leader operates within an organisation. And remember, a risk leader may be influenced by several archetypes at different times and in different ways.</p>
<p><img fetchpriority="high" decoding="async" class=" wp-image-12687 aligncenter" src="https://inconsult.com.au/wp-content/uploads/2025/09/Chief-Risk-Officer-Archetypes_InConsult-300x175.png" alt="Chief Risk Officer Archetypes" width="524" height="306" srcset="https://inconsult.com.au/wp-content/uploads/2025/09/Chief-Risk-Officer-Archetypes_InConsult-300x175.png 300w, https://inconsult.com.au/wp-content/uploads/2025/09/Chief-Risk-Officer-Archetypes_InConsult-768x449.png 768w, https://inconsult.com.au/wp-content/uploads/2025/09/Chief-Risk-Officer-Archetypes_InConsult.png 1131w" sizes="(max-width: 524px) 100vw, 524px" /></p>
<p>These archetypes aren&#8217;t about a person&#8217;s personality type. They describe a leader&#8217;s primary focus, motivation, and style. Leaders can tailor these approaches to a company&#8217;s specific needs at different stages of its risk maturity.</p>
<h4>1. The Innovator</h4>
<p>The Innovator is a risk leader who sees risk as a strategic tool for growth and competitive advantage, not a barrier.</p>
<p>They are not just managing risk but actively using it to drive the business forward. They are forward-looking, visionary, and a strong partner to the business.</p>
<p>Innovators work hand-in-hand with the business to help drive growth and capture new opportunities. Instead of focusing solely on protection, they are visionaries who use advanced technology, risk models and a higher risk appetite to help the C-suite build new business models, launch ventures, and expand into new markets.</p>
<p>They have a higher tolerance for risk and focus on identifying opportunities within higher levels of uncertainty and complexity. Operating in higher levels of uncertainty is their comfort zone.</p>
<p>Their key questions are &#8220;How can we use risk to our advantage?&#8221; and &#8220;What&#8217;s the best way to take a calculated risk?&#8221;</p>
<p>As their core motivation is value creation, Innovators are ideal for high-growth companies, start-ups, new product launches, market expansion, M&amp;A projects or supporting innovation within a larger corporation.</p>
<h4>2. The Guardian</h4>
<p>The Guardians are risk leaders who prioritise building a resilient and sustainable organisation. They see themselves as the ultimate protectors of the organisation.</p>
<p>Their primary focus is on long-term protection, sustainability and resilience &#8211; not just short-term problem solving. They typically create strong and stable foundations to withstand future shocks.</p>
<p>Guardians methodically structure their work and focus heavily on risk governance. They build robust frameworks, embed a strong risk culture, and ensure compliance with regulations. Their main concern is with what could go wrong and how to prevent it.</p>
<p>In essence, the Guardians&#8217; mission is to safeguard the organisation from the ground up, thereby making sure it can weather any storm and any emerging risk.</p>
<p>They often ask, &#8220;Are we prepared for the future?&#8221; and &#8220;What safeguards do we need?&#8221;</p>
<p>Guardians thrive in established, risk-averse, and highly regulated organisations. In these environments, long-term stability and resilience matter more than aggressive growth. Consequently, the Guardian&#8217;s methodical and protective nature perfectly suits sectors where failure is costly and compliance is mandatory. This is why Guardians are prominent in financial services, healthcare, and public sector agencies.</p>
<h4>3. The Operator</h4>
<p>The Operators are the risk leaders who excel at the practical, day-to-day management of risk. They are pragmatic problem-solvers who are very hands-on and focus on efficiency, crisis management, and immediate results.</p>
<p>Operators thrive in situations demanding efficiency, decisive action, and stability.</p>
<p>They are action-oriented and decisive, with a strong focus on the present. For this reason, they are often brought in to help stabilise a business, resolve a crisis, or streamline operations. Furthermore, they prioritise getting the fundamentals right and aren&#8217;t afraid to make tough, unpopular decisions. Ultimately, Operators are all about managing immediate challenges, whether they&#8217;re navigating a crisis or ensuring smooth, efficient operations by de-risking them.</p>
<p>Their key questions are &#8220;How can we fix this right now?&#8221; and &#8220;What is the most efficient way to manage this?&#8221;</p>
<p>Their value lies in their ability to handle real-world challenges with speed and precision, ensuring the company remains stable and on course.</p>
<p>Operators are ideal for organisations facing a range of immediate risks and resilience challenges, undergoing restructuring, or prioritising efficiency and stability over radical growth. They excel in environments where direct problem-solving is a top priority, such as organisations with known risk management issues, companies in crisis, and highly regulated industries. Their pragmatic, action-oriented approach helps them solve problems directly.</p>
<h4>4. The Influencer</h4>
<p>The Influencers are risk leaders who rely on collaboration and communication to achieve their goals. Instead of using a top-down, command-and-control approach, they use soft power to build consensus and unite disparate teams. In other words, they don&#8217;t lead through authority, but through collaboration and persuasion.</p>
<p>Influencers are catalysts for change, focusing on uniting people and building a shared understanding of risk across the entire organisation.</p>
<p>They are collaborative, communicative, and empathetic. They build strong networks, facilitate cross-functional dialogue, and empower others to take ownership of risk.</p>
<p>Their primary questions are &#8220;How can we get everyone on the same page?&#8221; and &#8220;How do we build trust?&#8221;</p>
<p>Therefore, they are natural facilitators who create open dialogue and a common language around risk, ensuring that risk management becomes a collective responsibility rather than a siloed function.</p>
<p>The Influencer archetype is ideal for organisations that need to foster a collaborative risk culture, break down silos, or manage complex transformations where buy-in from multiple stakeholders is critical. Their strength lies in their ability to unite disparate teams and build consensus. Influencers thrive in large, complex organisations, companies undergoing major transformations, and industries where collaboration, project-based work, and teamwork are critical to success.</p>
<h3><strong>Final Thoughts</strong></h3>
<p>These four archetypes provide a powerful lens for understanding different styles, moving beyond a one-size-fits-all approach to risk leadership.</p>
<p>It is possible for a chief risk officer to possess elements of all four archetypes, but it&#8217;s highly unlikely they will master them all equally. Most individuals have a dominant, natural style they rely on, with secondary styles they can develop and use when a situation calls for it.</p>
<p>Ultimately, by recognising if you&#8217;re predominantly an Innovator, Guardian, Operator, or Influencer, you can leverage your natural strengths and identify your blind spots. In turn, this allows you to intentionally adapt your approach to fit your organisation&#8217;s specific needs.</p>
<p>These archetypes transform the abstract idea of a &#8220;risk personality&#8221; into a practical framework for self-awareness and professional growth. This lets you do more than just manage risk. It also helps you engage better with key stakeholders and master your role in shaping a resilient, successful future.</p>
<p>The goal isn&#8217;t to be all four at once, but to understand which style a given situation demands and to be flexible enough to apply it.</p>
<h3><strong>How We Can Help You Take Better Risks</strong></h3>
<p>We are here to help strengthen your risk management capabilities, systems and processes. Our risk management capabilities include:</p>
<ul>
<li>Providing an interim Chief Risk Officer to backfill a vacancy.</li>
<li>Providing a dedicated Risk Officer on demand through our Virtual Risk Officer service.</li>
<li>Helping organisations take their first steps towards implementing a formal and proactive enterprise-wide risk management framework.</li>
<li>Performing an independent review or health check of your existing risk management framework to identify gaps and level of maturity.</li>
<li>Conducting risk workshops covering strategic, operational and project risks.</li>
<li>Conducting risk culture assessments.</li>
<li><a href="https://inconsult.com.au/services/risk-management-transformation/" target="_blank" rel="noopener">Risk management transformation</a>.</li>
<li>Supporting you across a range of risk management services including business continuity, crisis management, cyber risk, climate change risk, third party risk and fraud risk.</li>
</ul>
<p>Take risk management to the next level and <a title="Contact Us" href="https://inconsult.com.au/contact-us/">contact us</a> to discuss your needs.</p>
The post <a href="https://inconsult.com.au/publication/the-4-chief-risk-officer-archetypes-for-success/">The 4 Chief Risk Officer Archetypes For Success</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>CPS 230 Deadline Nears &#8211; Fix Blind Spots Now</title>
		<link>https://inconsult.com.au/publication/cps-230-deadline-nears-fix-blind-spots-now/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Thu, 10 Apr 2025 08:02:51 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=12543</guid>

					<description><![CDATA[<p>From 1 July 2025, APRA&#8217;s cross-industry Prudential Standard CPS 230 Operational Risk Management (CPS 230) will come into effect, setting a higher bar for how insurers manage operational risk, third-party arrangements, and business continuity. As the deadline looms, insurers falling behind must accelerate their readiness and embed sustainable processes that meet both the letter and [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/cps-230-deadline-nears-fix-blind-spots-now/">CPS 230 Deadline Nears – Fix Blind Spots Now</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>From 1 July 2025, APRA&#8217;s cross-industry <a href="https://www.apra.gov.au/operational-risk-management" target="_blank" rel="noopener">Prudential Standard CPS 230 Operational Risk Management</a> (CPS 230) will come into effect, setting a higher bar for how insurers manage operational risk, third-party arrangements, and business continuity. As the deadline looms, insurers falling behind must accelerate their readiness and embed sustainable processes that meet both the letter and spirit of the mandatory standard.</p>
<p>In this article, our Risk and Resilience team explore:</p>
<ul>
<li>Common implementation challenges, including vendor assessments, contract reviews, and data limitations</li>
<li>What insurers should be doing now to close gaps and embed good practice</li>
<li>The uplift needed in business continuity and resilience planning under the new metrics (MTPD, RPO, MSL)</li>
<li>The difference between BCP and Operational Risk scenario analysis</li>
<li>The importance of strong incident management, training, and documentation</li>
</ul>
<h3>Who Does CPS 230 Apply To?</h3>
<p>CPS 230 applies to all APRA-regulated entities, which includes:</p>
<ul>
<li>Banks and ADIs (Authorised Deposit-taking Institutions)</li>
<li>Life, general, and private health insurers</li>
<li>Reinsurers</li>
<li>RSE licensees (superannuation trustees)</li>
</ul>
<p>Importantly, CPS 230 also applies to intra-group service arrangements. Even where services are provided internally within a corporate group, entities must ensure that such arrangements are subject to the same level of governance, due diligence, monitoring, and exit planning as third-party providers.</p>
<p>This marks a notable shift, particularly for insurers who have historically relied heavily on group shared services or head office functions.</p>
<h3>CPS 230 is a Catalyst for Building Resilience</h3>
<p>While some feel that the focus of CPS 230 may be compliance, its intent is clear: to build genuine operational resilience across the financial services industry. For insurers, this is an opportunity to:</p>
<ul>
<li>Improve visibility and control over third-party dependencies</li>
<li>Build capabilities in identifying and managing non-financial risks</li>
<li>Strengthen the ability to withstand and recover from disruptions</li>
<li>Align operational processes with risk appetite and strategic priorities</li>
</ul>
<p>Insurers that take a proactive, integrated, and business-led approach to implementation will not only meet APRA’s requirements, but also enhance long-term resilience and stakeholder confidence.</p>
<h3>CPS 230 Challenges Experienced in Implementation</h3>
<p>Despite widespread awareness, many insurers are encountering similar roadblocks as they prepare for CPS 230. Some of the most common challenges include:</p>
<h4>1. Identifying Material Service Providers</h4>
<p>Identifying material service providers is proving difficult for many insurers. Applying consistent materiality criteria across business areas is challenging, particularly when vendor data is fragmented across multiple systems. In some cases, insurers are struggling to justify why certain providers have not been deemed material, exposing them to regulatory scrutiny.</p>
<h4>2. Contract Reviews and Negotiations</h4>
<p>Contract reviews and negotiations have emerged as another pressure point. Many legacy agreements lack critical provisions such as audit rights, sub-outsourcing controls, and exit terms that support resilience. Renegotiating contracts is often slow and complex—smaller or offshore vendors may resist changes, while in-house legal and procurement teams are stretched thin trying to manage the volume. These challenges are compounded by the heightened expectations around due diligence and ongoing monitoring, which are now more intrusive and resource-intensive than ever before.</p>
<h4>3. Siloed Risk and Continuity Practices</h4>
<p>A long-standing issue in many insurers is the siloed nature of operational risk, business continuity, and vendor management. These areas have historically operated independently, with limited cross-functional coordination. CPS 230 demands integration across these domains—an organisational and cultural shift that is both significant and resource-intensive. Further complicating matters, insurers are finding that critical operations do not always align neatly with existing business units or reporting lines, requiring rethinking of roles and responsibilities.</p>
<h4>4. Underdeveloped Scenario Analysis</h4>
<p>Scenario analysis is another area where insurers are still finding their footing. Many have limited experience in designing and executing operational risk scenarios, particularly ones that are both severe and plausible. Some struggle to engage the business meaningfully in defining these scenarios, while others lack the data and methodologies to assess financial and operational impacts with confidence.</p>
<h4>5. Board and Executive Readiness</h4>
<p>Board and executive readiness is variable. While some organisations have invested in targeted education, others are still bringing their Boards up to speed. There is a risk that senior leaders perceive CPS 230 as a compliance exercise, rather than a driver of resilience and strategic capability. Bridging this perception gap is essential to unlocking the full value of the standard.</p>
<h4>6. System and Data Constraints</h4>
<p>Technical and data limitations also persist. Many insurers continue to rely on legacy systems that do not support an integrated view of operational risk or enable effective ongoing monitoring. Risk registers are often inconsistent or incomplete, and insights may be limited due to a lack of automation, data visualisation, or access to timely information. These constraints hinder the ability to track emerging issues and manage risks proactively. In some cases, the design of the risk register itself is a limiting factor—too high-level to be useful, failing to capture critical details such as root causes, risk events, and consequences. The absence of robust quality control further undermines the reliability and value of these tools in decision-making and assurance.</p>
<h4>7. Change Fatigue and Competing Priorities</h4>
<p>Finally, the broader regulatory landscape is creating significant resourcing and sequencing challenges. CPS 230 is just one of several major reforms impacting the insurance sector. Insurers are also contending with the Financial Accountability Regime (FAR), CPS 511 on remuneration, and evolving expectations around climate and cyber risk management. While CPS 190 (Recovery Planning) has been in place for some time, CPS 900 (Exit Planning) currently applies only to larger, more complex institutions—yet its principles still influence industry expectations. Juggling these overlapping requirements with finite resources is proving difficult for many insurers. The result is mounting change fatigue, blurred priorities, and transformation programs that risk becoming reactive and fragmented rather than strategic and integrated.</p>
<h3>What Insurers Should Be Doing Now</h3>
<p>By April 2025, insurers should be approaching the final stretch of their CPS 230 implementation journey. This phase should focus on closing identified gaps, embedding new risk management practices into business-as-usual, and stress-testing systems and processes through robust scenario analysis.</p>
<h4>1. Hurry up and Finalise the CPS 230 Gap Analysis</h4>
<p>An essential starting point is finalising a detailed and well-evidenced gap analysis. Insurers should have already reviewed their existing operational risk frameworks and supporting documentation against the new CPS 230 requirements. This exercise must go beyond simply identifying missing processes—it should also assess whether existing practices are effective, integrated, and appropriately scaled to the organisation’s operational risk profile. A common shortfall is the disconnect between documented operational risk tolerances and the broader risk appetite framework. In some cases, tolerances exist but are not clearly linked to strategic objectives or appetite statements approved by the Board, undermining their usefulness in decision-making.</p>
<p>Additionally, many insurers are still maturing their understanding and articulation of disruption-related thresholds, such as Maximum Tolerable Period of Disruption (MTPD), Recovery Point Objectives (RPO), and Minimum Service Levels (MSL). These parameters are often treated as technical recovery targets rather than key inputs into business continuity planning and resilience assessment. CPS 230 requires insurers to bridge these conceptual and practical gaps to ensure that operational risk tolerances, resilience metrics, and risk appetite are aligned and meaningful in guiding business operations and continuity planning.</p>
<h4>2. Executing the CPS 230 Implementation Plan</h4>
<p>With gaps identified, a carefully structured and well-governed implementation plan is essential. This roadmap should set out clear priorities, responsibilities, deliverables, and milestones. Crucially, Board and executive buy-in is not optional. Active sponsorship from senior leadership, including regular progress reviews and resourcing decisions, is necessary to ensure momentum is sustained and the program does not become a compliance tick-box exercise.</p>
<h4>3. Enhancing the Operational Risk Framework</h4>
<p>The operational risk framework itself must evolve into a dynamic, forward-looking system. Insurers should be refreshing their risk definitions, control libraries, and taxonomies to reflect the operational risk profile unique to their business. The framework must clearly articulate who is responsible for identifying, assessing, monitoring, and mitigating operational risks. It should support strategic and operational decision-making, rather than sit in isolation.</p>
<h4>4. Material Service Provider Register and Oversight</h4>
<p>A core requirement under CPS 230 is the creation and ongoing maintenance of a register of material service providers, but this is just one element of a much broader uplift in third-party risk management. Identifying material providers is not simply a procurement or data exercise—it requires sound judgement, clear and consistently applied criteria, robust documentation of materiality decisions, and the ability to justify these determinations to APRA. Both external and intra-group providers may be material where their failure could significantly impact critical operations. However, beyond the register itself, insurers must also develop or strengthen Business Rules that articulate the minimum standards expected of service providers. These rules should serve as the foundation for legally binding contractual agreements, ensuring alignment with CPS 230 expectations around resilience, audit rights, performance management, data access, sub-outsourcing, and termination provisions.</p>
<p>Additionally, a comprehensive Service Provider Monitoring Framework must be in place to ensure ongoing oversight throughout the lifecycle of each relationship. This includes setting key performance and resilience metrics, monitoring adherence, conducting periodic reviews, and ensuring timely remediation of deficiencies. Together, the register, business rules, contracts, and monitoring arrangements form a cohesive control environment that demonstrates to APRA that third-party risks are being actively managed and governed.</p>
<h4>5. Strengthening Business Continuity and Resilience Planning</h4>
<p>Business continuity and resilience planning also require significant uplift under the new standard. Insurers must ensure that continuity plans are not only comprehensive and up-to-date but also tested against realistic and severe disruption scenarios. These plans should cover critical operations, supporting systems, data, people, facilities, and third-party dependencies.</p>
<p>CPS 230 introduces a more granular approach to continuity metrics, shifting away from the traditional Recovery Time Objective (RTO) and instead requiring entities to define the Maximum Tolerable Period of Disruption (MTPD or MAO), Recovery Point Objective (RPO), and Minimum Service Levels (MSL) for each critical operation. These parameters must be justified, achievable, and aligned with the insurer’s operational risk appetite and capabilities. Importantly, business continuity plans should not be owned solely by risk teams—they must be embedded in business operations, with clear accountability and awareness across the first line. This cultural shift is critical to ensuring resilience is operationalised and not just documented.</p>
<h4>6. Increasing Board and Executive Engagement</h4>
<p>Governance plays a pivotal role in the successful implementation of CPS 230. Boards and senior executives are not only expected to be informed and engaged, but also personally accountable for how operational risk is managed within their areas of responsibility. Under the Financial Accountability Regime (FAR), individuals in accountable roles must act with due skill, care, and diligence—and failure to do so may result in personal liability, including civil penalties of up to $1.53 million. As a result, effective oversight is not optional.</p>
<p>Boards must receive regular, high-quality updates on CPS 230 implementation and interrogate whether the organisation’s operational risk exposures are being managed within the established risk appetite. Where needed, targeted upskilling at both Board and executive levels should be undertaken to ensure the necessary capability exists to discharge these responsibilities.</p>
<p>In practical terms, accountable persons under FAR are expected to ensure that operational risks within their domain are identified, assessed, and mitigated; that material control weaknesses and incidents are reported and remediated promptly; and that risks related to service providers and potential disruptions are appropriately managed. This includes maintaining the operational risk management framework and strategy, reviewing and challenging the strength of control environments, facilitating the business continuity management program, and evaluating the operational risk profile against the Board’s stated appetite. Active governance—backed by clear accountability—is central to embedding CPS 230 in a meaningful and sustainable way.</p>
<h4>7. Improving Incident Management and Logging</h4>
<p>Incident management processes also require strengthening. Beyond logging and resolving issues, organisations must develop a learning mindset. This means analysing root causes, assessing control failures, identifying trends, and sharing insights across the business. Escalation thresholds and communication protocols should be refined to promote timely and appropriate response.</p>
<h4>8. Conducting Scenario Analysis</h4>
<p>Scenario analysis is another area where many insurers are still developing maturity. Under CPS 230, APRA expects insurers to assess the impact of plausible but severe disruptions on their operations—yet many organisations still treat this as a compliance formality rather than a strategic exercise. It&#8217;s important to distinguish between business continuity planning (BCP) scenarios and operational risk (OpRisk) scenarios.</p>
<p>BCP scenarios typically focus on testing the organisation’s ability to respond to and recover from specific disruption events—such as a data centre outage, cyberattack, or critical third-party failure. These exercises tend to be operationally driven and centred on continuity procedures, decision-making processes, and coordination under stress.</p>
<p>In contrast, OpRisk scenario analysis is a forward-looking risk management technique used to identify and quantify the financial and operational impact of extreme but plausible operational risk events. These scenarios are broader in scope, involve cross-functional input, and are often used to support capital assessments and risk appetite calibration.</p>
<p>CPS 230 challenges insurers to bridge the gap between these approaches—ensuring that both types of scenarios are aligned, relevant to the actual business model, and meaningfully integrated into resilience planning. Insurers should be able to demonstrate how scenario outcomes influence control improvements, response strategies, and operational risk capital decisions, rather than treating them as parallel, siloed activities.</p>
<h4>9. Training and Awareness</h4>
<p>Training and awareness efforts should now shift from general updates to targeted, role-specific education. Operational leaders, risk owners, and vendor managers must understand their obligations under CPS 230 and how these translate into their day-to-day responsibilities. Building a culture of operational resilience will only be possible if staff at all levels understand and own their part in the process.</p>
<h4>10. Documenting Everything</h4>
<p>Finally, documentation is key. APRA expects a comprehensive and auditable record of all frameworks, policies, registers, assessments, and decision-making processes. Insurers should not only be preparing to evidence compliance in July 2025, but also to demonstrate a process of continuous improvement over time.</p>
<h3>Final Thoughts</h3>
<p>CPS 230 is not just another compliance standard—it&#8217;s a framework for safeguarding trust, reputation, and stability in an increasingly complex risk landscape.</p>
<p>As the July 2025 deadline approaches, insurers must act decisively. A last-minute, compliance-only approach will not be sufficient to meet APRA&#8217;s expectations or to build the resilience that CPS 230 is designed to foster. The most effective implementation efforts are those that are embedded, Board-supported, and strategically aligned.</p>
<h3>Can We Help?</h3>
<p>Working with over 40 APRA-regulated entities, the InConsult team has a deep understanding of financial services and the APRA prudential standards. Since the implementation of the revised APRA Prudential Framework in 2001, we have helped our APRA-regulated clients navigate through the myriad of regulatory compliance requirements. We can assist in the review, redesign and uplift of internal policies, procedures, frameworks and training initiatives.</p>
<p>If you have any questions, or would like to know how we can help, <a title="Contact Us" href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener">contact us</a> to discuss your needs.</p>
The post <a href="https://inconsult.com.au/publication/cps-230-deadline-nears-fix-blind-spots-now/">CPS 230 Deadline Nears – Fix Blind Spots Now</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>CPS 230: Avoiding Implementation Pitfalls</title>
		<link>https://inconsult.com.au/publication/cps-230-avoiding-implementation-pitfalls/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Wed, 28 Feb 2024 06:33:35 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=11592</guid>

					<description><![CDATA[<p>Following an extensive industry consultation process, APRA released the final new cross-industry Prudential Standard CPS 230 Operational Risk Management (CPS 230) in July 2023. The new standard introduces fresh operational risk management requirements and consolidates and improves existing requirements around third-party risk management, outsourcing, and business continuity. CPS 230 is a cross-industry prudential standard that applies [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/cps-230-avoiding-implementation-pitfalls/">CPS 230: Avoiding Implementation Pitfalls</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>Following an extensive industry consultation process, APRA released the final new cross-industry <a href="https://www.apra.gov.au/operational-risk-management" target="_blank" rel="noopener">Prudential Standard CPS 230 Operational Risk Management</a> (CPS 230) in July 2023.</p>
<p>The new standard introduces fresh operational risk management requirements and consolidates and improves existing requirements around third-party risk management, outsourcing, and business continuity.</p>
<p>CPS 230 is a cross-industry prudential standard that applies to all APRA-regulated institutions, including banks, insurers (general, life, and health), and registrable superannuation entity licensees.</p>
<p>From 1 July 2025, it will replace 5 current prudential standards &#8211; CPS/SPS/HPS 231 Outsourcing and CPS/SPS 232 Business Continuity.</p>
<p>CPS 230 will help strengthen and complement other critical APRA prudential standards, including CPS 220 and SPS 220 relating to Risk Management and CPS 234 relating to Information Security.</p>
<p>Implementing CPS 230 is a large body of work, even for the most risk-mature financial institutions. That&#8217;s because larger entities tend to be more complex in both size and operating model. Less risk-mature organisations that flew under the radar in respect of operational risk and resilience will need to step up.</p>
<p>The InConsult risk and resilience team takes a close look at CPS 230 from a different perspective. We look at the different roles and responsibilities impacted and the impact on the risk management function. We draft a baseline CPS 230 implementation road map to help guide financial institutions to successful implementation and avoid the pitfalls.</p>
<h3>Why is CPS 230 Important?</h3>
<p>Operational risk is the broadest risk category that financial institutions grapple with. Operational risks are that &#8216;bucket&#8217; of risks that are not directly financial in nature and include internal fraud risk, external fraud risk, people and culture risk, systems and process risk, cyber security risk, data management and quality risk, business continuity risk, third-party risk, compliance risk, reputational risk, etc.</p>
<p>APRA recognises that disruptions to financial services – even temporarily – arising from systems and process failures can have a major detrimental impact on the community, depositors, policyholders, beneficiaries or other customers.</p>
<p>APRA also recognises the increasing reliance of financial institutions on third parties to help deliver those services to customers.</p>
<p>With a growing number of risks and incidents around supply chain interruptions, cybersecurity, and geopolitical and economic instability, the concerns for APRA have increased in recent years.</p>
<p>CPS 230 establishes new and expanded standards to bolster operational resilience and improve how entities manage their operational risks.</p>
<figure id="attachment_11610" aria-describedby="caption-attachment-11610" style="width: 646px" class="wp-caption aligncenter"><img decoding="async" class="wp-image-11610" src="https://inconsult.com.au/wp-content/uploads/2024/02/APRA-CPS230-key-outcomes-300x111.png" alt="CPS230" width="646" height="239" srcset="https://inconsult.com.au/wp-content/uploads/2024/02/APRA-CPS230-key-outcomes-300x111.png 300w, https://inconsult.com.au/wp-content/uploads/2024/02/APRA-CPS230-key-outcomes-768x284.png 768w, https://inconsult.com.au/wp-content/uploads/2024/02/APRA-CPS230-key-outcomes.png 1179w" sizes="(max-width: 646px) 100vw, 646px" /><figcaption id="caption-attachment-11610" class="wp-caption-text"><em>APRA CPS 230 Key Outcomes for Community</em></figcaption></figure>
<p>By strengthening how entities identify, manage and respond to operational risk events, APRA is aiming to enhance operational and financial resilience, and in turn financial stability.</p>
<h3>CPS 230 Key Requirements</h3>
<p>At the heart of the new standard are core requirements for APRA-regulated entities to:</p>
<ul>
<li>identify, assess and manage their operational risks, with effective internal controls, monitoring and remediation;</li>
<li>be able to continue to deliver their critical operations within tolerance levels through severe disruptions, with a credible business continuity plan (BCP); and</li>
<li>effectively manage the risks associated with service providers, with a comprehensive service provider management policy, formal agreements and robust monitoring.</li>
</ul>
<p>Therefore, CPS 230 requires financial institutions to strengthen these 4 pillars:</p>
<ul>
<li>Operational risk management.</li>
<li>Business continuity management.</li>
<li>Service provider management.</li>
<li>Accountability.</li>
</ul>
<p>What&#8217;s all the fuss about? Most financial institutions already have a risk management framework that covers operational risks, a business continuity plan and an outsourcing policy.</p>
<p>The answer is simple! The quality of business continuity management plans and processes and of outsourcing arrangements is often lacking, and there is probably too much inconsistency between financial institutions.</p>
<p>To successfully implement CPS 230, financial institutions must invest significant effort in reviewing their existing capabilities, resources, documentation, and governance arrangements. This is necessary to redesign and enhance these aspects in order to meet the new requirements, ultimately improving the resilience and operational risk management posture of the entities.</p>
<p>CPS 230 strives to address gaps and establish a more uniform approach, akin to the successful outcomes facilitated by CPS 220 and CPS 234. The goal is to direct the boards&#8217; attention towards enhancing operational resilience.</p>
<h3>The Key Terms</h3>
<p><em><strong>Operational resilience</strong></em> is the outcome of prudent operational risk management: the ability to effectively manage and control operational risks and maintain critical operations through disruptions.</p>
<p><em><strong>Critical operations</strong></em> are processes undertaken by a regulated entity or its service provider which, if disrupted beyond tolerance levels, would have a material adverse impact on its depositors, policyholders, beneficiaries or other customers, or its role in the financial system.</p>
<p><em><strong>Material service providers</strong></em> are those on which the entity relies to undertake a critical operation or that expose it to material operational risk.</p>
<p><em><strong>Material arrangements</strong></em> are those on which the entity relies to undertake a critical operation or that expose it to material operational risk.</p>
<h3>The Role of the Board</h3>
<p>CPS 230 is very clear in respect of the board&#8217;s responsibilities. The board of an APRA-regulated entity is ultimately accountable for oversight of an entity’s operational risk management. Specific responsibilities include:</p>
<ul>
<li>Setting clear roles and responsibilities for senior managers for operational risk management.</li>
<li>Overseeing operational risk management and the effectiveness of key internal controls.</li>
<li>Reviewing regular updates from senior management and ensuring action is taken to remediate concerns.</li>
<li>Approving the BCP.</li>
<li>Approving the tolerance levels for disruptions to critical operations.</li>
<li>Reviewing the results of testing and overseeing the execution of any findings.</li>
<li>Approving the service provider management policy and any material changes.</li>
<li>Reviewing risk and performance reporting on material service providers.</li>
<li>Understanding the expected impacts on the entity’s critical operations when making strategic decisions that could affect the resilience of critical operations.</li>
</ul>
<h3>The Role of Senior Management</h3>
<p>Whilst the board is responsible for oversight, senior management are responsible for operational risk management across the end-to-end process for all business operations. Specific responsibilities include:</p>
<ul>
<li>Providing the board with regular updates on the entity’s operational risk profile.</li>
<li>Receiving reports on material arrangements commensurate with the nature and usage of the service.</li>
<li>Taking action as and when required to address any areas of concern, including remediation plans for failures to meet tolerance levels.</li>
<li>Receiving reports designed to monitor operational risk and analyse operational risk data.</li>
<li>Receiving reports on the results of testing of controls and any gaps or deficiencies in the control environment.</li>
</ul>
<h3>The Role of Internal Audit</h3>
<p>Internal audit has an active role in CPS 230, beyond just assurance. Internal audit will be required to get closer to the outsourcing arrangements. Specific responsibilities include:</p>
<ul>
<li>Periodically reviewing the entity’s BCP and providing assurance to the board.</li>
<li>Reviewing any proposed material arrangement involving the outsourcing of a critical operation.</li>
<li>Regularly reporting to the board or board audit and risk committee on the compliance of outsourcing arrangements with the entity’s service provider management policy.</li>
</ul>
<h3>Impact of CPS 230 on the Risk Management Function and Line Management</h3>
<p>The biggest impact of CPS 230 is on the risk management function. That&#8217;s because the Standard mandates integration within the &#8220;risk management framework,&#8221; a domain shaped and overseen by the risk management function.</p>
<h4>Operational Risk Management</h4>
<p>For operational risk management, a regulated entity must:</p>
<ul>
<li>Develop and maintain governance arrangements for the oversight of operational risk.</li>
<li>Align operational risk management to other frameworks including recovery and exit planning, information technology capabilities and information security.</li>
<li>Maintain a comprehensive assessment of its operational risk profile.</li>
<li>Reassess its operational risk profile, with a defined risk appetite supported by indicators, limits and tolerance levels.</li>
<li>Maintain appropriate information systems to monitor operational risk, compile and analyse operational risk data and facilitate reporting.</li>
<li>Take incidents and near misses into account in the assessment of the operational risk profile and control effectiveness.</li>
<li>Ensure internal controls that are designed to manage operational risks are operating effectively.</li>
<li>Design, implement and embed internal controls to mitigate its operational risks in line with its risk appetite.</li>
<li>Monitor, review and test controls for design and operating effectiveness and remediate material weaknesses in its operational risk management.</li>
<li>Ensure appropriate monitoring, analysis and reporting of operational risks and escalation processes for operational incidents and events.</li>
</ul>
<h4>Business Continuity</h4>
<p>For business continuity management, a regulated entity must:</p>
<ul>
<li>Maintain business continuity plan(s) (BCPs).</li>
<li>Have a comprehensive understanding of its critical operations and define, identify and maintain a register of its critical operations.</li>
<li>Identify and document the processes and resources needed to deliver critical operations. This should include people, technology, information, facilities and service providers and the interdependencies across them.</li>
<li>Undertake scenario analysis to identify and assess the potential impact of severe operational risk events, test its operational resilience and identify the need to improve.</li>
<li>Notify APRA as soon as possible and not later than 24 hours after an entity has suffered a disruption to a critical operation outside tolerance and the BCP is activated.</li>
</ul>
<h4>Service Provider Management</h4>
<p>For service provider management, a regulated entity must:</p>
<ul>
<li>Have a Service Provider Management Policy.</li>
<li>Maintain processes for the management of service provider arrangements.</li>
<li>Conduct a comprehensive risk assessment before providing a material service to another party.</li>
<li>Ensure the operational risks are included in the various reviews required by CPS 220.</li>
<li>Notify APRA prior to entering into any material offshoring arrangement, or when there is a significant change proposed to the arrangement.</li>
<li>Notify APRA as soon as possible and not more than 20 business days after entering into or materially changing an agreement for the provision of a service on which the entity relies to undertake a critical operation.</li>
<li>Submit the register of material service providers to APRA on an annual basis.</li>
</ul>
<h4>Incident Management</h4>
<p>For incident management, a regulated entity must:</p>
<ul>
<li>Identify, escalate, record and address operational risk incidents and near misses in a timely manner.</li>
<li>Notify APRA as soon as possible, and not later than 72 hours, after becoming aware of an operational risk incident that it determines to be likely to have a material financial impact or a material impact on the ability of the entity to maintain its critical operations.</li>
<li>Ensure remediation of gaps, weaknesses and incidents are supported by clear accountabilities and address the root causes of weaknesses.</li>
</ul>
<h3>A New CPS 230 Artefact</h3>
<p>CPS 230 introduces at least one new artefact that will be required to support implementation, and some existing artefacts will require enhancement. The <strong>Service Provider Management Policy</strong> must cover how the entity will identify material service providers and manage service provider arrangements, including the management of material risks associated with the arrangements. This replaces the Outsourcing Policy required under CPS 231.</p>
<p>As part of developing a new service provider management policy, regulated entities will need to make sure that their policies include registers of material service providers, approaches to changes of such providers, and approaches to risks associated with such providers (and any fourth parties they rely on).</p>
<p>Other existing artefacts covered by CPS 230 include the business continuity plan (BCP), crisis management plan, recovery and exit plan, business and strategic plans, disaster recovery plan and remediation plan for failure to meet tolerance levels.</p>
<h3>CPS 230 Implementation Road Map</h3>
<p>CPS 230 aims to strengthen an entity&#8217;s operational risk practices. All APRA-regulated entities should understand the requirements of the standard and the implications for their risk management framework, business continuity management, information security, service provider arrangements and governance. Implementation and uplift of CPS 230 will vary depending on the size and complexity of each regulated entity, but here is our guide as a starting point.</p>
<h4>September 2023 to December 2023</h4>
<ul>
<li>Perform a CPS 230 gap analysis.</li>
<li>Risk management to brief senior management and board on the key shortfalls and agree the actions, timeframes and responsibilities to close out these gaps.</li>
<li>Risk management function to assess resourcing requirements and change management impacts of CPS 230.</li>
<li>Update the compliance register / obligations library and tasks to include CPS 230 requirements.</li>
<li>Update your operational risk profile. Consider recent gaps, incidents, issues and weaknesses in operational risk controls.</li>
</ul>
<h4>January 2024 to June 2024</h4>
<ul>
<li>Identify material service providers and critical operations; this may already be captured in your Business Impact Analysis (BIA) or outsourcing provider register.</li>
<li>Refine your processes to promptly identify and remediate material weaknesses including performing root cause analysis and establishing clear accountabilities.</li>
<li>Update your BIA templates to better align with CPS 230 and capture any additional CPS 230 requirements not already included.</li>
<li>Hold training and workshops to engage with the business and update your BIAs. The training will help ensure the business and managers understand key objectives of CPS 230 and remove uplift barriers.</li>
<li>Identify sound measures of triggers and establish monitoring and reporting processes.</li>
<li>Review board reporting processes and escalation triggers from senior management to the board.</li>
<li>Review board papers to ensure &#8216;risk implications&#8217; of strategic decisions include impacts on critical operations.</li>
<li>Amend BCP and service provider management policy to include board approval.</li>
<li>Amend BCP and incident management policy to include triggers for APRA reporting.</li>
<li>Revise roles and responsibilities of senior managers and risk management function to ensure roles and responsibilities are aligned to CPS 230.</li>
<li>Consider CPS 230 changes to Board Audit &amp; Risk Committee charters and workplans.</li>
<li>Liaise with Internal Audit to include CPS 230 requirements in workplans.</li>
<li>Review all current contracts with service providers who provide a critical operation to ensure they meet CPS 230 requirements.</li>
</ul>
<h4>July 2024 to March 2025</h4>
<ul>
<li>Update information assets register to include age and health and links to critical operations.</li>
<li>Update BIA list of critical functions or create a register of critical operations and the tolerance levels for each critical operation.</li>
<li>Establish the tolerance levels for each critical operation.</li>
<li>Establish monitoring mechanisms for escalation and board reporting.</li>
<li>At minimum, document/process map the processes and resources needed to deliver critical operations.</li>
<li>Update key elements of your business continuity policy and governance to include regular review, monitoring and testing.</li>
<li>Update supplier procurement, onboarding processes and ongoing management processes.</li>
</ul>
<h4>January to June 2025</h4>
<ul>
<li>Schedule an independent review and gap analysis of CPS 230 to identify any final gaps prior to implementation.</li>
</ul>
<h4>1 July 2025</h4>
<ul>
<li>CPS 230 comes into effect. CPS 231, CPS 232, SPS 231, SPS 232 and HPS 231 cease to operate.</li>
<li>All independent CPS 220 reviews need to consider CPS 230 requirements.</li>
</ul>
<h4>1 July 2026</h4>
<ul>
<li>Transitional period for pre-existing contractual arrangements with service providers now ends.</li>
</ul>
<h4>2028 to 2030</h4>
<ul>
<li>Given the current third-party and resilience landscape and APRA&#8217;s zero-tolerance approach to disruption-related risks, we predict APRA will require regulated entities to perform tripartite reviews to ensure that they maintain high standards of operational risk management and effectively manage critical operations and supplier risks. Any CPS 230 Tripartite Audit will be a one-off requirement mandating that regulated entities engage an independent auditor to report on the entity&#8217;s compliance against CPS 230.</li>
</ul>
<h3>Can We Help?</h3>
<p>Working with over 40 APRA-regulated entities, the InConsult team has a deep understanding of financial services and the APRA prudential standards. Since the implementation of the revised APRA Prudential Framework in 2001, we have helped our APRA-regulated clients navigate through the myriad of regulatory compliance requirements. We can assist in the review, redesign and uplift of internal policies, procedures, frameworks and training initiatives.</p>
<p>If you have any questions, or would like to know how we can help, <a title="Contact Us" href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener">contact us</a> to discuss your needs.</p>
The post <a href="https://inconsult.com.au/publication/cps-230-avoiding-implementation-pitfalls/">CPS 230: Avoiding Implementation Pitfalls</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Strengthening Financial Contingency Planning and Resilience</title>
		<link>https://inconsult.com.au/publication/strengthening-financial-contingency-planning-and-resilience/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Thu, 08 Sep 2022 04:08:33 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=10533</guid>

					<description><![CDATA[<p>To help banks, insurers, and superannuation trustees better respond to an impending financial crisis, the Australian Prudential Regulation Authority (APRA) has begun consulting on guidance to accompany its two new prudential standards on financial contingency planning and resolution planning. According to APRA, the disorderly failure of an APRA-regulated business might have serious consequences for the [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/strengthening-financial-contingency-planning-and-resilience/">Strengthening Financial Contingency Planning and Resilience</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>To help banks, insurers, and superannuation trustees better respond to an impending financial crisis, the Australian Prudential Regulation Authority (APRA) has begun <a href="https://www.apra.gov.au/consultation-on-draft-guidance-for-financial-contingency-and-resolution-planning" target="_blank" rel="noopener">consulting</a> on guidance to accompany its two new prudential standards on financial contingency planning and resolution planning.</p>
<p>According to APRA, the disorderly failure of an APRA-regulated business might have serious consequences for the economy and society. Crisis preparedness and resolution planning get to the very heart of APRA&#8217;s purpose to protect the financial interests of bank depositors, insurance policyholders and superannuation members.</p>
<p>APRA recognises that although Australia has one of the strongest and most stable financial systems in the world, and failures are extremely rare, businesses in any competitive market can face financial difficulties. Should that happen, APRA want to be sure each entity has the capability to either recover, or manage an &#8216;orderly exit&#8217; with the smallest possible impact on the community and the financial system as a whole.</p>
<h2>Two New Prudential Practice Guides Released</h2>
<p>It is important to note that prudential practice guides (PPGs) aim to provide guidance on APRA’s view of what is sound practice in the specific areas they address. PPGs can address the various legal requirements, e.g. legislation, regulations or APRA’s prudential standards, but the PPGs <strong>do not</strong> create enforceable requirements. Regulators will often ask the question, &#8220;if you do not follow the PPG, why not?&#8221;</p>
<p>The new Prudential Practice Guides CPG 190 Financial Contingency Planning and CPG 900 Resolution Planning set out principles and examples of better practice to assist entities meet their requirements under the proposed new standards, CPS 190 Financial Contingency Planning and CPS 900 Resolution Planning.</p>
<p>In developing the draft guidance, APRA has addressed areas where entities have requested greater clarity on the prudential standards.</p>
<p>Both CPS 190 and CPS 900 are intended to ensure that APRA-regulated entities are ready to handle challenges to their viability while minimising the repercussions of failing. They aim to improve <a href="https://inconsult.com.au/publication/strengthening-resilience-and-crisis-preparedness/" target="_blank" rel="noopener">financial resilience and preparedness</a>.</p>
<p>APRA have provided 2 versions of each CPG to download.</p>
<p><a href="https://www.apra.gov.au/strengthening-crisis-preparedness" target="_blank" rel="noopener"><img decoding="async" class="wp-image-10534 aligncenter" src="https://inconsult.com.au/wp-content/uploads/2022/09/APRA-CPG-Versions-300x87.jpg" alt="contingency planning apra" width="817" height="237" srcset="https://inconsult.com.au/wp-content/uploads/2022/09/APRA-CPG-Versions-300x87.jpg 300w, https://inconsult.com.au/wp-content/uploads/2022/09/APRA-CPG-Versions-768x223.jpg 768w, https://inconsult.com.au/wp-content/uploads/2022/09/APRA-CPG-Versions.jpg 1210w" sizes="(max-width: 817px) 100vw, 817px" /></a></p>
<p style="text-align: center;">Source: APRA</p>
<p>We recommend downloading the &#8216;integrated version&#8217; of each CPG as this includes references back to the relevant prudential standard for context.</p>
<h2>Draft CPG 190 Financial Contingency Planning</h2>
<p>CPG 190 is intended to assist entities in meeting the key requirements of the proposed new prudential standard CPS 190. It provides further explanation of the outcomes that APRA expects, so that entities can meet these expectations through their actions. It is principles-based, rather than prescriptive, and includes examples of better practice.</p>
<p>This CPG sets out the key areas that APRA supervisors will consider when assessing an entity’s financial contingency planning. The CPG provides specific guidance in 4 areas:</p>
<ul>
<li>Contingency planning in general including the indicative contingency planning lifecycle and key elements of the contingency plan.</li>
<li>The role and expectations of the Board when preparing for and responding to stress that could threaten financial viability.</li>
<li>Guidance when developing the contingency plan including the purpose of the trigger framework and credible recovery and exit actions.</li>
<li>Guidance on maintaining the plan and organisational capabilities to execute the plan.</li>
</ul>
<h2>Draft CPG 900 Resolution Planning</h2>
<p>CPG 900 sets out a framework for how APRA expects to engage with entities in developing and implementing a resolution plan. The proposed draft guidance explains what is expected of entities in the resolution planning process and sets out the factors that APRA will have regard to in developing resolution plans for individual entities.</p>
<p>Resolution is the process of dealing with a failed regulated entity, led by APRA as the resolution authority. It aims to minimise any adverse impact on depositors, insurance policyholders and superannuation fund members, i.e. APRA is looking for an &#8216;orderly failure&#8217; rather than the <a href="https://inconsult.com.au/publication/lessons-from-the-hih-collapse/" target="_blank" rel="noopener">HIH Insurance</a> type of disorderly failure.</p>
<p>This CPG sets out the key areas that APRA supervisors will consider when assessing an entity’s resolution planning. This CPG also provides specific guidance in 4 areas:</p>
<ul>
<li>Resolution planning in general and the indicative resolution lifecycle.</li>
<li>The process of developing a resolution plan including the role of the Board, the indicators of critical functions, resolvability assessment and potential resolution options.</li>
<li>The need to develop and implement a pre-positioning plan for the measures identified in the resolvability assessment and consideration of the resolution capabilities.</li>
<li>Expectations in respect to the review and notification requirements as APRA recognises that new strategic decisions can have a significant impact on the effectiveness of resolution planning.</li>
</ul>
<p>APRA’s draft prudential practice guides, CPG 190 Financial Contingency Planning (CPG 190) and CPG 900 Resolution Planning (CPG 900), will undergo a three-month consultation process.</p>
<h2>Update on CPS 190 and CPS 900</h2>
<p>APRA is currently reviewing the issues raised by stakeholders through the consultation process on CPS 190 and CPS 900, and is preparing a response to submissions.</p>
<p>APRA's initial analysis of stakeholder comments led it to conclude that no significant changes would be made to draft CPS 190. Respondents generally supported the intent of CPS 190 and predominantly sought clarification on a few elements, which the proposed CPG 190 will address. APRA intends to finalise CPS 190 later this year.</p>
<p>Stakeholder feedback on CPS 900 was more detailed, and in general entities were less familiar with how resolution planning would work in practice. To ensure that resolution plans suit each entity's particular circumstances, APRA expects CPS 900 to be implemented on an entity-by-entity basis. This should give a more proportionate approach and reduce the overall burden, but it also means that how the standard will affect a particular entity cannot be predicted in advance. APRA plans to finalise CPS 900 in the first half of 2023, after reviewing feedback on the proposed draft guidance.</p>
<h2>Can We Help?</h2>
<p>The InConsult team has a deep understanding of insurance and the APRA prudential standards including CPS 190 Financial Contingency Planning and CPS 900 Resolution Planning. Since the implementation of the revised APRA Prudential Framework in 2001, we have helped APRA-regulated clients navigate through the myriad of regulatory compliance requirements.</p>
<p>We are here to help strengthen crisis preparedness and resilience.  Our resilience support capabilities include:</p>
<ul>
<li>Helping you prepare a contingency plan that is appropriate to your business environment and risk profile, based on the APRA guidelines, CPS 190 and better practice guidelines.</li>
<li>Helping you remediate any concerns or gaps identified by the regulator.</li>
<li>Performing a comprehensive review of the ICAAP and the various response plans, including the BCP, IT disaster recovery plan, incident response plan, contingency plan, recovery plan and pandemic plan, to ensure they are in line with APRA standards, guidelines and better practice.</li>
<li>Conducting operational testing of the various response plans to identify opportunities for improvement.</li>
</ul>
<p>Be more resilient to a crisis and financial stress and <a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">contact us</a> to discuss your risk and resilience needs.</p>
The post <a href="https://inconsult.com.au/publication/strengthening-financial-contingency-planning-and-resilience/">Strengthening Financial Contingency Planning and Resilience</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>CPS 230 Operational Risk Management</title>
		<link>https://inconsult.com.au/publication/cps-230-operational-risk-management/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Mon, 15 Aug 2022 21:03:46 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=10105</guid>

					<description><![CDATA[<p>The Australian Prudential Regulation Authority (APRA) has kicked off the consultation process on a new prudential standard &#8211; CPS 230 &#8211;  designed to strengthen operational risk management. The standard introduces new operational risk management requirements and consolidates and improves existing requirements around third-party risk management, outsourcing, and business continuity. CPS 230 will be a new [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/cps-230-operational-risk-management/">CPS 230 Operational Risk Management</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>The Australian Prudential Regulation Authority (APRA) has kicked off the consultation process on a new prudential standard &#8211; CPS 230 &#8211; designed to strengthen operational risk management.</p>
<p>The standard introduces new operational risk management requirements and consolidates and improves existing requirements around third-party risk management, outsourcing, and business continuity.</p>
<p>CPS 230 will be a new cross-industry prudential standard for all APRA-regulated institutions, including banks, insurers (general, life, and health), and registrable superannuation entity licensees.</p>
<p>It will replace 5 current prudential standards &#8211; CPS/SPS/HPS 231 and CPS/SPS 232.</p>
<p>The new standard is scheduled to come into force from 1 January 2024 and the consultation package is available on the APRA website at <a title="Operational risk management" href="https://www.apra.gov.au/operational-risk-management" data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="83309510-0a77-4a7e-b80d-174c82c372f3">Operational risk management</a>.</p>
<h3>Operational Risk &amp; Resilience</h3>
<p>Operational resilience is crucial to the stability of financial institutions. With a growing number of risks and incidents around supply chain interruptions, cybersecurity, and geopolitical and economic instability, APRA's concerns have increased in recent years.</p>
<p>APRA recognises that disruptions to financial services – even temporarily – can have a major detrimental impact on the community, depositors, policyholders, beneficiaries or other customers.</p>
<p>Draft CPS 230 establishes new and expanded standards to bolster operational resilience and improve how entities manage their operational risks.</p>
<p>By strengthening how entities identify, manage and respond to operational risk events, APRA is aiming to enhance operational and financial resilience, and in turn financial stability.</p>
<h3>CPS 230 Key Requirements</h3>
<p>At the heart of the proposed new standard are core requirements for APRA-regulated entities to:</p>
<ul>
<li>identify, assess and manage operational risks, with effective internal controls, monitoring and remediation.</li>
<li>be able to continue to deliver critical operations within tolerance levels through severe disruptions, with a credible business continuity plan (BCP).</li>
<li>effectively manage the risks associated with service providers, with a comprehensive service provider management policy, formal agreements and robust monitoring.</li>
</ul>
<h3>Operational Risk Management</h3>
<p>Looking at the details, APRA has strengthened and reinforced important operational risk controls.  For example, an APRA-regulated entity will need to:</p>
<ul>
<li>maintain a <strong>comprehensive assessment of its operational risk</strong> profile.</li>
<li><strong>manage its full range of operational risks</strong>, including but not limited to legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk, reputational risk and change management risk.</li>
<li>maintain appropriate and <strong>sound information and information technology (IT) infrastructure</strong> to meet its current and projected business requirements and to support its critical operations and risk management.</li>
<li>assess the <strong>impact of its business and strategic decisions on its operational risk profile</strong> and operational resilience, as part of its business and strategic planning processes.</li>
<li>conduct a <strong>comprehensive risk assessment before providing a material service</strong> to another party to ensure that it is able to continue to meet its prudential obligations after entering into the arrangement.</li>
<li>design, implement and <strong>embed internal controls to mitigate its operational risks</strong> in line with its risk appetite and meet its compliance obligations.</li>
<li><strong>monitor, review and test controls</strong> for design and operating effectiveness, the frequency of which must be commensurate with the materiality of the risks being controlled.</li>
<li>remediate <strong>material weaknesses in its operational risk management</strong>, including control gaps, weaknesses and failures.</li>
<li>ensure that operational <strong>risk incidents and near misses</strong> are identified, escalated, recorded and addressed in a timely manner.</li>
<li><strong>notify APRA</strong> as soon as possible, and no later than 72 hours after becoming aware of an operational risk incident that could have a material financial impact or a material impact on critical operations.</li>
</ul>
<h3>Business Continuity</h3>
<p>The requirements around business continuity have also been strengthened. In short, an APRA-regulated entity will need to:</p>
<ul>
<li>have a <strong>comprehensive understanding of its critical operations</strong> and define, identify and maintain a register of its critical operations.</li>
<li>implement <strong>controls to minimise the likelihood and impact of disruptions</strong> to its critical operations.</li>
<li>maintain a <strong>credible Business Continuity Plan (BCP)</strong> that sets out how it would maintain its critical operations within tolerance levels through disruptions, including disaster recovery planning for critical information assets.</li>
</ul>
<h3>Material Service Providers</h3>
<p>An APRA-regulated entity must also maintain a comprehensive service provider management policy that sets out how it will identify material service providers and manage the arrangements with such providers, including the management of material risks associated with each arrangement. Material service providers are those the entity relies on to undertake a critical operation or that expose it to material operational risk. Services of this kind include:</p>
<ul>
<li>risk management</li>
<li>core technology services</li>
<li>critical or sensitive information asset providers</li>
<li>internal audit</li>
<li>credit assessment</li>
<li>funding and liquidity management</li>
<li>mortgage brokerage</li>
<li>underwriting</li>
<li>claims management</li>
<li>insurance brokerage</li>
<li>reinsurance</li>
<li>fund administration</li>
<li>custodial services</li>
<li>investment management</li>
<li>arrangements with promoters and financial planners</li>
</ul>
<p>An APRA-regulated entity must maintain a formal legally binding agreement with material service providers and submit its register of material service providers to APRA on an annual basis.</p>
<h3>Critical Operations</h3>
<p>So what is a critical operation?  APRA defines critical operations as the processes undertaken by the entity or its service provider which, if disrupted beyond tolerance levels, would have a material adverse impact on its depositors, policyholders, beneficiaries or other customers, or its role in the financial system.  Examples include:</p>
<ul>
<li>payments</li>
<li>deposit-taking and management</li>
<li>custody</li>
<li>settlements</li>
<li>clearing</li>
<li>claims processing</li>
<li>investment management</li>
<li>fund administration</li>
<li>customer enquiries</li>
<li>systems and infrastructure that support critical operations</li>
</ul>
<h3>Tolerance Levels</h3>
<p>The proposed standard requires an APRA-regulated entity&#8217;s Board to approve tolerance levels for each critical operation.  The tolerance levels include:</p>
<ul>
<li>the maximum <strong>period of time</strong> the entity would tolerate a disruption to the operation.</li>
<li>the maximum <strong>extent of data loss</strong> the entity would accept as a result of a disruption.</li>
<li>the minimum <strong>service levels the entity would maintain</strong> while operating under alternative arrangements during a disruption.</li>
</ul>
<h3>Responsibilities</h3>
<p>The Board will be ultimately accountable for the oversight of an APRA-regulated entity’s operational risk management, including business continuity and the management of service provider arrangements.  The Board must also approve tolerance levels.</p>
<p>When the Board is making decisions that could affect the resilience of critical operations, senior management of an APRA-regulated entity will need to provide the Board with clear and comprehensive information on the expected impacts of those decisions on the entity's critical operations.</p>
<h3>Operational Risk Weakness</h3>
<p>Operational risks will be subject to regular review and where APRA considers an entity’s operational risk management has material weaknesses, APRA can:</p>
<ul>
<li>require an independent review of the entity’s operational risk management</li>
<li>mandate the entity to develop a remediation program</li>
<li>require the entity to hold additional capital, as relevant</li>
<li>impose conditions on the entity’s licence</li>
<li>take other actions required in the supervision of this Prudential Standard</li>
</ul>
<h3>Next Steps</h3>
<p>Although the new standard will not come into force until January 2024, APRA-regulated entities should understand its requirements now and the implications for their risk management frameworks.</p>
<p>The new standard has strong links to other prudential standards and will also require alignment of the various risk categories and risk and resilience frameworks.  The standard will require that operational risk management be integrated into:</p>
<ul>
<li>strategic planning</li>
<li>the risk management framework and processes</li>
<li>outsourcing / third party / vendor risk management process</li>
<li>contract management processes</li>
<li>business continuity management</li>
<li>business impact analysis</li>
<li>disaster recovery &amp; cyber security</li>
<li>financial contingency planning</li>
<li>incident &amp; issues management</li>
<li>board and management oversight</li>
<li>line 1 monitoring assurance</li>
<li>internal audit assurance</li>
</ul>
<p>Need more guidance? Read about our <a href="https://inconsult.com.au/publication/seeking-resilience-how-to-become-a-more-resilient-organisation/" target="_blank" rel="noopener">6 pillars of resilience</a> and how to become a more resilient organisation.</p>
<h3>Can We Help?</h3>
<p>The InConsult team has a deep understanding of insurance and the APRA prudential standards.  Since the implementation of the revised APRA Prudential Framework in 2001, we have helped APRA-regulated clients navigate through the myriad of regulatory compliance requirements. We can assist in the review, redesign and uplift of internal policies, procedures, frameworks and training initiatives.</p>
<p>If you have any questions, or would like to know how we can help, <a title="Contact Us" href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener">contact us</a> to discuss your needs.</p>
The post <a href="https://inconsult.com.au/publication/cps-230-operational-risk-management/">CPS 230 Operational Risk Management</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Strengthening Resilience and Crisis Preparedness</title>
		<link>https://inconsult.com.au/publication/strengthening-resilience-and-crisis-preparedness/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Thu, 02 Dec 2021 09:17:58 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=8821</guid>

					<description><![CDATA[<p>Recently, the Australian Prudential Regulation Authority (APRA) updated its policy priorities for Q4 2021 that included deferring consultation and planned commencement for some changes in order to focus on the completion of key reforms designed to strengthen financial resilience.  This change in priority is a welcome change given the increasing impact of the global pandemic [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/strengthening-resilience-and-crisis-preparedness/">Strengthening Resilience and Crisis Preparedness</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>Recently, the Australian Prudential Regulation Authority (APRA) updated its policy priorities for Q4 2021 that included deferring consultation and planned commencement for some changes in order to focus on the completion of key reforms designed to strengthen financial resilience.  This change in priority is a welcome change given the increasing impact of the global pandemic and climate change on financial institutions.</p>
<h3>APRA's focus on resilience is not new</h3>
<p>There are already many prudential standards and guidelines that address different elements of operational resilience and financial resilience.  They include:</p>
<ul>
<li>CPG 110 Internal Capital Adequacy Assessment Process and Supervisory Review</li>
<li>CPS 232 Business Continuity Management</li>
<li>CPS 234 Information Security</li>
<li>CPG 233 Pandemic Planning</li>
<li>CPG 229 Climate Change Financial Risks</li>
<li>CPS 231 Outsourcing</li>
</ul>
<p>In recent years, APRA has also worked directly with the major banks and with general, life and health insurers to ensure they develop Recovery Plans, despite there being no formal standard. APRA has provided some good guidance in the <a href="https://www.apra.gov.au/sites/default/files/2021-12/Discussion%20Paper%20-%20Strengthening%20crisis%20preparedness.pdf" target="_blank" rel="noopener">Discussion Paper – Strengthening Crisis Preparedness</a>.</p>
<p>APRA has now begun consulting on 2 new proposed prudential standards to help strengthen the preparedness of financial institutions to respond to future financial crises.</p>
<ul>
<li><a href="https://www.apra.gov.au/sites/default/files/2021-12/Draft%20Prudential%20Standard%20CPS%20190%20Financial%20Contingency%20Planning.pdf" target="_blank" rel="noopener">CPS 190 Financial Contingency Planning PDF</a></li>
<li><a href="https://www.apra.gov.au/sites/default/files/2021-12/Draft%20Prudential%20Standard%20CPS%20900%20Resolution%20Planning.pdf" target="_blank" rel="noopener">CPS 900 Resolution Planning PDF</a></li>
</ul>
<p>The two proposed standards are aimed at ensuring entities are prepared to deal with threats to their financial viability, thereby reducing the negative consequences of failure. Remember, APRA has zero appetite for the disorderly failure of a financial entity, which can have a significant impact on financial system stability and the broader economy. APRA and the federal government also have no appetite to use taxpayer funds to stabilise the financial system, which would create moral hazard and put pressure on federal government finances.</p>
<h3>CPS 190 Financial Contingency Planning</h3>
<p>CPS 190 Financial Contingency Planning (CPS 190) seeks to minimise the risk of entity failure by ensuring all APRA-regulated entities have plans for responding to severe financial stress.  CPS 190 will require all APRA-regulated entities to:</p>
<ul>
<li>Develop and maintain credible financial contingency plans for managing stress that may threaten their financial viability, including plans for rebuilding financial resilience or effecting an orderly exit. These plans set out the actions an entity would take under stress to restore financial resilience or exit the industry safely, while protecting depositors, insurance policyholders and superannuation fund members.</li>
<li>Monitor indicators of potential stress and be ready to trigger activation of the contingency plan or of specific actions within it.</li>
<li>Be able to effect an orderly exit from the industry if recovery actions are not effective. This is achieved through a credible plan, appropriate governance arrangements, maintaining sufficient resources to support the implementation of recovery and exit actions, and periodic review and testing.</li>
</ul>
<p>The proposed CPS 190 will apply to an entity whilst it is still a going concern to reduce the likelihood of entity failure.</p>
<p>CPS 190 will also apply to smaller entities, which will be subject to less onerous requirements in line with their size, complexity and business models. Entities determined to be significant financial institutions (SFIs) would be subject to higher requirements. APRA has defined the thresholds for significant financial institutions as follows:</p>
<table width="472">
<tbody>
<tr>
<td width="373">
<h4><strong>Industry</strong></h4>
</td>
<td style="text-align: center;" width="99">
<h4><strong>Assets</strong></h4>
</td>
</tr>
<tr>
<td>Authorised deposit-taking institutions</td>
<td style="text-align: center;"> &gt;$20 billion</td>
</tr>
<tr>
<td>General and life insurers</td>
<td style="text-align: center;">&gt;$10 billion</td>
</tr>
<tr>
<td>Private health insurers</td>
<td style="text-align: center;">&gt;$3 billion</td>
</tr>
<tr>
<td>Combined total assets of RSEs within the RSE licensee</td>
<td style="text-align: center;">&gt;$30 billion</td>
</tr>
</tbody>
</table>
<p style="text-align: center;"><em>Source: APRA</em></p>
<h3>CPS 900 Resolution Planning</h3>
<p>CPS 900 Resolution Planning (CPS 900) aims to minimise the impact of entity failure.  CPS 900 would require large or complex APRA-regulated entities to take pre-emptive actions so that, in the event of their failure, APRA can resolve them with limited adverse impacts on the community and the financial system.</p>
<p>Key requirements of CPS 900 will include:</p>
<ul>
<li>Conduct a resolvability assessment to identify any barriers to resolution. The resolvability assessment will typically cover any legal, structural, operational or regulatory barriers to implementation, the timelines for implementing each resolution option and the risks of executing it.</li>
<li>Develop and implement a pre-positioning plan to remove any barriers to resolution. The Board must provide oversight of and approve the resolvability assessment and the pre-positioning plan.</li>
<li>Maintain capabilities to support APRA in effecting a resolution so that critical financial services can continue to be provided with minimal disruption. This may include the identification of all material business activities of the entity, and an assessment of whether any of these activities are critical functions based on their systemic impact, customer impact and the substitutability by other providers if they were to cease.</li>
<li>Review and update the resolvability assessment at least every three years.</li>
</ul>
<p>Whereas CPS 190 applies while an entity is still a going concern, CPS 900 is directed at the gone-concern situation (after failure): its purpose is to minimise the adverse impact of the entity's failure.</p>
<p>As CPS 900 would only apply to large or complex APRA-regulated entities, APRA has sought to minimise any adverse impacts on smaller and/or less complex entities such as Australian branches of larger international financial entities.</p>
<h3>Planned implementation</h3>
<p>There will be a five-month consultation period on CPS 190 and CPS 900. The consultation closes on 29 April 2022.</p>
<p>Following the initial consultation period, APRA will also consult on the supporting guidance material in 2022.</p>
<p>For banking and insurance entities, APRA proposes that the new prudential standards would come into force from 1 January 2024.</p>
<h3>How we can help you on your resilience and crisis preparedness journey</h3>
<p>InConsult previously published <a href="https://inconsult.com.au/publication/the-recovery-plan-guideline-for-insurers/">The Recovery Plan – A Guideline for Insurers </a>which explained regulatory expectations and how it was intended to integrate and align with the ICAAP, Business Continuity Plan and other aspects of the risk management framework. It is pleasing to see that APRA has now relabelled the Recovery Plan as Financial Contingency Plan to avoid confusion with a type of Business Continuity Plan.</p>
<p>Aspects of CPS 190 will apply to <strong>all</strong> financial institutions. To prepare for CPS 190, all insurers <strong>should</strong>, as part of the annual review of their ICAAP Summary Statement, consider conducting a benchmarking exercise against <a href="https://www.legislation.gov.au/Details/F2019L00869">GPS 110 Capital Adequacy</a> and <a href="https://www.apra.gov.au/sites/default/files/2019-06/CPG%20110%20ICAAP%20and%20Supervisory%20Review%20March%202013.pdf">CPG 110 ICAAP and Supervisory Review</a>. Remember, the ICAAP Summary Statement is intended to be a high-level document that summarises processes; documenting the detailed processes (business planning, capital monitoring and reporting, and recovery actions) is therefore important to ensure they are carried out in a timely and consistent manner.</p>
<p>We are here to help strengthen crisis preparedness and resilience.  Our resilience support capabilities include:</p>
<ul>
<li>Helping you prepare a contingency plan (recovery plan) that is appropriate to your business environment and risk profile, based on the APRA guidelines, CPS 190 and better practice guidelines.</li>
<li>Helping you remediate any concerns or gaps identified by the regulator.</li>
<li>Performing a comprehensive review of the ICAAP and the various response plans, including the BCP, IT disaster recovery plan, incident response plan, contingency plan, recovery plan and pandemic plan, to ensure they are in line with APRA standards, guidelines and better practice.</li>
<li>Conducting operational testing of the various response plans to identify opportunities for improvement.</li>
</ul>
<p>Be more resilient to a crisis and financial stress and <a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">contact us</a> to discuss your risk and resilience needs.</p>
The post <a href="https://inconsult.com.au/publication/strengthening-resilience-and-crisis-preparedness/">Strengthening Resilience and Crisis Preparedness</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The Recovery Plan &#8211; A Guideline for Insurers</title>
		<link>https://inconsult.com.au/publication/the-recovery-plan-guideline-for-insurers/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Wed, 14 Jul 2021 05:49:26 +0000</pubDate>
				<guid isPermaLink="false">https://ac861nz9.dreamwp.com/?post_type=publication&#038;p=7486</guid>

					<description><![CDATA[<p>In 2017, almost 10 years after the start of the Global Financial Crisis (GFC), the Basel Committee and the European Systemic Risk Board (ESRB) issued a report that called on the European Commission to introduce a harmonised legislative recovery and resolution framework for insurers and reinsurers.  In 2018, the International Association of Insurance Supervisors (IAIS) [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/the-recovery-plan-guideline-for-insurers/">The Recovery Plan – A Guideline for Insurers</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>In 2017, almost 10 years after the start of the Global Financial Crisis (GFC), the Basel Committee and the European Systemic Risk Board (ESRB) issued a report that called on the European Commission to introduce a harmonised legislative recovery and resolution framework for insurers and reinsurers.  In 2018, the International Association of Insurance Supervisors (IAIS) published the ‘Draft Application Paper on Recovery Planning’ that provided guidance on the key elements of a recovery plan to support financial distress.</p>
<p>Recovery planning is now being incorporated into the Australian Prudential Regulation Authority's (APRA) supervisory approach for regulated institutions. To prepare a credible recovery plan, an insurer will need to do a good deal of analysis, workshops, communication and framework alignment, along with both strategic and tactical thinking. Let's tackle some important questions:</p>
<ul>
<li>What are the objectives of the recovery plan?</li>
<li>What should the recovery plan include?</li>
<li>Where does it fit into the resilience spectrum?</li>
<li>How will regulators evaluate the quality of the recovery plan?</li>
</ul>
<h3>Regulators have no appetite for failures</h3>
<p>Since the <a href="https://www.aph.gov.au/About_Parliament/Parliamentary_Departments/Parliamentary_Library/Publications_Archive/archive/hihinsurance" target="_blank" rel="noopener">collapse of HIH Insurance</a> in 2001, APRA has been one of the world&#8217;s most proactive and forward looking financial regulators. APRA&#8217;s vision is &#8220;to deliver a sound and resilient financial system, founded on excellence in prudential supervision&#8221;.</p>
<p>Many have said that APRA&#8217;s prudential standards and proactive regulatory approach helped minimise the impact of the GFC on the Australian economy from mid 2007 to early 2009 when, around the world, millions of people lost their jobs as the largest and most sophisticated and advanced economies experienced their deepest recessions since the Great Depression of the 1930s.</p>
<p>To help achieve its vision, each year APRA publishes its policy and supervision priorities. For 2021 and 2022, APRA will continue to develop policies that strengthen institutions' resilience and preparedness for managing through periods of stress, including recovery and resolution planning, operational resilience, stress testing and climate-related financial risks.</p>
<p>For APRA, the resilience and recovery planning journey started back in 2018/2019, when APRA required all health insurers to develop a recovery plan. Also on the agenda is the development of a new prudential standard on recovery and resolution planning, taking into account the results of a thematic review with a group of large and medium-sized general and life insurers and lessons learnt from the COVID-19 pandemic.</p>
<h3>The financial stress continuum</h3>
<p>Organisations should understand the relationships between financial viability, early warning indicators, recovery triggers, the respective plans invoked, and the actions taken by the regulator.  This relationship is illustrated in figure 1 below as a guide &#8211; note the sample triggers are examples only.</p>
<p><img loading="lazy" decoding="async" class="wp-image-7637 aligncenter" src="https://inconsult.com.au/wp-content/uploads/2021/07/Recovery-plan-financial-stress-continuum.jpg" alt="recovery plan" width="963" height="543" srcset="https://inconsult.com.au/wp-content/uploads/2021/07/Recovery-plan-financial-stress-continuum.jpg 1300w, https://inconsult.com.au/wp-content/uploads/2021/07/Recovery-plan-financial-stress-continuum-300x169.jpg 300w, https://inconsult.com.au/wp-content/uploads/2021/07/Recovery-plan-financial-stress-continuum-1224x690.jpg 1224w, https://inconsult.com.au/wp-content/uploads/2021/07/Recovery-plan-financial-stress-continuum-768x433.jpg 768w" sizes="(max-width: 963px) 100vw, 963px" /></p>
<p>Clearly, organisations should operate in the viable stage, which is business as usual.  In this stage the risk of failure is low, and all triggers are within risk appetite and the normal target range.</p>
<p>As adverse events occur, organisations may move into the early stress stage or the extreme stress range, where the early warning indicators and triggers fall outside risk appetite or the target operating range.  In this environment a range of plans will come into play, including the recovery plan, and regulator monitoring becomes more intensive.</p>
<p>Where recovery is not possible, the resolution plan is activated by the regulator. At this point, the insurer is no longer viable and has no reasonable prospect of becoming viable.</p>
<h3>What is recovery planning</h3>
<p>As defined in the IAIS glossary, a “recovery plan” is a plan that “identifies in advance options to restore the financial position and viability if the insurer comes under severe stress”. A recovery plan should at minimum cover three elements:</p>
<ol>
<li>Credible options (menu of actions) to cope with a range of severe stress scenarios.</li>
<li>Scenarios that address capital shortfall and liquidity pressures.</li>
<li>Processes to ensure timely implementation of effective recovery options in a range of severe stress situations.</li>
</ol>
<p>The recovery plan is developed, implemented, maintained, reviewed and tested by the insurer. For the plan to be appropriate and credible, additional analysis and information is required.</p>
<h3>Recovery plan content</h3>
<p>Based on our experience and on better practice guidance such as the IAIS Application Paper on Recovery Planning (2019) and APRA guidelines, we suggest the recovery plan cover, at minimum, the following sections:</p>
<p><strong>Executive summary</strong><br />
This is a standalone summary of the material components of the recovery plan, including an overview of governance arrangements, early warning indicators and trigger framework, recovery options and communication strategy.</p>
<p><strong>Background information</strong><br />
A brief overview of the organisation including core business, business model, structure, and interdependencies.  This helps to contextualise the recovery plan to the organisation.</p>
<p>The background information section will also help the regulator better understand the organisation to help assess the appropriateness of the trigger framework, scenario tests performed and recovery options included.</p>
<p><strong>Governance</strong><br />
This section should include a description of the monitoring, review and testing activities, plan ownership, related frameworks, and respective roles and responsibilities of key stakeholders (and alternates) during the business-as-usual phase and the recovery phase.</p>
<p>Effective governance arrangements are critical when developing, maintaining and invoking the recovery plan.  It outlines responsibilities for monitoring and timely escalation processes for starting the implementation of recovery options.</p>
<p>Plan ownership should be clear, as well as all other responsibilities for key activities.</p>
<p>The recovery plan should be approved by the Board (or, for a branch of a foreign general insurer, by the Senior Officer Outside Australia).</p>
<p>The recovery plan should be integrated and aligned to other plans and frameworks an organisation has in place e.g. risk management framework, capital management plans, liquidity management, crisis management plan, business continuity plan, etc.</p>
<p>The plan should be reviewed regularly and updated for material changes to the environment, strategy, structure or activities of the organisation.</p>
<p>Will the plan work when it&#8217;s activated?  At minimum, it is good practice the plan be operationally tested annually and any opportunities for improvement be incorporated in the recovery plan.  The key benefit of testing is to help calibrate triggers, scenarios and recovery options.</p>
<p><strong>Trigger framework</strong><br />
A trigger is an early warning indicator of a potential issue.  Triggers raise a red flag, but breaching a trigger does not necessarily result in activation of the plan.</p>
<p>This section should include a sufficient range of relevant early warning indicators and triggers, including both qualitative and quantitative metrics to allow timely escalation, decision-making and invoking the recovery plan.</p>
<p>In line with good practice, the key here is to have a range of metrics and timely trigger points in place to alert management, escalate if required and start the recovery planning process.</p>
<p>The trigger framework should be appropriate to the organisation, and hence the importance of the background information section.  The scenario analysis helps to inform the trigger framework.</p>
<p>Some examples of triggers that insurers may consider:</p>
<ul>
<li>large insurance losses</li>
<li>catastrophic losses over the reinsurance limits</li>
<li>failure or downgrade of a reinsurer</li>
<li>large investment losses or deterioration in investment values</li>
<li>deteriorating capital</li>
<li>reduction in capital ratios</li>
<li>material increase in minimum capital requirements</li>
<li>material reduction in new business or renewals</li>
<li>sustained decrease in profitability</li>
<li>deterioration in liquidity</li>
<li>credit rating downgrade</li>
<li>operational event that threatens financial viability or severe financial loss e.g. cyber attack</li>
<li>adverse judicial interpretations</li>
<li>external market forces e.g. aggressive competition, new market entrant</li>
<li>adverse macroeconomic factors e.g. changing interest rates, changes in government regulation and fiscal policy</li>
<li>any sudden change in net assets</li>
</ul>
<p>Insurers should not rely on just one hard trigger.  Rather, a range of triggers with a knock-on effect (so that a breach of one escalates monitoring of the others) is considered better practice.</p>
<p><strong>Recovery options</strong><br />
This section would have to be the most important part of the recovery plan.  Why? This is where the insurer should outline the range of credible recovery options which aim to enhance its ability to restore itself to financial soundness and meet policyholder expectations.</p>
<p>APRA expects the menu of recovery options to be comprehensive and generate financial benefits to quickly restore the insurer to a sound financial position.</p>
<p>The combination of scenario analysis and regular testing will help ensure that the menu of recovery options are well and truly exhausted i.e. comprehensive.</p>
<p>Some examples of recovery options may include:</p>
<ul>
<li>raising non-equity capital</li>
<li>raising equity capital</li>
<li>reducing or suspending dividend payments</li>
<li>reducing or suspending cash repatriation to holding company</li>
<li>improving liquidity</li>
<li>buying more reinsurance</li>
<li>restructuring reinsurance arrangements</li>
<li>restructuring the investment portfolio</li>
<li>management actions such as restructure, cost savings initiatives</li>
<li>exit unprofitable product lines</li>
<li>partial or full portfolio transfer/sale</li>
<li>partial or full portfolio run-off</li>
</ul>
<p>Simply listing the recovery options is not enough.  Each option should contain assumptions, implications on strategy, details as to how it will be operationally implemented and the expected financial benefits.</p>
<p><strong>Communication strategy</strong><br />
Ideally, the insurer should include tailored communication strategies which recognise the different communication needs depending on the recovery option(s) being taken. Timely communication helps maintain stakeholder trust and confidence.</p>
<p>The communication strategy should cover both internal communication e.g. board, staff, and external communication e.g. policyholders, agents, brokers, regulators, key third parties.</p>
<p>Insurers should also consider appropriate disclosure obligations under the Corporations Act 2001 and Australian Securities Exchange Listing Rules where applicable.</p>
<p><strong>Scenario analysis</strong><br />
Scenario analysis helps assess the credibility of the recovery plan, and helps to inform and establish the trigger framework and feasibility of the recovery options.</p>
<p>This section of the plan includes a summary of a range of scenarios used, including the estimated financial impacts.</p>
<p>The scenarios should be tailored to the insurer’s business, risk profile, business model and group structure, and need to be severe enough to activate the recovery plan.  Severe but plausible stress scenarios that could ultimately affect the viability of the insurer are preferred.</p>
<p>When choosing scenarios, they should cover appropriately defined events that are most relevant to the insurer, taking into account the insurer’s risk profile, business model, group structure (if applicable) and other relevant factors.  Scenarios can include:</p>
<ul>
<li>Idiosyncratic stress events, where the negative impact is specific to an insurer or group.  For example:
<ul>
<li>mass lapse of policies</li>
<li>failure of material counterparties</li>
<li>severe losses through a rogue trader or another conduct risk</li>
<li>a material major cyber-security breach</li>
</ul>
</li>
<li>Market-wide stress events and/or macroeconomic events affecting the financial system and/or economy. For example:
<ul>
<li>a significant loss or stress in financial markets</li>
<li>a major change to the interest rate environment</li>
<li>a high-impact catastrophic event, such as a pandemic or climate-related event</li>
<li>a significant increase in longevity following a medical breakthrough</li>
<li>a spike in claims following an unfavourable judicial decision</li>
</ul>
</li>
<li>A combination of idiosyncratic and market-wide stress events</li>
<li>Both slow-moving and fast-moving adverse events</li>
</ul>
<p><strong>Appendix</strong><br />
An appendix of relevant information that may be important to the effective execution of the recovery plan.  This may include detailed scenarios, key assumptions, sample communication templates that can be tailored once the plan is activated, a table of scheduled activities etc.</p>
<h3>What will regulators look for in a recovery plan?</h3>
<p>Regulators like APRA will review and challenge insurers and they will provide feedback.  Regulators will review a wide range of recovery plans and set some peer benchmarks.</p>
<p>Regulators will regularly undertake resolvability assessments that evaluate the feasibility of recovery and resolution strategies and their credibility in light of the likely impact of the entity&#8217;s failure on the financial system and the overall economy. Regulators will typically assess:</p>
<ul>
<li>the extent to which critical financial services, and payment, clearing and settlement functions can continue to be performed</li>
<li>the nature and extent of intra-group exposures and their impact on recovery and resolution if they need to be unwound</li>
<li>the capacity of the entity to deliver sufficiently detailed accurate and timely information to support recovery</li>
<li>the robustness of cross-border cooperation and information sharing arrangements</li>
</ul>
<p>Where insurers fail to achieve the benchmark or meet the guidelines, regulators will ask them to remediate the gaps and resubmit the recovery plan.</p>
<p>In their assessment of the recovery plan, regulators will typically ask the following questions:</p>
<ul>
<li>Is the recovery plan clear, comprehensive and complete?</li>
<li>Is the plan appropriate and relevant considering the insurer&#8217;s risk profile?</li>
<li>Is the plan well aligned to the risk management and capital management frameworks?</li>
<li>Is the menu of recovery options sufficient i.e. wide enough range?</li>
<li>Are recovery options credible?</li>
<li>Are the recovery assumptions reasonable?</li>
<li>Are the stress scenarios sufficiently severe?</li>
<li>Are the early warning indicators and triggers appropriate for invoking the plan?</li>
<li>Are the triggers aligned to the results of scenario analysis and stress tests?</li>
<li>Can the recovery options be implemented in a timely manner?</li>
<li>Are the execution timeframes feasible?</li>
<li>Are the roles and responsibilities of the Board and Senior Management clearly defined?</li>
<li>What evidence is there of engagement with the Board and Senior management?</li>
<li>Does the communication include all key stakeholders?</li>
<li>Is the recovery plan regularly reviewed and updated?</li>
<li>Is the recovery plan tested annually?</li>
</ul>
<h3>What is a resolution plan?</h3>
<p>This is really the last resort on the resilience spectrum. The resolution plan kicks in when recovery planning fails.</p>
<p>The resolution plan establishes how the regulator would use its powers to achieve an orderly resolution of the failed institution where recovery is not possible and the institution has no reasonable prospect of returning to viability.  The resolution plan identifies in advance options for resolving all or part(s) of an institution to maximise the likelihood of an orderly resolution.</p>
<p>The development of the resolution plan is led by the regulator (APRA) and/or resolution authority in consultation with the insurer in advance of any circumstances warranting resolution.</p>
<h3>How we can help you on your recovery planning journey</h3>
<p>We are here to help strengthen organisational resilience.  Our recovery planning capabilities include:</p>
<ul>
<li>Helping you prepare a recovery plan that is appropriate to your business environment and risk profile based on the APRA guidelines and better practice guidelines.</li>
<li>Helping you remediate any concerns or gaps identified by the regulator.</li>
<li>Performing a comprehensive review of your recovery plan to ensure it is in line with the APRA guideline and better practice guidelines.</li>
<li>Conducting testing of the recovery plan to identify opportunities for improvement.</li>
</ul>
<p>Be more resilient to financial stress and <a style="font-size: 16px; background-color: #ffffff;" href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">contact us</a><span style="font-size: 16px;"> to discuss your recovery planning needs.</span></p>
The post <a href="https://inconsult.com.au/publication/the-recovery-plan-guideline-for-insurers/">The Recovery Plan – A Guideline for Insurers</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Climate Change Risk: APRA’s guidance for institutions</title>
		<link>https://inconsult.com.au/publication/climate-change-risk-apras-guidance-for-institutions/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Thu, 27 May 2021 21:43:42 +0000</pubDate>
				<guid isPermaLink="false">https://ac861nz9.dreamwp.com/?post_type=publication&#038;p=6178</guid>

					<description><![CDATA[<p>Recognising the threats that climate change brings, and the need for greater clarity around regulatory expectations, The Australian Prudential Regulation Authority (APRA) has released, for consultation, a draft prudential practice guide &#8211; Prudential Practice Guide CPG 229 Climate Change Financial Risks (CPG 229). Importantly, CPG 229 does not impose any additional obligations on institutions in [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/climate-change-risk-apras-guidance-for-institutions/">Climate Change Risk: APRA’s guidance for institutions</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>Recognising the threats that climate change brings, and the need for greater clarity around regulatory expectations, The Australian Prudential Regulation Authority (APRA) has released, for consultation, a draft prudential practice guide &#8211; Prudential Practice Guide CPG 229 Climate Change Financial Risks (CPG 229).</p>
<p>Importantly, CPG 229 does not impose any additional obligations on institutions in relation to climate risks. APRA has drafted the guide to assist APRA-regulated institutions to comply with the existing risk management and governance requirements in Prudential Standards CPS 220 Risk Management (CPS 220), SPS 220 Risk Management (SPS 220), CPS 510 Governance (CPS 510) and SPS 510 Governance (SPS 510). It also sets out practices that APRA considers prudent in managing climate change financial risks.</p>
<p>CPG 229’s governance, risk management, scenario analysis and reporting guidance reflects the widely accepted climate-risk disclosure framework developed by the Task Force on Climate-related Financial Disclosures (TCFD) for guiding institutions in the consideration and management of climate risk.</p>
<p>Whilst CPG 229 is only a guideline, APRA considers that prudent institutions should consider the opportunities and the financial risks of climate change in business and strategic decision-making. Institutions, particularly those in the financial, banking and insurance sectors, should be looking at this in the context of the international movement towards mandating climate risk disclosures and Australian legal expectations around how directors discharge their duties when it comes to climate change risks.</p>
<h3>The international context</h3>
<p>Around the world regulators and governments are taking strong action to address the growing threats of climate change including setting emissions targets and making climate risk disclosures mandatory for some entities. The TCFD disclosure framework has gained global recognition and support as the foundational framework for climate risk reporting with many jurisdictions moving to make TCFD-aligned disclosures mandatory. Amongst Australia’s trading partners taking such action are the United Kingdom, New Zealand and Hong Kong.</p>
<p>The New Zealand government is working towards making climate-related disclosures mandatory through introducing an amendment to the Financial Markets Conduct Act 2013 to Parliament. If approved, from 2022 FMC-reporting institutions will need to start making climate-related disclosures.</p>
<p>The UK Treasury has published a strategy towards mandatory climate-related disclosures which will also be aligned to the TCFD recommendations for disclosures (A Roadmap towards mandatory climate related disclosures. November 2020). This proposal for mandatory disclosures quickly follows the expectation set out by the UK in 2019 in the Government’s Green Finance Strategy for listed issuers and large asset owners to make voluntary disclosures. A cross UK Government and regulator Taskforce (the UK Taskforce) determined that the urgency of the climate threat means that a voluntary approach may be insufficient.</p>
<p>Hong Kong’s Green and Sustainable Finance Cross-Agency Steering Group (Steering Group) has developed a Strategic Plan setting out 6 key focus areas for strengthening Hong Kong’s financial system to support a more sustainable future. Among other things, the plan includes making TCFD-aligned climate-related disclosures mandatory across relevant sectors no later than 2025.</p>
<h3>The Australian legal context</h3>
<p>Australian barristers Noel Hutley SC and Sebastian Hartford Davis have recently written a second supplementary memorandum of opinion to their original 2016 legal opinion on climate change and directors’ duties. They conclude that, whereas in 2016 their opinion was based around what directors could and should be doing, in 2019 they observed an exponentially rising risk of liability for directors and now, with the growing regulatory, investor and community pressure, they found the focus was on how directors are discharging their duty.</p>
<p>Hutley and Hartford Davis are of the opinion that, it is no longer safe to assume that directors adequately discharge their duties simply by considering and disclosing climate-related trends and risks. In relevant sectors, directors of listed companies must also take reasonable steps to see that positive action is being taken to identify and manage risks, to design and implement strategies, to select and use appropriate standards, to make accurate assessments and disclosures, and to deliver on their company’s public commitments and targets.</p>
<p>They also found a risk that if companies and directors make inaccurate climate-related statements and disclosures, including flawed climate scenario analysis and “net zero” commitments that are misleading or made without a reasonable basis, they will breach a number of Acts including the Corporations Act 2001, the ASIC Act 2001 and the Australian Consumer Law. To avoid falling foul of these laws, a company and its directors must have a genuine intention, on reasonable grounds, to follow through with reasonable strategic efforts and a commitment to fulfil the intent implied by announced targets.</p>
<h3>What is the purpose of CPG 229?</h3>
<p>CPG 229 was drafted to assist APRA-regulated institutions to develop processes to:</p>
<ol>
<li>Understand the risks and opportunities of climate change and the transition to a low carbon economy;</li>
<li>Ensure investment, lending and underwriting decisions are well-informed; and</li>
<li>Implement proportionate governance, risk management, scenario analysis and disclosure practices in line with the TCFD recommendations.</li>
</ol>
<p>APRA acknowledges that while climate risks can be managed within broader risk management frameworks, because the financial risks associated with climate change can differ from other financial risks a different management strategy may need to be developed to deal with climate risks.</p>
<p>The particularities of climate risks and risk management can include:</p>
<ol>
<li>The uncertainty of future events and the systemic, globally dispersed and long-term nature of climate risks make the identification and quantification of risks, and understanding of the potential impacts on the business, difficult.</li>
<li>Changes which may be irreversible and difficult to mitigate.</li>
<li>The uncertainty of future events, making it necessary to monitor the risks through regularly updated qualitative and quantitative metrics.</li>
<li>The use of scenario analysis to inform the understanding of potential long term risks and opportunities. The unprecedented nature of climate change, means that historical data and backward-looking risk assessment methods are unlikely to adequately anticipate future impacts and as new data is collected, future impacts are revised.</li>
<li>The importance of reporting relevant information to the board and senior management to enable fully informed decision-making and response strategies, and where needed, in making external disclosures of material risks.</li>
</ol>
<h3>What should APRA-regulated institutions be doing to meet CPG 229 recommendations for best practice?</h3>
<h4><strong>GOVERNANCE</strong></h4>
<p>With board oversight, climate change risks should have sufficient standing in the institution and an institution-wide consistent strategic response.</p>
<p>There is a strong emphasis on the Board’s ultimate responsibility and the importance of the directors seeking to understand and regularly assess the financial risks arising from climate change that affect the institution now and in the future. The Board will need to be able to provide evidence that it has appropriate oversight of material risks.</p>
<p>This means having appropriate board training, regular reporting as risks, metrics and data evolve, and processes for monitoring the exercise of climate change risk management functions delegated to senior managers.</p>
<h4><strong>CLIMATE CHANGE RISK MANAGEMENT</strong></h4>
<p>APRA-regulated institutions are guided to take a strategic and risk-based approach to managing climate change risk and there is an emphasis on the need for the Board to understand the interaction between climate risks and their business activities, and the compounding effect climate risks may have on an institution’s other risks.</p>
<p>Although the precise form and extent to which climate risks will materialise cannot be predicted, financial risks certainly will materialise as a result of climate change. The magnitude of the financial impacts of these risks can be managed and mitigated, and opportunities from the transition to a low-carbon economy taken, through understanding the potential risks.</p>
<p><strong>Policies &amp; Procedures</strong></p>
<p>Include steps for considering and managing climate risks in written policies and procedures developed under the institution’s normal risk management framework.</p>
<p><strong>Risk Identification</strong></p>
<p>APRA notes that it is prudent to seek to understand climate risks and how they may affect the business model, including being able to identify material climate risks and assess the potential impact on the institution.</p>
<p>It is recommended that institutions conduct scenario analyses with both short- and long-term time horizons, and record how they determined the materiality of climate risk within each of the risk categories identified in CPS 220 and SPS 220.</p>
<p>An Internal Capital Adequacy Assessment Process (ICAAP) is considered to be an appropriate framework to consider and record the material impact on capital adequacy of climate risks for those institutions required to complete an ICAAP. An institution that is not required to complete an ICAAP may also benefit from adopting a similarly formal approach to recording material exposures and how the assessment of those exposures is considered.</p>
<p><strong>Risk Monitoring</strong></p>
<p>APRA noted that better practice in monitoring climate risks is to combine qualitative and quantitative approaches, using metrics appropriate to the institution’s circumstances, to understand the potential current and future impacts of climate risks on its customers, counterparties and the entities to which it has an exposure.</p>
<p>Regularly update climate risk data and metrics. Consider triggers to initiate a review of strategy or engagement with customers and counterparties. Monitor the impacts that climate risks may have on outsourcing arrangements, service providers, supply chains and business continuity planning.</p>
<p><strong>Risk Management</strong></p>
<p>Where climate risks are identified as material to the institution, include them in risk mitigation and exposure plans. Regularly review and assess the effectiveness of those plans.</p>
<p>APRA expects institutions to work with customers, counterparties and organisations that face higher climate risks, to help improve the risk profile of those entities. If the risks cannot be removed, institutions should look at other ways to mitigate any third-party risks imposed on the APRA-regulated institution.</p>
<p>Consider financial assistance to the stakeholder and if risks remain, limiting exposure to the entity or sector or discontinuing the relationship.</p>
<p><strong>Climate Change Risk Reporting</strong></p>
<p>The Board and senior management need relevant, up-to-date information to make informed decisions. The extent and frequency of reporting will depend on the nature and magnitude of the risk exposure.</p>
<p>Develop and implement procedures to routinely provide relevant information on material climate risk exposures, including monitoring and mitigation actions to the Board and senior management.</p>
<h4><strong>SCENARIO ANALYSIS</strong></h4>
<p>Institutions should use scenario analysis and stress testing capabilities to inform their risk identification in both the short and long term. They can either develop expertise in-house or use third party services. APRA recognises that this is a developing and complex area.</p>
<p>For an APRA-regulated institution required to complete an ICAAP, APRA considers a narrative-driven process to be a useful approach to considering climate risk scenario analysis and stress testing to assess potential risk exposures and available capital resources.</p>
<p>Maintain appropriate documentation of the process and results of climate risk scenario analysis and stress testing. Report material risks to the Board and senior management. Use the outcomes of the scenario analysis and stress testing to inform business planning and strategy development.</p>
<h4><strong>CLIMATE CHANGE DISCLOSURE</strong></h4>
<p>The demand for reliable and timely climate risk disclosure will increase over time, and for institutions with international activities there is a need to be prepared to comply with mandatory climate risk disclosures in other jurisdictions.</p>
<p>The TCFD framework is becoming the standard format for disclosure of climate change risks for consistency in Australia and other jurisdictions.</p>
<h3>Next steps</h3>
<p>What actions should the Board or Senior Officer Outside Australia (for a local Branch) be taking?</p>
<ol>
<li>Include climate risk on the agenda at the Board and sub-committee levels including appropriate training for Board members;</li>
<li>Set clear roles and responsibilities for senior management in the management of climate risks, and hold them accountable for fulfilling these responsibilities;</li>
<li>Regularly re-assess the short and long term climate change risks and ensure these are considered in approving the institution’s strategies and business plans; and</li>
<li>Ensure that the institution’s risk appetite framework incorporates the risk exposure limits and thresholds for the financial risks that the institution is willing to bear from climate change, particularly in respect to climate risks considered to be material.</li>
</ol>
<p>What actions should Senior Management be taking?</p>
<ol>
<li>Assess and manage climate risk exposures using and adapting the existing risk management framework, including developing and implementing appropriate policies;</li>
<li>Review the effectiveness of the framework, policies, tools and metrics on a regular basis and revise as needed;</li>
<li>Make timely recommendations to the Board on the institutional objectives, plans, strategic options and policies as they relate to climate risks that are assessed to be material, including development and use of relevant tools, models and metrics to monitor exposures to climate risks; and</li>
<li>Ensure adequate resources, skills and expertise are allocated to the management of climate risks, including through training, development of senior staff and use of qualified advisers.</li>
</ol>
<p>In developing the above strategies to satisfy CPG 229, the Board and Senior Management need to be able to demonstrate that they had reasonable grounds for making future representations, including of climate risk and mitigation effects, in setting emissions reduction targets and making net zero claims.</p>
<p>To avoid the risk of litigation for misrepresentation, directors and senior management should:</p>
<ol>
<li>Integrate decarbonisation targets into the institution’s operational strategy, rather than relying on outside contingencies and the supply chain decarbonising their operations.</li>
<li>Record the drivers and assumptions that underpin the decarbonisation strategy, paying particular attention to reliance on carbon offset schemes.</li>
<li>Test the assumptions and document the decision-making process.</li>
<li>Detail which type of emissions are included in carbon reductions commitments and zero emissions claims.</li>
<li>Promptly disclose information that indicates the claimed target will not be met or is no longer tenable.</li>
</ol>
<h3>How we can help you on your climate change journey</h3>
<p>We are here to help in a number of ways as your organisation starts, or continues, its climate change risk journey. This can include:</p>
<ul>
<li>Climate-risk awareness and TCFD compliance training.</li>
<li>Facilitated workshops and financial climate change impact assessments to identify and understand the threats that climate change poses to your organisation.</li>
<li>Scenario analyses of the identified threats over the short, medium and long term for a particular asset, activity or area.</li>
<li>A roadmap to enhance the organisation’s climate change risk management strategy.</li>
<li>Reviews to ensure regulatory disclosures are robust and relevant.</li>
</ul>
<p>How far do you want to go to minimise the impact of climate change on your business? Be more resilient and <a style="font-size: 16px; background-color: #ffffff;" href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">contact us</a><span style="font-size: 16px;"> to discuss your needs.</span></p>
<div class='printomatic pom-default ' id='id7667'  data-print_target='body'></div>The post <a href="https://inconsult.com.au/publication/climate-change-risk-apras-guidance-for-institutions/">Climate Change Risk: APRA’s guidance for institutions</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Climate Risk Guide for Directors</title>
		<link>https://inconsult.com.au/publication/climate-risk-guide-for-directors/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Fri, 05 Mar 2021 03:24:46 +0000</pubDate>
				<guid isPermaLink="false">https://ac861nz9.dreamwp.com/?post_type=publication&#038;p=5780</guid>

					<description><![CDATA[<p>The climate is changing at the fastest rate in history with severe consequences for earth’s inhabitants. The changing climate impacts the quality of our lives and the financial wellbeing of many entities. Climate change directly and indirectly impacts economic outcomes, such as agricultural output, critical economic resources, infrastructure, manufacturing, energy production, transport, supply chain and [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/climate-risk-guide-for-directors/">Climate Risk Guide for Directors</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>The climate is changing at the fastest rate in history with severe consequences for earth’s inhabitants. The changing climate impacts the quality of our lives and the financial wellbeing of many entities. Climate change directly and indirectly impacts economic outcomes, such as agricultural output, critical economic resources, infrastructure, manufacturing, energy production, transport, supply chain and other services, as well as wider human and animal welfare.</p>
<p>As a company director, you have a duty of care and diligence under section 180 of the Corporations Act 2001 and under the common law. Organisations are increasingly focusing on the impact of climate change and environmental issues on current and future corporate performance. The Board, CEO and leaders have started to realise that climate risks and opportunities are not abstract concepts, but are essential for creating a sustainable business model that delivers long-term value.</p>
<p>This guide aims to help directors understand their climate risk responsibilities, ask questions and take steps in the right direction. The guide includes:</p>
<ul>
<li>a valuable checklist that directors can use to evaluate their climate risk posture.</li>
<li>a summary of the legal and regulatory climate reporting and disclosure requirements.</li>
<li>typical climate risk assessment challenges that are often experienced.</li>
</ul>
<h3>What&#8217;s inside the Climate Risk Guide</h3>
<ul>
<li>The Consequences for Breaching Directors’ Duties.</li>
<li>The Regulatory Landscape and Climate Change.</li>
<li>Recognising and Managing Climate Risks and Opportunities.</li>
<li>Disclosing Climate Related Risks.</li>
<li>Beware the Challenges Ahead.</li>
<li>The Board’s Climate Risk Checklist</li>
</ul>
<h3>Download today</h3>
<p>Our Climate Risk Guide is complimentary; download your copy.</p>
<h3><a href="https://inconsult.com.au/wp-content/uploads/2021/01/Climate-Risk-What-the-Board-of-Directors-Need-to-Know-vFinal.pdf" target="_blank" rel="noopener"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-5785" src="https://inconsult.com.au/wp-content/uploads/2021/03/get-the-guide.jpg" alt="" width="160" height="42" /></a></h3>
<h3>How we can help you manage climate risk</h3>
<p>We are here to help you on your climate change risk journey. Our services include:</p>
<ul>
<li>Climate-risk awareness and TCFD compliance training.</li>
<li>Facilitated workshops and financial climate change impact assessments to identify and understand the threats that climate change poses to your organisation.</li>
<li>Scenario analyses of the identified threats over the short, medium and long term for a particular asset, activity or area.</li>
<li>A roadmap to enhance the organisation’s climate change risk management strategy.</li>
<li>Reviews to ensure regulatory disclosures are robust and relevant.</li>
</ul>
<p>How far do you want to go to minimise the impact of climate change on your business? Be more resilient and <a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener">contact us</a> to discuss your needs.</p>
<div class='printomatic pom-default ' id='id7002'  data-print_target='body'></div>The post <a href="https://inconsult.com.au/publication/climate-risk-guide-for-directors/">Climate Risk Guide for Directors</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Achieving Cyber Resilience: A New Framework</title>
		<link>https://inconsult.com.au/publication/achieving-cyber-resilience/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Sun, 28 Feb 2021 21:17:49 +0000</pubDate>
				<guid isPermaLink="false">https://ac861nz9.dreamwp.com/?post_type=publication&#038;p=5700</guid>

					<description><![CDATA[<p>With more people working from home in response to the pandemic, a shift to a decentralised hybrid workforce model, 5G network expansion, more connected devices, a growing trend towards Bring Your Own Device (BYOD), greater frequency and sophistication of ransomware attacks and greater dependency on third parties, cyber resilience (not just cyber security) has never [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/achieving-cyber-resilience/">Achieving Cyber Resilience: A New Framework</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>With more people working from home in response to the pandemic, a shift to a decentralised hybrid workforce model, 5G network expansion, more connected devices, a growing trend towards Bring Your Own Device (BYOD), greater frequency and sophistication of ransomware attacks and greater dependency on third parties, cyber resilience (not just cyber security) has never been more important.</p>
<p>What does cyber resilience really mean? How is it different to cyber security? What are the essential elements of cyber resilience?  At InConsult, we help build more resilient organisations. So in this publication, we take a deep dive into the topic of cyber resilience.</p>
<h3>What is cyber resilience?</h3>
<p>The US National Institute of Standards and Technology (NIST) defines cyber resilience as &#8220;the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that include cyber resources.&#8221;</p>
<p>At its core, cyber resilience is the ability to anticipate, prepare for, respond to and recover from cyber attacks or disruptions affecting information technology. It acknowledges that cyber security on its own is not enough. Cyber resilience is built on the premise that disruptions, attacks and incidents are bound to occur, and that services should remain available even while affected by adverse cyber events. So, while it would be great to prevent them, organisations should take time to plan how they will detect, respond to and successfully recover from them.</p>
<p>Cyber security is a sub-set of cyber resilience that focusses on preventing cyber attacks and incidents. It consists of technologies, processes and measures that are designed to protect systems, networks and data from cyber attacks. It’s proactive and aims to significantly reduce the likelihood and impact of bad things from ever happening in the first place.</p>
<p>Attackers are constantly looking for weak points to exploit opportunistically. These weaknesses are not always gaps in technical security controls; they can be weaknesses in human psychology or simple human error. In fact, according to Gartner, system misconfigurations accounted for over 75% of breaches. In another study, 40% of breaches were attributed to human error. So it is reasonable to assume that misconfigurations, human errors and disruptions will occur, that attackers will eventually gain access to your network, systems and data, and that you should therefore always prepare for the worst.</p>
<p>Accepting that a cyber attack will occur does not mean you are giving in to hackers. It does not mean you should be complacent about your cyber security.  It simply means you are prepared and ready.</p>
<h3>What are the benefits of cyber resilience?</h3>
<p>As a result of developing a robust cyber resilience framework, organisations will have in place layers and layers of internal controls, across all information systems, at different levels in an organisation and at different stages of preparedness.  Done well, an effective cyber resilience framework delivers many benefits:</p>
<ul>
<li>Improves overall cyber risk governance and culture</li>
<li>Proactively anticipates the types of cyber risks</li>
<li>Strengthens internal systems, plans and processes to prevent, detect and recover from a cyber attack</li>
<li>Enhances existing controls through continual review and improvement</li>
<li>Enhances compliance to regulatory requirements</li>
<li>Reduces financial costs and productivity losses</li>
<li>Protects the organisation&#8217;s brand and reputation</li>
</ul>
<h3>What are the key elements of cyber resilience?</h3>
<p>After an in-depth literature review of several cyber resilience frameworks, and drawing on our own experience working with a range of clients, we have proposed a cyber resilience framework containing 6 essential elements.</p>
<p>No framework will ever be perfect or be suitable to every organisation.  However, our cyber resilience framework has a number of subtle differences from the current frameworks we observed such as:</p>
<ul>
<li>Governance is the first step and forms the foundations of cyber resilience.  Governance exists across all elements of the framework.</li>
<li>We separate resilience into 2 states &#8211; (1) pre incident state and (2) post incident state.</li>
<li>We include &#8216;refine&#8217; as a centrepiece of the framework to ensure continuous improvement is considered before and after an incident.</li>
</ul>
<p><img loading="lazy" decoding="async" class="size-full wp-image-5702 aligncenter" src="https://inconsult.com.au/wp-content/uploads/2021/02/cyber-resilience-framework-inconsult.jpg" alt="" width="1081" height="643" srcset="https://inconsult.com.au/wp-content/uploads/2021/02/cyber-resilience-framework-inconsult.jpg 1081w, https://inconsult.com.au/wp-content/uploads/2021/02/cyber-resilience-framework-inconsult-300x178.jpg 300w, https://inconsult.com.au/wp-content/uploads/2021/02/cyber-resilience-framework-inconsult-768x457.jpg 768w" sizes="(max-width: 1081px) 100vw, 1081px" /></p>
<h3>1. Governance</h3>
<p>Achieving cyber resilience is unlikely to happen unless there is a formal and proactive governance framework in place that outlines the organisation&#8217;s intent, commitment, practices, plans and responsibilities for achieving cyber resilience.  The level of governance will vary depending on the size, complexity and nature of each organisation.</p>
<p>The cyber resilience framework can be stand-alone or be part of a broader resilience framework.  Whatever you choose, it should be aligned to the overall governance and risk management framework of the organisation.  This means documented strategies, principles, policies, rules and procedures are in line with the overall governance framework as well as the organisation&#8217;s IT Strategy.</p>
<h4>The board</h4>
<p>Cyber resilience must be a primary focus of the board (or governing body) and senior management. They must provide leadership and commitment to help define the organisation&#8217;s culture.  It is not something that can be left solely to the Chief Information Officer, security team or incident response team.</p>
<p>Boards should take ownership of cyber resilience oversight and ensure key policies and written directions are reviewed on a periodic basis. The board should also support and participate in key cyber risk management decisions, and receive regular updates on security issues, risks and overall compliance.</p>
<h4>Accountability</h4>
<p>Roles and responsibilities within the framework should be well defined. At minimum, roles and responsibilities should be defined across the three lines e.g. the board and committees, senior management, risk management and internal and external audit.</p>
<p>It is important to also identify the key stakeholders within the cyber resilience framework to ensure their needs are addressed. Stakeholders will be internal and external &#8211; including vendors, security analysts and threat intelligence agencies.</p>
<h4>Continual improvement</h4>
<p>A process for monitoring, reviewing, exercising and continually improving the resilience framework should also be in place.  This can include well-known improvement practices such as PDCA (Plan-Do-Check-Act) or ITIL’s Continual Service Improvement.</p>
<h3>2. Identify</h3>
<p>Once the base line governance structures are in place, the next step is to anticipate and recognise the range of possible cyber risks, their causes and consequences.  This step is about better understanding your organisation&#8217;s environment and cyber risk posture.</p>
<h4>Risk assessment</h4>
<p>A formal cyber risk assessment is used to identify, analyse, evaluate and prioritise risk arising from the operation and use of information systems and networks, including key vendors across the supply chain.  The risk assessment should:</p>
<ul>
<li>Consider the information assets and owners.</li>
<li>Consider the value of information.  If boards and senior management understand the value of their data to those with malicious intent, if they know where that data is, how it is protected, and who has access to it (including external sub-contractors), then they are in a stronger position to implement a cyber resilient business model.</li>
<li>Identify and prioritise information assets e.g. hardware, software, data and processes.</li>
<li>Identify the compliance obligations across the legal jurisdictions you operate in.</li>
<li>Identify cyber risks and sources e.g. unauthorised access, service disruption, human error.</li>
<li>Identify and evaluate the many layers of controls that currently exist and the effectiveness of their assurance.</li>
<li>Determine the level of risk that remains after the controls are considered.</li>
<li>Prioritise risks and develop additional risk treatments as required.</li>
</ul>
<h4>Risk identification</h4>
<p>There are many ways to identify cyber risks.  Typically, organisations use several methods including:</p>
<ul>
<li>Brainstorming</li>
<li>Focus groups</li>
<li>Experience and knowledge</li>
<li>Scenario analysis</li>
<li>Incident analysis</li>
<li>Data analytics</li>
<li>Penetration test results</li>
<li>External security experts</li>
<li>Industry experts</li>
</ul>
<p>The risk assessment process should follow good practice standards such as <a href="https://www.iso.org/standard/65694.html" target="_blank" rel="noopener">ISO 31000 Risk management – Guidelines</a> or The Committee of Sponsoring Organizations of the Treadway Commission (COSO) guides which address how companies can use ERM Frameworks to assess cyber risks.</p>
<p>Identification of the risks is not a one-off activity. Since attackers are continually finding new ways of penetrating systems and evading detection, it is critical that risks and controls are evaluated regularly.</p>
<h3>3. Protect</h3>
<p>Now that the risks are known, this element is about implementing the right controls (policies, procedures, plans, activities) to either prevent or mitigate the impact of a cyber risk.</p>
<p>What are we protecting?  What are we trying to achieve? At this point, let&#8217;s look at the Cyber Security CIA Triad.</p>
<h4>Confidentiality, integrity and availability</h4>
<p>The CIA Triad is a security model that aims to help people think about the various elements of IT security. It comprises three elements:</p>
<ul>
<li>Confidentiality &#8211; the set of rules that restricts access to information to the right people</li>
<li>Integrity &#8211; ensures the information is trustworthy and accurate</li>
<li>Availability &#8211; a guarantee that the information is readily available to authorised people when needed</li>
</ul>
<p>These three elements of the CIA Triad security model are considered the most important concepts within information security.</p>
<h4>Types of controls</h4>
<p>To protect the organisation, layers, and layers, and layers of rigorous controls are needed. Why? In the event one layer fails, there are other layers that work to reduce the cyber risks. In fact, good cyber security will require a wide range of controls that work in different ways and at different points.  Controls will have different characteristics such as:</p>
<ul>
<li>Preventative controls e.g. passwords or passphrases</li>
<li>Detective controls e.g. intrusion detection systems</li>
<li>Corrective controls e.g. data back up and recovery</li>
<li>Hard controls e.g. user access logs</li>
<li>Soft controls e.g. policies, training</li>
</ul>
<h4>Layers of controls</h4>
<p>Now that we know the characteristics of internal controls, here are some examples of controls that help protect from cyber risks:</p>
<ul>
<li>Information and security policies covering data, computers and devices, emails and internet sites</li>
<li>Physical and environmental security</li>
<li>Network and communications security</li>
<li>Network segmentation and segregation procedures</li>
<li>Data encryption at rest and in transit</li>
<li>Patch management</li>
<li>Configuration and change management</li>
<li>Application controls</li>
<li>User application hardening</li>
<li>Enforce strong password policy</li>
<li>Use passphrases instead of passwords to protect highly sensitive data</li>
<li>Systems security</li>
<li>Email and web content filtering</li>
<li>TLS encryption between email servers</li>
<li>Asset classification and management</li>
<li>Endpoint security &amp; intrusion detection</li>
<li>Identity and user access control</li>
<li>Email spoofing policies (e.g. DMARC)</li>
<li>Multi-factor authentication</li>
<li>Review and secure administrative privileges</li>
<li>Security team competence and regular training</li>
<li>Redundancy and backup systems of data and applications</li>
<li>Decommissioning of systems no longer needed</li>
<li>Crisis management team exercises</li>
<li>Cyber security staff awareness training</li>
<li>Conduct of email phishing simulations</li>
<li>Vendor risk assessment and formal risk management</li>
<li>Formal incident response and recovery plans</li>
<li>Cyber liability insurance</li>
</ul>
<p>The bottom line is, every layer counts and every layer is important.</p>
<h4>Control monitoring</h4>
<p>Final warning! Just because you have layers of controls to protect the organisation does not mean you can stop thinking about cyber risks.  Effective cyber resilience requires continuous monitoring, review and investment in upgrading and refining of these protective systems as a normal part of business.  An appropriate budget is therefore critical.</p>
<h3>4. Detect &amp; Refine</h3>
<p>Having effective controls to protect against cyber risks is only part of the solution.  Ongoing, active and continual monitoring of the wider network and information systems to detect and escalate issues and potential cyber security incidents quickly is a key element of cyber resilience.</p>
<h4>Early warning systems</h4>
<p>Organisation-wide continuous monitoring and incident detection, typically built on Intrusion Detection Systems and Security Information and Event Management (SIEM) technologies, watches the organisation&#8217;s networks and systems for signs of an incident. These tools detect and alert management to anomalies, including unusual user behaviour and abnormal changes in information across the network, measured against a baseline reference of ‘normal’ activity.</p>
<p>It is good practice to have automated dynamic analysis of email and web content that blocks suspicious behaviour when identified.</p>
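<p>The baseline-versus-current comparison described above is easier to reason about with a concrete detection rule. The Python below is an added example, not code from the original post or a specific SIEM product: it counts failed SSH logins per source address in one time window, derives an alert threshold from a baseline of previous windows (mean plus three standard deviations, with a floor so a perfectly flat baseline does not alert on a single extra failure), and flags the sources above it. The log lines, host name, addresses and baseline counts are all constructed for illustration.</p>

```python
"""Detect password-guessing bursts against a baseline of normal failed logins.

Added example, not from the original post. The log lines and the baseline
counts are constructed for illustration; a SIEM would supply both from
real data.
"""
import re
import statistics
from collections import Counter

# Constructed sshd log lines for one five-minute window (syslog format).
LOG_LINES = """\
Feb 28 09:00:01 bastion sshd[2111]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Feb 28 09:00:02 bastion sshd[2112]: Failed password for invalid user oracle from 203.0.113.7 port 51130 ssh2
Feb 28 09:00:04 bastion sshd[2113]: Failed password for root from 203.0.113.7 port 51141 ssh2
Feb 28 09:00:05 bastion sshd[2114]: Failed password for invalid user test from 203.0.113.7 port 51150 ssh2
Feb 28 09:00:07 bastion sshd[2115]: Failed password for invalid user ubuntu from 203.0.113.7 port 51162 ssh2
Feb 28 09:00:08 bastion sshd[2116]: Failed password for invalid user git from 203.0.113.7 port 51170 ssh2
Feb 28 09:03:10 bastion sshd[2140]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
Feb 28 09:04:44 bastion sshd[2151]: Failed password for bob from 192.0.2.25 port 40500 ssh2
""".splitlines()

# Constructed baseline: failed logins per source address per five-minute
# window, sampled from previous days of "normal" activity.
BASELINE_FAILURES_PER_WINDOW = [0, 1, 0, 2, 1, 0, 1, 1, 0, 2, 1, 0]

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def count_failures(lines):
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in lines:
        match = FAILED_RE.search(line)
        if match:
            counts[match.group("ip")] += 1
    return counts


def threshold(baseline, k=3.0, min_excess=2):
    """Alert level: mean + k standard deviations, but never less than
    mean + min_excess, so a flat baseline does not alert on one extra failure."""
    mean = statistics.mean(baseline)
    stdev = statistics.pstdev(baseline)
    return max(mean + k * stdev, mean + min_excess)


def detect_bruteforce(lines, baseline, k=3.0):
    """Return {source_ip: failures} for sources above the baseline threshold."""
    limit = threshold(baseline, k)
    return {ip: n for ip, n in count_failures(lines).items() if n > limit}


if __name__ == "__main__":
    limit = threshold(BASELINE_FAILURES_PER_WINDOW)
    for ip, n in detect_bruteforce(LOG_LINES, BASELINE_FAILURES_PER_WINDOW).items():
        print(f"ALERT {ip}: {n} failed logins in window (baseline limit {limit:.2f})")
```

<p>On the constructed window the baseline gives a limit of roughly 2.9 failures, so the source with six failed attempts across several usernames is flagged while the single failure from a legitimate user is not. The floor in <code>threshold</code> is the edge case worth keeping: with a baseline that never varies, mean plus any multiple of a zero standard deviation would alert on the first stray typo.</p>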
<h4>Penetration testing</h4>
<p>Using information security specialists to attempt to break into an organisation’s networks e.g. penetration testing, engaging ethical &#8216;white hat&#8217; hackers or &#8216;red teaming&#8217; also helps to detect weaknesses.</p>
<h4>Vendor monitoring</h4>
<p>Don&#8217;t forget about your vendors!  Vendor monitoring tools are becoming increasingly important to detect breaches as they are reported.</p>
<p>Stay up to date with the latest cyber scams and security risks by subscribing to cyber security newsletters and other news sources.</p>
<h4>Audit and assurance</h4>
<p>Internal Audit can also add value at a technical and non-technical level.  Some audit departments have strong IT audit and Artificial Intelligence capabilities to interrogate data and security logs.  Internal auditors are also excellent at identifying gaps in processes, control design weaknesses and unmanaged risks.</p>
<h4>Keep your finger on the pulse</h4>
<p>Stay on top of the latest developments in cyber security by joining professional associations, subscribing to newsletters from different sources and following thought leaders on social media.</p>
<h4>Exercise your plans</h4>
<p>World champion boxer, Mike Tyson once said “everyone has a plan until they get punched in the mouth”. What he was saying is basically &#8211; plans are useful until you have to put them into action in the real world.  That is why regular exercising of the various response plans is important.</p>
<h4>Refine</h4>
<p>Adaptability is important.  Once vulnerabilities have been detected after a penetration test, audit or exercise or after a cyber incident has been resolved, refinements need to be made to better protect the information assets and systems.</p>
<h3>5. Respond</h3>
<p>If a cyber incident is detected&#8230;the time starts ticking instantly.  Depending on the type of cyber attack, the sooner you start the response, the less impact the attack is likely to have and the better the chance of a successful recovery.</p>
<p>A prompt response will help an organisation to continue to operate and get back to business as usual as quickly and efficiently as possible after a cyber attack or major disruption.</p>
<h4>Incident response plan</h4>
<p>In order to respond quickly, a well documented, rehearsed and tested Incident Response Plan is critical. Remember, the worst time to develop a response plan is during an actual incident, so good planning and preparation is good practice.</p>
<p>Other sub-plans may also assist in the response to a cyber incident e.g. Crisis Management Plan, Communication Plan.</p>
<p>The Incident Response Plan should be executed by a capable Incident Response Team with clearly defined roles and responsibilities.  The Incident Response Plan should:</p>
<ul>
<li>Cover a range of cyber incidents</li>
<li>List specific activities</li>
<li>Define roles and responsibilities</li>
<li>Establish invocation and escalation protocols</li>
<li>List key contacts</li>
<li>Outline communication protocols</li>
<li>Be aligned to the organisation Crisis Plan and Business Continuity Plan</li>
</ul>
<p>As part of the response, organisations should notify their insurer, anti-virus provider, cyber security experts and/or other cyber security service providers so that they can help contain the incident and prevent further spread. Timely reporting also helps those providers develop and deliver new countermeasures against similar intrusions in the future.</p>
<p>For some organisations, depending on the size, industry and geographic location, it is mandatory to report information security breaches to stakeholders impacted and/or a regulator.</p>
<h4>Event log</h4>
<p>During the response, it is important to keep an event log, copy of all emails, copy of communications and situation reports in a single folder to help you in the next stage &#8211; the lessons learned.</p>
<h3>6. Recover</h3>
<p>This final phase aims to restore data and services to their pre-incident state after a cyber attack or disruption.</p>
<p>Ideally, the organisation will have a number of pre-existing and pre-tested recovery sub-plans that are clear and thorough enough to execute an effective recovery. These recovery sub-plans typically include:</p>
<ul>
<li>IT Disaster Recovery Plan</li>
<li>Elements of the Business Continuity Plan</li>
<li>Crisis Management Plan</li>
<li>Communication Plan</li>
</ul>
<h4>Lessons learned</h4>
<p>Once the recovery is complete, a lessons learned debrief should be scheduled to identify what went well and what can be done differently so that elements of the cyber resilience framework are refined and enhanced.</p>
<p>The lessons learned report should document exactly what happened, what impact it had and what actions you took for future reference and potentially claiming on any cyber insurance policy.</p>
<p>The actions from the lessons learned will be used to further refine your cyber security controls.</p>
<h4>Antifragile</h4>
<p>Our final thought. Author of the popular 2007 book <a href="https://www.amazon.com/Black-Swan-Impact-Highly-Improbable/dp/0141034599" target="_blank" rel="noopener">The Black Swan: The Impact of the Highly Improbable</a> Nassim Nicholas Taleb wrote another book in 2012 called <a href="https://www.amazon.com/Antifragile-Things-That-Disorder-Incerto/dp/0812979680/" target="_blank" rel="noopener">Antifragile: Things That Gain from Disorder</a>.  This is a great book about &#8220;resilience plus&#8221;.  The key theme of this book is that unlike fragile systems, which break when put under stress, antifragile systems actually benefit from volatility and shock. Shocks and stressors strengthen antifragile systems by forcing them to build up extra capacity. Antifragile systems don&#8217;t bounce back to normal, but better and stronger.</p>
<p>Cyber security is excellent defence, but cyber resilience is a much broader concept. When you&#8217;re developing your cyber resilience framework, ask yourself how can you recover faster, stronger and better as an organisation.</p>
<h3>Are you cyber resilient and ready?</h3>
<p>Information assets are valuable and information technology is at the heart of all successful organisations. As clients and customers grow more and more accustomed to sharing highly sensitive personal information online, effective systems to govern, manage, detect, respond and recover from cyber risks are more important than ever.</p>
<p>It is now widely accepted that it’s no longer a matter of ‘if’ but ‘when’ an organisation will suffer a cyber attack or major disruption. Cyber resilience provides an organisation with an opportunity to look at and manage cyber risks from the top down and across different elements.</p>
<h3>How we can help you achieve cyber resilience</h3>
<p>Now is the time to move beyond cyber security to cyber resilience. InConsult is committed to helping organisations manage cyber risks and opportunities.  We have extensive experience in audit and assurance, risk management, cyber risk management, climate risk, crisis management, business continuity, third party risk assessment, emergency management, disaster management and pandemic planning.</p>
<p>If you would like support in becoming a more cyber resilient organisation, <a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">contact us</a> to discuss your needs.</p>
<div class='printomatic pom-default ' id='id7487'  data-print_target='body'></div>The post <a href="https://inconsult.com.au/publication/achieving-cyber-resilience/">Achieving Cyber Resilience: A New Framework</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
