Your roadmap to compliance
Operational risk has been a headline issue in the superannuation, insurance and banking industries over recent years, as regulated entities have faced the COVID-19 pandemic, cyber and technology risk, geopolitical unrest, volatile markets and high-profile compliance failures. It is therefore no surprise to see APRA sharpening its focus on operational resilience with the final prudential standard, CPS 230 (Operational Risk Management) (CPS 230).
CPS 230 will apply to all APRA-regulated entities in the banking, insurance and superannuation industries from 1 July 2025 (with certain transitional arrangements). It will consolidate into a single prudential standard significant new requirements in relation to operational risk management, as well as updated requirements in relation to service provider risk management and business continuity planning.
APRA has also released for consultation draft Prudential Practice Guide CPG 230 (Operational Risk Management) (CPG 230), which sets out proposed guidance on CPS 230. APRA expects to finalise the guidance by the end of 2023.
While the start date for CPS 230 may seem some time away, significant preparation will be required. APRA expects regulated entities to demonstrate that they have made meaningful progress in 2023 and 2024 to prepare for CPS 230.
In this Insight, we provide an overview of CPS 230 and what it will mean for you.
CPS 230 adopts a principles-based approach and imports many familiar concepts from existing prudential standards. However, it will impose much more prescriptive and extensive obligations in relation to operational risks than we've previously seen.
Importantly, CPS 230 will:
- impose detailed requirements in relation to the governance and management of operational risk, which is currently only addressed in a general sense in CPS and SPS 220 (Risk Management);
- underscore the importance of ensuring that organisations have a real-time understanding of their operational risk profile and the impact of key business decisions and other changes affecting that profile;
- make clear that, notwithstanding the emphasis of CPS and SPS 220 on the importance of independent risk functions, senior management has end-to-end responsibility for operational risk and that these considerations should be embedded throughout the business;
- see a shift from APRA's previous focus on recovery from disruption, to an expanded focus on ensuring there is the capability to operate through disruption within pre-approved tolerance levels;
- introduce an expansive concept of material service providers, which includes a requirement to manage material risks associated with using those service providers, and a requirement to look deeper into the supply chain (eg to consider fourth-party risk regarding the delivery of critical operations);
- introduce a new concept of material arrangements – being arrangements on which the entity relies to undertake a critical function or that expose it to material operational risk (rather than focusing on the materiality of the services provided) – with associated requirements to undertake appropriate due diligence in the selection process and assessment of financial and non-financial risks, and an expanded set of prescribed matters that must be addressed in formal agreements; and
- give APRA increasing visibility into the implementation of operational risk management as well as an increased ability to require regulated organisations to manage their operational risks in particular ways.
As a result, CPS 230 will require significant changes to governance, compliance, contractual and incident response arrangements for all APRA-regulated entities. For more on this, see Part 2 – Practical Implementation Guide (PDF).
The key changes to the final version of CPS 230 include:
- Deferred commencement and transition period: APRA has deferred commencement of CPS 230 to 1 July 2025. For existing service provider arrangements, APRA-regulated entities will have until the earlier of 1 July 2026 or the next renewal date of an existing agreement to ensure compliance with CPS 230.
- Flexibility on prescribed critical operations and material service providers: APRA has qualified the lists of prescribed 'critical operations' and 'material service providers' by industry, and in each case APRA-regulated entities will have flexibility to classify a prescribed operation as not 'critical' or a service provider as not a 'material service provider', as applicable, if it can provide satisfactory justification for its decision. APRA says it expects these cases will be exceptional, and that entities would document the decision, obtain approval for it by an accountable person (or equivalent) and review the decision on at least an annual basis. Also, APRA will retain the power to require an APRA-regulated entity to reclassify the assessment if it disagrees with the entity's assessment.
- Materiality threshold for material service provider arrangements: APRA has clarified that only 'material arrangements' with material service providers are captured by certain requirements – ie not all arrangements with material service providers will be caught. 'Material arrangements' that will be caught are those on which the APRA-regulated entity relies to undertake a critical operation or those that expose the entity to material operational risk. APRA can also classify a service provider arrangement as material.
- Removal of requirement for service providers under CPS 234 to be classified as material service providers: APRA has removed the requirement that all service providers that manage information assets classified as critical or sensitive under CPS 234 would automatically be classified as material service providers under CPS 230.
