Approaching Operational Risk Management in the Era of APRA CPS 230
On 28 July 2022, APRA (the Australian Prudential Regulation Authority) released for consultation a new prudential standard, CPS 230 Operational Risk Management, designed to strengthen the management of operational risk in the financial sector. The standard has since been finalized and is now in force.
But why does an Australian standard matter outside the financial services industry? This article lays out the rationale for approaching operational risk management in the era of CPS 230, along with the key lessons from the standard's subsections.
Why care about APRA CPS 230?
So, why care? The short answer is that APRA CPS 230 didn't emerge from a vacuum.
For one, interest in operational resilience, of which operational risk management is an essential component, has taken off.
The BCI Operational Resilience Report 2022, for instance, found that operational resilience practices have risen in popularity, with over three quarters of organizations reporting either having or developing an operational resilience program.
Rising interest in operational resilience is driven by the sharp increase in both actual and potential shocks and disruptions. Those shocks span the full range of operational risks, e.g., legal, regulatory, compliance, conduct, technology, data, reputational, and change management risk.
As such, one can’t tackle operational resilience without addressing operational risk management.
Approaching operational risk management with APRA CPS 230
Of course, that’s where APRA CPS 230 comes into play.
APRA CPS 230 establishes a minimum standard for managing operational risk, including updated requirements for business continuity and service provider management. At its most basic, APRA requires regulated entities to maintain appropriate and sound information and information technology infrastructure to meet current and projected business requirements and to support critical operations and risk management.
At a high level, CPS 230 requires a regulated entity to:
- Identify, assess, and manage its operational risks, with effective internal controls, monitoring and remediation
- Be able to continue to deliver its critical operations within tolerance levels through severe disruptions, with a credible business continuity plan (BCP)
- Effectively manage the risks associated with service providers, with a comprehensive service provider management policy, formal agreements, and robust monitoring
Developing and maintaining an appropriate risk management framework
As it’s beyond the scope of this article to recapitulate everything that’s in CPS 230, we’ll detail one of its most important provisions.
Relevant to all organizations, it’s the section on developing and maintaining an appropriate risk management framework.
What’s in it? Well, the essentials include:
- Governance arrangements for the oversight of operational risk
- An assessment of the entity's operational risk profile, with a defined risk appetite supported by indicators, limits, and tolerance levels
- Internal controls that are designed and operating effectively for the management of operational risks
- Appropriate monitoring, analysis, and reporting of operational risks and escalation processes for operational incidents and events
- Business continuity plan(s) (BCPs) that set out how the entity would identify, manage, and respond to a disruption within tolerance levels and are regularly tested with severe but plausible scenarios
- Processes for the management of service provider arrangements
Who’s responsible for putting this framework into place?
That would be the entity's Board. Even where there is no enforcement exposure, as for non-Australian firms outside APRA's jurisdiction, the Board should still be held accountable for the oversight of operational risk management, business continuity, and the management of service provider arrangements.
The Board, therefore, has its work cut out. Per CPS 230, the Board must ensure that the entity sets clear roles and responsibilities for senior managers in relation to operational risk management.
Those senior managers, in turn, are responsible for operational risk management on a day-to-day basis, across end-to-end processes for all business operations.
Senior managers must also provide the Board with information on the expected impacts on the entity's critical operations whenever the Board makes decisions that could affect the resilience of those operations.
Further Board responsibilities include:
- Oversee operational risk management and the effectiveness of key internal controls in maintaining the entity’s operational risk profile within risk appetite
- Approve the BCP and tolerance levels for disruptions to critical operations, review the results of testing, and oversee the execution of any findings
- Approve the service provider management policy, and review risk and performance reporting on material service providers
Of course, that only scratches the surface of the operational risk management requirements that all organizations should know about. What else is there to know? Download Noggin's Guide to the Finalized APRA CPS 230 Standard to find out.