Operational Risk Management: APRA’s CPS 230 key areas of focus

Welcome to the second in our series of CPS 230 technical guides. In the discussion paper that accompanied the issue of the draft CPS 230, APRA set out its three key objectives – the first of which is to “strengthen operational risk management”.

In this guide we provide an overview of some elements necessary to achieve strong operational risk management and why it is the foundation of operational resilience.

“Managing operational risk can be complex because it’s decentralised”.

What is operational risk and why is managing it important?

APRA defines operational risk as “risks that may result from inadequate or failed processes or systems, the actions or inactions of people or external drivers and events”.

One of the most common ways of managing operational risk is through a system of effective internal controls. Control failures, however, can lead to events as varied as mis-selling, data breaches and underpayments – hence APRA’s focus on strengthening operational risk management.

It is not possible for an entity to maximise its operational resilience without effectively managing its operational risk.

What makes effective operational risk management so difficult and who owns it?

Financial risks such as credit, insurance or market risks are generally managed on a centralised basis within defined strategies and limits. APRA notes that “operational risk is inherent in all products, activities, processes and systems” and therefore it is not possible to adopt the same centralised model of risk management.

CPS 230 states that:

  • Senior management within the business are responsible for the ownership and management of operational risk across an entity’s end to end processes
  • The board is ultimately accountable for the oversight of operational risk management and is expected to ensure that senior management effectively implements and maintains the framework

This approach aligns with the three lines model of risk management that forms the basis for the approach to risk management set out in CPS 220.

To be most effective, operational risk should be managed where it occurs and is therefore largely the responsibility of business lines, or Line 1. As such, management of operational risk is decentralised, making activities such as controls assurance, Line 2 oversight and dashboard-style reporting critically important to drive consistency and effectiveness across the organisation and to enable the Board to have oversight of any processes, systems or parts of the organisation that may not be operationally resilient.

What are APRA’s expectations regarding internal controls?

APRA expects that entities “should maintain internal controls to detect and manage operational risks within appetite”. This includes the following components:

  • Process maps: A clear understanding of the end-to-end processes underpinning critical operations
  • Risk profile: An entity can identify its obligations, risks, required controls and necessary monitoring mechanisms – supported by:
    • Risk and controls register
    • Obligations register
    • Controls assurance framework
  • Breach and incident process: Shortcomings and weaknesses identified in relation to internal controls need to be rectified in a timely manner

It’s important these components operate as a framework and not in isolation – the framework should guide the required considerations and be kept up to date.

Effective operational risk management is dependent upon linkages being made based upon the information derived from the different components of the framework so that the appropriate decisions can be made.

What are the elements for effective operational risk management?

Based upon our experience in supporting clients to implement and refresh their enterprise risk management and operational risk management frameworks, or to respond to APRA requirements and recommendations regarding these, the following are some of the elements that we consider fundamental to the effective management of operational risk. These should also help to overcome some of the complexity arising from the decentralised nature of operational risk.

Investing in an appropriate Management Information System (MIS)

To support managing operational risk where it occurs – in the business – Line 1 needs the capacity to maintain its own operational risk profile. This includes recording and managing incidents and maintaining an internal controls assurance program. Once an entity is of sufficient size, investing in an MIS may not only streamline risk management but also improve its consistency. Line 2 maintaining risk registers and profiles in spreadsheets will no longer be sustainable.

An MIS enables linkages to be made that support a more accurate assessment of residual risk and of the level of operational risk carried by the entity. Risk dashboards can also be generated automatically, enabling more insightful analysis to be provided to the Board.

Adopting a concise risk taxonomy

We often come across entities that have too many risks in their profile relative to the size, complexity and nature of their business. Without a clear risk taxonomy, the number of risks may become unmanageable, making it difficult to undertake meaningful analysis and impairing the understanding of key risks.

Identifying operational risks and understanding and treating operational vulnerabilities is a critical ingredient for operational resilience.

A risk taxonomy should generally consist of two levels:

  • Level 1: Material risk categories – refer to paragraph 26 of CPS 220 – operational risk is a material risk category
  • Level 2: Risk events – it may not be necessary to further break down all material risk categories into risk event sub-categories; however, it is necessary for operational risk because it is so broad. Commonly used operational risk event categories include:
    • Internal fraud
    • External fraud
    • Employment practices and workplace safety
    • Clients, products, and business practice
    • Damage to physical assets
    • Business disruption and system failures
    • Execution, delivery, and process management
  • Utilising operational risk event categories streamlines the identification of operational risks, enables the root cause of incidents to be identified and analysed, and allows more meaningful analysis of operational risks.

Controls assurance is a lead indicator of operational risk

Our clients often ask us for suggestions of lead indicators for operational risk. The best lead indicator of operational risk is controls assurance results, because they not only provide evidence of the adequacy of controls over material risks but also information about control weaknesses that enables improvements to be made.

When instances of control ineffectiveness are identified, they not only need to be rectified, but consideration must also be given to whether the level of residual risk has increased. This increase may only be temporary, until such time as remediation actions are completed.

The value of root cause analysis

Root cause analysis may assist entities to understand why something went wrong and prevent its recurrence. It can also assist entities to better understand what is working well and how this can be extrapolated across other processes or functions.

Better practice is to require root cause analysis as part of an entity’s situation (formerly breach and incident) process. Without understanding the root cause, remediation may be incomplete or may address only the symptoms rather than the underlying cause.

At its simplest, root cause analysis may just involve solving “the 5 whys”. Root cause analysis is also a useful tool when analysing disputes and complaints to determine whether there are systemic issues that may give rise to customer detriment.

Many entities leverage third-party and related service providers as part of their operating model. Whilst outsourcing can increase the level of operational risk, it may also mitigate it. Replacing CPS 231 Outsourcing with CPS 230 is an acknowledgement that using service providers is an established and integral part of service delivery.

Our next technical guide will provide an overview of third-party service provider management.
