The Australian Prudential Regulation Authority (APRA) has kicked off the consultation process on a new prudential standard – CPS 230 – designed to strengthen operational risk management.
The standard introduces new operational risk management requirements and consolidates and improves existing requirements around third-party risk management, outsourcing, and business continuity.
CPS 230 will be a new cross-industry prudential standard for all APRA-regulated institutions, including banks, insurers (general, life, and health), and registrable superannuation entity licensees.
It will replace 5 current prudential standards – CPS/SPS/HPS 231 and CPS/SPS 232.
The new standard is scheduled to come into force from 1 January 2024 and the consultation package is available on the APRA website at Operational risk management.
Operational Risk & Resilience
Operational resilience is crucial to financial institution stability. With a growing number of risks and incidents around supply chain interruptions, cybersecurity, and geopolitical and economic instability, the concerns for APRA has increased in recent years.
APRA recognises that disruptions to financial services – even temporarily – can have a major detrimental impact on the community, depositors, policyholders, beneficiaries or other customers.
Draft CPS 230 establishes new and expanded standards to bolster operational resilience and improve how entities manage their operational risks.
By strengthening how entities identify, manage and respond to operational risk events, APRA is aiming to enhance operational and financial resilience, and in turn financial stability.
CPS 230 Key Requirements
At the heart of the proposed new standard are core requirements for APRA-regulated entities to:
- identify, assess and manage operational risks, with effective internal controls, monitoring and remediation.
- be able to continue to deliver critical operations within tolerance levels through severe disruptions, with a credible business continuity plan (BCP).
- effectively manage the risks associated with service providers, with a comprehensive service provider management policy, formal agreements and robust monitoring.
Operational Risk Management
Looking at the details, APRA has strengthened and reinforced important operational risk controls. For example, an APRA-regulated entity will need to:
- maintain a comprehensive assessment of its operational risk profile.
- manage its full range of operational risks, including but not limited to legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk, reputational risk and change management risk.
- maintain appropriate and sound information and information technology (IT) infrastructure to meet its current and projected business requirements and to support its critical operations and risk management.
- assess the impact of its business and strategic decisions on its operational risk profile and operational resilience, as part of its business and strategic planning processes.
- conduct a comprehensive risk assessment before providing a material service to another party to ensure that it is able to continue to meet its prudential obligations after entering into the arrangement.
- design, implement and embed internal controls to mitigate its operational risks in line with its risk appetite and meet its compliance obligations.
- monitor, review and test controls for design and operating effectiveness, the frequency of which must be commensurate with the materiality of the risks being controlled.
- remediate material weaknesses in its operational risk management, including control gaps, weaknesses and failures.
- ensure that operational risk incidents and near misses are identified, escalated, recorded and addressed in a timely manner.
- notify APRA as soon as possible, and not later than 72 hours, after becoming aware of an operational risk incident that can have a material financial impact or a material impact on critical operations.
Business Continuity
The requirements around business continuity has also been strengthened. In short, an APRA-regulated entity will need to:
- have a comprehensive understanding of its critical operations and define, identify and maintain a register of its critical operations.
- implement controls to minimise the likelihood and impact of disruptions to its critical operations.
- maintain a credible Business Continuity Plan (BCP) that sets out how it would maintain its critical operations within tolerance levels through disruptions, including disaster recovery planning for critical information assets.
Material Service Providers
An APRA-regulated entity must also maintain a comprehensive service provider management policy that sets out how it will identify material service providers and manage the arrangements with such providers, including the management of material risks associated with the arrangement. Material service providers are those the entity relies to undertake a critical operation or that expose it to material operational risk. They include the following services:
- risk management
- core technology services
- Critical or sensitive information asset providers
- internal audit
- credit assessment
- funding and liquidity management
- mortgage brokerage
- underwriting
- claims management
- insurance brokerage
- reinsurance
- fund administration
- custodial services
- investment management
- arrangements with promoters and financial planners
An APRA-regulated entity must maintain a formal legally binding agreement with material service providers and submit its register of material service providers to APRA on an annual basis.
Critical Operations
So what is a critical operation? APRA defines critical operations as the processes undertaken by the entity or its service provider which, if disrupted beyond tolerance levels, would have a material adverse impact on its depositors, policyholders, beneficiaries or other customers, or its role in the financial system. Examples include:
- payments
- deposit-taking and management
- custody
- settlements
- clearing
- claims processing
- investment management
- fund administration
- customer enquiries
- systems and infrastructure that support critical operations
Tolerance Levels
The proposed standard requires an APRA-regulated entity’s Board to approve tolerance levels for each critical operation. The tolerance levels include:
- the maximum period of time the entity would tolerate a disruption to the operation.
- the maximum extent of data loss the entity would accept as a result of a disruption.
- the minimum service levels the entity would maintain while operating under alternative arrangements during a disruption.
Responsibilities
The Board will be ultimately accountable for the oversight of an APRA-regulated entity’s operational risk management, including business continuity and the management of service provider arrangements. The Board must also approve tolerance levels.
Senior management of an APRA-regulated entity will need to provide clear and comprehensive information to the Board on the expected impacts on the entity’s critical operations when the Board is making decisions that could affect the resilience of critical operations.
Operational Risk Weakness
Operational risks will be subject to regular review and where APRA considers an entity’s operational risk management has material weaknesses, APRA can:
- require an independent review of the entity’s operational risk management
- mandate the entity to develop a remediation program
- require the entity to hold additional capital, as relevant
- impose conditions on the entity’s licence
- take other actions required in the supervision of this Prudential Standard
Next Steps
Although the new standard will not come into force until January 2024, APRA-regulated entities should understand the requirements of the standard and the implications on its risk management framework.
The new standard has strong links to other prudential standards and will also require alignment of the various risk categories and risk and resilience frameworks. The standard will require that operational risk management be integrated into:
- strategic planning
- the risk management framework and processes
- outsourcing/ third party/vendor risk management process
- contract management processes
- business continuity management
- business impact analysis
- disaster recovery & cyber security
- financial contingency planning
- incident & issues management
- board and management oversight
- line 1 monitoring assurance
- internal audit assurance
Need more guidance? Read about our 6 pillars of resilience and how to become a more resilient organisation.
Can We Help?
The InConsult team has a deep understanding of insurance and the APRA prudential standards. Since the implementation of the revised APRA Prudential Framework in 2001, we have helped APRA-regulated clients navigate through the myriad of regulatory compliance requirements. We can assist in the review, redesign and uplift of internal policies, procedures, frameworks and training initiatives.
If you have any questions, or would like to know how we can help, contact us to discuss your needs.