Operational Resilience: APRA’s CPS 230 key areas of focus

APRA has released draft Prudential Standard CPS 230 Operational Risk Management for comment. The comment period is open until 12 October 2022, with the standard due to be effective from 1 January 2024.
In our series of technical articles designed to provide guidance to support your implementation of CPS 230, we provide an overview of the key points of focus along with some insights from other jurisdictions where similar requirements are in place.

Key areas of focus

CPS 230 will replace CPS 231: Outsourcing and CPS 232: Business Continuity, and the sector-specific standards HPS 231, SPS 231 and SPS 232.

In consolidating requirements relating to operational risk management, business continuity planning and third-party service providers, CPS 230 establishes APRA’s expectations regarding operational resilience – defined as: “the ability to effectively manage and control operational risk and maintain critical operations through disruption”.

Key points of focus include:

  • A requirement to strengthen operational risk management – this will require entities to prioritise process and control mapping, profiling of operational risks, and control assurance programs.
  • Expanding BCP obligations from a focus on physical resources to digital assets and third parties.
  • Acknowledgement that third-party service providers are an integral and established component of business models and service delivery.
  • Focusing the Board on the importance of operational resilience by requiring it to set tolerance levels for disruptions to critical operations. Although similar in concept, this differs from risk appetite in that the risks have crystallised.
  • Setting out the actions that APRA may take should it consider that an entity’s operational risk management is deficient. We have already seen APRA impose requirements to undertake an independent review and develop a remediation program with quite prescriptive requirements.

What is operational resilience?

Operational risk management analyses and defines risks associated with people, processes, and systems.

Operational resilience defines the approach to managing those operational risks.

Operational resilience is the outcome of an effective operational risk management process, and it requires entities to take a much more holistic approach to operational risk.

Effective operational resilience enhances an organisation’s ability to withstand, adapt to, and recover from an operational-risk-related event. As such, the foundation is effective management of operational risk to identify, prevent and manage operational risk events.

In CPS 230, APRA is requiring regulated entities to review their operational risk management from the perspective of their key services, focusing on the degree to which disruption of these services can cause financial harm and customer detriment.

Technology is a critical component – it is core to the delivery of services, yet exposes entities to significant vulnerabilities that can be easily exploited by cyber threats. The COVID-19 pandemic also exposed other vulnerabilities, such as an inability to access third-party service providers. There are therefore strong linkages between the requirements of CPS 230 and CPS 234: Information Security.

Why is APRA focusing on operational resilience?

Operational resilience aligns with APRA’s focus on “protected today, prepared for tomorrow”, which also aligns with other global prudential regulators in prioritising operational resilience.

In March 2021, the Bank for International Settlements released its Principles of Operational Resilience. These principles aim to “strengthen (banks’) ability to withstand operational-risk-related events that can cause significant operational failures or wide-scale disruptions in financial markets”. These principles form the foundation of the requirements within CPS 230.

There are seven principles:

  1. Governance: Establish, oversee and implement an effective operational resilience approach that enables an entity to respond and adapt to, as well as recover and learn from, disruptive events to minimise their impact on delivering critical operations through disruption.
  2. Operational risk management: Leverage operational risk management frameworks to identify external and internal threats and potential failures in people, processes, and systems on an ongoing basis, promptly assess the vulnerabilities of critical operations and manage the resulting risks.
  3. BCP planning and testing: Business continuity plans should be in place and tested using a range of severe but plausible scenarios to assess the ability to deliver critical operations through disruption.
  4. Mapping interconnections and dependencies: Identify critical operations and map the internal and external interconnections and interdependencies that are necessary for the delivery of critical operations consistent with its approach to operational resilience.
  5. Third-party dependency management: Manage dependencies on relationships, including but not limited to those of third parties or intragroup entities, for the delivery of critical operations.
  6. Incident management: Develop, implement, and continuously improve response and recovery plans to manage incidents that could disrupt the delivery of critical operations in line with risk appetite and tolerance for disruption.
  7. ICT including cyber security: Ensure resilient ICT including cyber security that is subject to protection, detection, response and recovery programmes that are regularly tested, incorporate appropriate situational awareness and convey relevant timely information for risk management and decision-making processes to fully support and facilitate the delivery of critical operations.

What do Boards and Management need to be thinking about?

A sound Operational Risk Management Framework is essential – one that doesn’t just take account of services delivered directly by the entity but also those delivered by a third party.

Operational resilience means that regulated entities must think about operational risk management in a different way – what must go right as well as what could go wrong.

Entities will need to dedicate resources to implement CPS 230 successfully, and Board and Management will need to focus on determining tolerance levels. Rethinking some basic assumptions means reconsidering some strategic elements of the business, reworking some processes, and re-assessing the impact of change programmes within an organisation.

This will not be possible without an existing robust Operational Risk Management Framework.

Our next article will provide an overview of operational risk management.