Events of recent years, such as COVID-19, cyber-attacks, floods and storms, have reinforced the importance of managing and responding to operational risks. To ensure that regulated entities are well placed to manage operational risk and respond to business disruptions when they inevitably occur, APRA (Australian Prudential Regulation Authority) is consulting on a new prudential standard for operational risk management.
The importance of operational risk management has been highlighted repeatedly in recent years, with regular examples of operational risk events and failures that have had both financial and non-financial implications. APRA has observed three key trends in recent years:
- Control failures
- Low tolerance for disruptions
- Increasing reliance on service providers
APRA is proposing to introduce new and enhanced requirements to strengthen the management of operational risk and raise standards to align with the expectations and needs of the financial system and digital economy.
The three main objectives of the proposed new standard for operational risk management are:
- Strengthen operational risk management
- Improve business continuity planning
- Enhance third-party risk management
The proposed Prudential Standard CPS 230 Operational Risk Management (CPS 230) will replace five existing standards:

| Standard | Applicable up to | Applicable from |
| --- | --- | --- |
| Proposed Prudential Standard CPS 230 Operational Risk Management (CPS 230) | | 1st January 2024 |
| Prudential Standard CPS 231 Outsourcing (CPS 231) | 31st December 2023 | |
| Prudential Standard CPS 232 Business Continuity Management (CPS 232) | 31st December 2023 | |
| Prudential Standard SPS 231 Outsourcing (SPS 231) | 31st December 2023 | |
| Prudential Standard SPS 232 Business Continuity Management (SPS 232) | 31st December 2023 | |
| Prudential Standard HPS 231 Outsourcing (HPS 231) | 31st December 2023 | |
Key features of the proposed Prudential Standard CPS 230 Operational Risk Management include:
- Entities must manage operational risks with effective internal controls, monitoring and remediation
- Entities must be able to respond to disruptions and maintain continuity of critical operations
- Entities must understand and manage the risks from the use of service providers
In developing CPS 230, APRA has adopted a principles-based approach with a focus on outcomes rather than process. In designing the new standard, APRA has had regard to:
- existing APRA standards for business continuity and outsourcing, which have been streamlined and updated
- international standards, such as the Basel Committee on Banking Supervision’s Core Principles, and the recently released Principles for Operational Resilience and Principles for the Sound Management of Operational Risk
- international peers' approaches and guidance, including those of the Prudential Regulation Authority (PRA) in the UK and the Office of the Superintendent of Financial Institutions (OSFI) in Canada.
Overview of draft CPS 230 requirements
| Draft CPS 230 | Key requirements |
| --- | --- |
| Operational risk management | Operational risk assessment to ensure that APRA-regulated entities understand and monitor their risk profile |
| | Operational risk controls, which must be designed, implemented and embedded, and regularly tested for effectiveness |
| | Operational risk incidents, which must be identified, escalated, recorded and addressed in a timely manner |
| Business continuity | Critical operations: processes that, if disrupted, would have a material adverse impact on depositors, policyholders, beneficiaries or other customers, or on financial system stability |
| | Tolerance levels for the maximum disruption to critical operations that an entity would accept in a disruption, including the maximum time and extent of data loss |
| | Business continuity plan (BCP) that sets out how the entity would manage and respond to a disruption to critical operations, and that must be subject to testing and review |
| Service provider management | Identification of material service providers on which the entity relies for its critical operations or that expose it to material operational risk |
| | Service provider agreements to ensure entities monitor and manage the risks associated with third parties and intra-group entities |
The expected outcome of the standard is to integrate operational risk management into an entity's overall risk management framework and processes. This will strengthen the resilience of the Australian financial system, improve financial safety and promote sound operations.
The full extract of the discussion paper is available here:
https://www.apra.gov.au/discussion-paper-strengthening-operational-risk-management