Overview of the Australian Operational Resilience Regulatory Guidelines

1. Operational Risk Management

An APRA-regulated entity is obligated to effectively handle a comprehensive spectrum of operational risks, encompassing, but not limited to, legal, regulatory, compliance, conduct, technology, data, and change management risks. Senior management holds the responsibility for overseeing operational risk management throughout the entirety of the business operations.

Additionally, an APRA-regulated entity must maintain an appropriate and robust information and information technology (IT) infrastructure that aligns with its current and future business needs and supports critical operations and risk management. In addressing technology-related risks, such an entity must regularly assess the age and health of its information assets and adhere to the information security requirements stipulated in Prudential Standard CPS 234 Information Security (CPS 234).

• Operational Risk Profile and Assessment

An APRA-regulated entity is required to evaluate the implications of its business and strategic decisions on its operational risk profile and operational resilience as an integral part of its business and strategic planning procedures. This evaluation must encompass an assessment of how new products, services, geographic expansions, and technologies affect its operational risk profile.

Furthermore, an APRA-regulated entity must maintain a comprehensive evaluation of its operational risk profile. Within this context, it must:

Maintain effective information systems to monitor operational risk, compile and analyze operational risk data, and facilitate reporting to the Board and senior management.

Identify and document the essential processes and resources necessary for the delivery of critical operations. This includes people, technology, information, facilities, and service providers, along with recognizing their interdependencies, associated risks, obligations, key data, and controls.

Undertake scenario analysis to identify and assess the potential impact of severe operational risk events, test its operational resilience, and identify the necessity for new or revised controls and other mitigation strategies.

Additionally, an APRA-regulated entity must perform a comprehensive risk assessment before offering a substantial service to another party. This assessment ensures that the APRA-regulated entity can continue to meet its prudential obligations even after entering into the arrangement. APRA retains the authority to request the APRA-regulated entity to review and bolster internal controls or processes if it perceives heightened prudential risks in such situations.

• Operational Risk Controls

An APRA-regulated entity is required to formulate, implement, and firmly integrate internal controls aimed at mitigating operational risks in alignment with its risk tolerance and compliance obligations.

Additionally, the entity must regularly oversee, assess, and evaluate these controls to determine their efficacy in design and operation. The frequency of these evaluations should correspond to the significance of the risks they are meant to mitigate. The findings from these assessments must be communicated to senior management, and any deficiencies or gaps within the control framework must be promptly addressed.

Furthermore, the APRA-regulated entity is obligated to rectify material weaknesses in its operational risk management, including issues such as control gaps, weaknesses, and failures. This remediation process should be underpinned by clearly defined responsibilities and assurance mechanisms and must address the fundamental causes of these deficiencies in a timely manner. Until such matters have been effectively resolved, identified control gaps, weaknesses, and failures must remain a part of the entity’s operational risk profile.

• Operational Risk Incidents

An APRA-regulated entity is obligated to promptly identify, escalate, document, and address operational risk incidents and near misses. These incidents and near misses must be considered in a timely manner when evaluating the entity’s operational risk profile and the effectiveness of its controls.

Additionally, in the event that the entity becomes aware of an operational risk incident with a deemed potential for substantial financial impact or one that could significantly affect the entity’s ability to sustain its critical operations, it must notify APRA as swiftly as possible, within a maximum of 72 hours.

2. Business Continuity Plan

An APRA-regulated entity is required to:
Clearly define, identify, and keep a record of its critical operations. (b) Implement reasonable measures to reduce the chances and consequences of disruptions to these critical operations. (c) Uphold a reliable Business Continuity Plan (BCP) that outlines the strategy for sustaining critical operations within predefined tolerance levels during disruptions. This includes disaster recovery planning for essential information assets. (d) Activate its BCP when necessary in the event of a disruption. (e) Swiftly return to standard operations once the disruption has concluded.

• Critical Operations & tolerance levels

Critical operations encompass processes carried out by an APRA-regulated entity or its service provider. These operations, if disrupted beyond predefined tolerance levels, would result in a significant adverse impact on depositors, policyholders, beneficiaries, customers, or the entity’s role within the financial system. At a minimum, the following business functions must be classified as critical operations, unless a valid justification is provided: payments, deposit-taking, management, custody, settlements, clearing (for authorized deposit-taking institutions), claims processing (for insurers), investment management, fund administration (for registrable superannuation entity licensees), and customer inquiries, including the supporting systems and infrastructure (for all APRA-regulated entities). APRA retains the authority to mandate the classification of a business operation as critical. Each critical operation necessitates the establishment of tolerance levels, defining the maximum allowable disruption duration, data loss extent, and minimum service levels during alternative arrangements. APRA may require periodic reviews and adjustments to tolerance levels for critical operations and may also impose tolerance levels where heightened risks or material weaknesses are identified.

• BCP inclusions

The Business Continuity Plan (BCP) of an APRA-regulated entity must encompass a register of critical operations and associated tolerance levels, disruption triggers for plan activation and resource allocation, actions to sustain critical operations during disruptions, risk assessments, and a communication strategy. The entity must maintain the necessary capabilities for BCP execution and monitor compliance with tolerance levels, reporting any breaches to the Board with remediation plans. If a critical operation is disrupted beyond tolerance levels, the entity must promptly notify APRA, providing details about the disruption’s nature, response actions, expected impact on business operations, and the timeframe for returning to normal operations, within 24 hours.

