
New APRA standard takes an outcome-based approach to operational risk

The much-anticipated draft Prudential Standard CPS 230: Operational Risk Management was released by APRA on 28 July 2022. It applies to all APRA-regulated entities, including authorised deposit-taking institutions (ADIs), general insurers, life insurers, private health insurers and registrable superannuation entity licensees (RSE licensees).

When less is more

Before we get into the detail of the draft standard, it is encouraging to note that it involves a substantial rationalisation, and therefore reduction, in the volume of prudential standard documents.

It will replace the 231: Outsourcing and 232: Business Continuity standards, and it is a full cross-industry consolidated (CPS) standard. The draft standard is 12 pages, and it replaces CPS 231 (14 pages) and CPS 232 (11 pages), not to mention the three related standards of SPS 231, HPS 231 and SPS 232. In addition, the draft standard also covers operational resilience, a topic that has generated voluminous paperwork in the UK from the Bank of England, the PRA and the FCA.

It is also clear that APRA is strengthening its focus on outcomes and principle-based prudential regulation rather than being process-focussed. This may disappoint those who like pages of detailed guidance, but it will be applauded by those of us who prefer principles and guidance. In this era of more and more regulation and endless pages of requirements, it is refreshing to see this approach taken by APRA.

So now to the draft standard, which is due to come into operation on 1 January 2024, with the draft open for comment until 21 October 2022.

What are the key contents?

The focus of the standard is to address some key challenges APRA has observed over the recent past within its regulated entities:

  • Control failures
  • Low tolerance of disruptions
  • Increasing reliance on third parties

It also seeks to specifically address operational resilience, which leads to the following requirements:

  • Strengthen operational risk management with a focus on:
    1. Operational risk assessment
    2. Operational risk controls
    3. Operational risk incidents
    4. Roles and responsibilities of business lines, senior managers and board
  • Improve business continuity planning so that entities are prepared and ready to ensure continued delivery of critical operations during periods of disruption. There is a specific focus on:
    1. Critical operations
    2. Tolerance levels
    3. Business Continuity Plan (BCP)
  • Enhance third-party risk management by effectively managing the risks associated with the use of service providers with specific focus on:
    1. Identification of material service providers
    2. Service provider agreements

Where does operational resilience fit in?

There is an overarching theme running through the standard focussed on operational resilience, by bringing together and refining the existing resilience-based standards of 231: Outsourcing and 232: Business Continuity. In addition, CPS 234: Information Security, while remaining untouched, will also support the resilience cause.

Operational resilience is defined by APRA as “the ability to effectively manage and control operational risks and maintain critical operations through disruptions”, and APRA’s focus is to ensure that entities:

  • prevent, to the extent practicable, disruption to critical operations
  • adapt processes and systems to continue operations in the event of a disruption
  • return to normal operations promptly after a disruption is over

What is clear is that APRA does not see operational resilience as something new, separate from operational risk management. It is the outcome of prudent operational risk management, and it is an extension of business continuity management, something we strongly support.

What is the impact on risk systems?

It is worth noting that the standard requires APRA-regulated entities to “maintain appropriate and sound information and information technology (IT) infrastructure to […] support its critical operations and risk management”. More specifically, they must:

  • maintain appropriate and effective information systems to monitor operational risk, compile and analyse operational risk data and facilitate reporting to the Board and senior management
  • identify and document the processes and resources needed to deliver critical operations, including people, technology, information, facilities and service providers, the interdependencies across them, and the associated risks, obligations, key data and controls
  • undertake scenario analysis to identify and assess the potential impact of severe operational risk events, test its operational resilience and identify the need for new or amended controls and other mitigation strategies

Key takeaways

Our initial key takeaways from a review of the draft standard and discussion paper are:

  1. APRA has taken the opportunity to rationalise its standards and guidance and at the same time address operational resilience, but in an outcome-driven rather than a process-driven way, quite different from some other overseas regulators. This has to be a good thing!
  2. Operational resilience is part of good operational risk management; it is not something different from it.
  3. The link between operational resilience and BCP is very strong, with APRA seeing it as a natural progression of BCP from a time when we predominantly focussed on loss of physical resources to one where digital and third-party resources are equally, if not more, important.
  4. Entities will need to tighten up several areas of operational risk management to meet the requirements of this standard. This will include a greater focus on critical process mapping, a tightening of the core elements of operational risk management, such as controls management, and the bringing together of the various elements of operational risk management in order to provide a more real-time, integrated risk profile for the board.

We will continue to analyse the draft standard in detail and will continue to share our findings and views in future blogs. Watch this space.

Next steps for your organisation

Protecht recently launched the Protecht.ERM Operational Resilience module, which helps you identify and manage potential disruption so you can provide the critical services your customers and community rely on.


About the author

David Tattam is the Chief Research and Content Officer and co-founder of the Protecht Group. David’s vision is to redefine the way the world thinks about risk and to develop risk management to its rightful place as a key driver of value creation in each of Protecht’s clients. David is the driving force behind Protecht’s risk thinking at the frontiers of what is possible in risk management, and behind its support for the uplift of people’s risk capability through training and content.