• Testing & Review

An APRA-regulated entity must establish a systematic testing program for its Business Continuity Plan (BCP), covering all critical operations, and include an annual business continuity exercise. This program aims to assess the effectiveness of the entity’s BCP and its ability to meet predefined tolerance levels across various severe yet plausible scenarios.

The testing program should be customized to address the material risks specific to the entity, encompassing a range of severe yet plausible scenarios, including disruptions to services provided by significant service providers and situations requiring contingency measures. APRA retains the authority to mandate the inclusion of an APRA-determined scenario in a business continuity exercise for an APRA-regulated entity or a particular class of such entities. Additionally, the entity must update its BCP annually to reflect changes in legal or organizational structure, business composition, strategy, risk profile, or any shortcomings identified during BCP review and testing.

Furthermore, the internal audit function within an APRA-regulated entity must periodically review the entity’s BCP and provide assurance to the Board regarding the BCP’s credibility in sustaining critical operations within tolerance levels during severe disruptions. This review also ensures that testing procedures are adequate and have been satisfactorily conducted.

3. Management of Service Provider Arrangements

An APRA-regulated entity is obligated to uphold a thorough service provider management policy, addressing the identification of material service providers and the overall management of service provider relationships, with a particular focus on mitigating risks linked to these arrangements. This policy must encompass key elements such as the entity’s procedures for engaging with, monitoring, replacing, and terminating agreements with material service providers. Additionally, it should outline the entity’s strategy for managing risks inherent to these material service provider relationships. Furthermore, the policy should extend its risk management scope to include any fourth parties upon whom material service providers rely to deliver critical operations to the APRA-regulated entity.

• Material Service Provider

An APRA-regulated entity is mandated to identify and maintain a register of its material service providers while effectively managing the significant risks associated with these providers. Material service providers are those entities upon which the APRA-regulated entity relies to execute critical operations or those that expose it to substantial operational risk. Material arrangements encompass those on which the entity depends to perform critical operations or those that expose it to substantial operational risk.

At a minimum, an APRA-regulated entity must classify providers offering the following services as material service providers, unless there is justifiable reason to do otherwise:

• For an authorized deposit-taking institution (ADI): credit assessment, funding and liquidity management, and mortgage brokerage.
• For an insurer (general, life, private health): underwriting, claims management, insurance brokerage, and reinsurance.
• For a registrable superannuation entity licensee (RSE licensee): fund administration, custodial services, investment management, and arrangements with promoters and financial planners.
• For all APRA-regulated entities: risk management, core technology services, and internal audit.

Additionally, the entity must annually submit its register of material service providers to APRA. APRA retains the authority to mandate an APRA-regulated entity or a specific class of such entities to classify a service provider, type of service provider, or service provider arrangement as material.

• Service Provider Agreement

Before establishing or significantly modifying a material arrangement, an APRA-regulated entity must conduct appropriate due diligence, including a selection process and an assessment of the service provider’s ongoing capabilities. Additionally, the entity must assess both financial and non-financial risks stemming from its reliance on the service provider, considering factors like geographic location and service provider concentration.

For all material arrangements, the entity must maintain a formal, legally binding agreement specifying covered services, service levels, rights, responsibilities, ownership of assets and data, dispute resolution, audit access, liability, and compliance obligations. This agreement must also address sub-contracting by the service provider and include force majeure and termination provisions.

Furthermore, the formal agreement must allow APRA access to relevant documentation, data, and information, as well as the right to conduct on-site visits. It should ensure the service provider doesn’t obstruct APRA in fulfilling its regulatory duties.

Each material arrangement must be assessed and managed for risks impacting the service provider’s ongoing provision of services, risks to the entity resulting from the arrangement, the entity’s ability to execute its Business Continuity Plan, and its ability to exit the arrangement in an orderly manner if necessary. APRA has the authority to request revisions to a service provider arrangement if heightened prudential concerns arise.

• Monitoring, Notification & Review

An APRA-regulated entity must diligently monitor and ensure that senior management receives appropriate reporting on material arrangements, in accordance with the nature and utilization of the service. This monitoring entails regular assessments of:

(a)The service agreement’s performance, including adherence to agreed-upon service levels. (b) The efficacy of controls designed to manage risks associated with service provider usage. (c) Compliance by both parties with the service provider agreement.

The entity must also notify APRA promptly, within a maximum of 20 business days, after entering into or significantly amending an agreement for a service that it relies on to execute a critical operation. Additionally, the entity must inform APRA in advance of entering into any significant offshoring arrangement or when proposing a substantial change to the arrangement, including situations involving offshore data or personnel related to the provided service.

Moreover, the internal audit function within an APRA-regulated entity must evaluate any proposed material arrangement involving the outsourcing of a critical operation. The internal audit function should routinely report to the Board or Board Audit Committee regarding the compliance of such arrangements with the entity’s service provider management policy.

Reference – Prudential Standard CPS 230 Operational Risk Management published by APRA