- Removal of requirement to assess whether material service provider is systematically important in Australia: APRA has removed the requirement for APRA-regulated entities to take reasonable steps to assess whether a material service provider is 'systematically important' in Australia before entering into, or materially modifying, a material arrangement. This is a helpful change, given the concept was not defined.
- Register of material service providers not required in policy: While APRA-regulated entities will still be required to maintain a register of material service providers, the register itself will not be required to form part of the Service Provider Management Policy. This change was made in response to concerns about the administrative burden of updating the policy whenever there were changes to the register.
- Clarification on notification obligations: While APRA has not extended notification timeframes, APRA has clarified that an APRA-regulated entity only needs to notify APRA if the activation of the entity's BCP relates to a disruption to a critical operation outside tolerance. Further, APRA has confirmed that a notification of an information security incident under CPS 234 does not need to be separately reported under CPS 230.
- Removal of reputational risk: APRA has removed reputational risk from the definition of 'operational risk' in CPS 230 and will review existing definitions of operational risk in the prudential framework to align with CPS 230. APRA says this removal reflects that typically reputational risk is treated as an outcome of an operational risk incident or event, rather than as an operational risk itself – however, a regulated entity would still be expected to give consideration to the reputational impact on it of an operational risk event.
Source: APRA, Implementation timeline, Response paper – Operational Risk Management
CPS 230 attempts to address the following weaknesses that APRA has observed as part of its prudential supervision:
- Control failures: numerous operational risk events have arisen due to ineffective controls, resulting in action against a range of entities (eg through court-enforceable undertakings, remediation programs and additional operational risk capital requirements).
- Low tolerance for disruptions: customers have a lower tolerance for disruptions given the importance of core financial services in everyday life and an expectation that these services will always be available.
- Increasing reliance on (and concentration of) service providers: APRA-regulated entities are becoming more reliant on the use of service providers to support their business operations. Problems in the use of service providers that may form part of a long and complex supply chain involving 'fourth parties' and downstream providers can quickly impact the availability and level of service provided by an APRA-regulated entity.
CPS 230 follows similar reforms spearheaded by its counterparts in the UK (Prudential Regulation Authority), Canada (Office of Financial Sanctions Implementation) and others, and has regard to international standards such as the Basel Committee on Banking Supervision's Core Principles.
APRA's focus on operational risk also reflects ASIC's increased focus on the potential impacts of technology in financial markets and services, and its proposed core strategic project in relation to cyber risk and operational resilience, as set out in its 2022–26 Corporate Plan.
CPS 230 picks up a number of similar concepts from the prudential standards it proposes to replace, but also contains some very significant changes. We have outlined some of these changes (as compared to current requirements) below.
CPS 230 contains a number of overarching key principles that require APRA-regulated entities to manage operational risks, and that will be assessed from an outcomes perspective. For example, an APRA-regulated entity must:
Supplementing these principles are a number of other new requirements, including requirements to understand its operational risk profile, to conduct comprehensive risk assessments before providing material services to other parties (which Draft CPG 230 says is intended to apply to intra-group arrangements and services to non-APRA-regulated parties), and to design and embed internal operational risk controls in all of its products, activities, processes and systems.
Draft CPG 230 emphasises that an APRA-regulated entity's approach to operational risk must be appropriate to its size, business mix and complexity. It notes that not all of the practices outlined in the guidance will be relevant for every entity – eg, certain guidance may be more relevant depending on the size, nature and complexity of a regulated entity's operations. In particular, for smaller entities, APRA expects a simpler approach to implementing and complying with CPS 230. In draft CPG 230, APRA says that this applies to the level of granularity expected in assessing the operational risk profile, including identifying and documenting processes, resources and scenario analysis. Additionally, a smaller entity could identify and document its processes and resources for critical operations only at a high level. However, APRA has not identified what it considers to be 'smaller entities', and it has steered clear of using terminology from other recent prudential standards, such as 'significant financial institutions' (or SFIs) and 'non-significant financial institutions' (or non-SFIs), based on industry feedback that such distinctions were not appropriate.
Draft CPG 230 also refers to a spectrum of standards – ranging from baseline obligations that regulated entities must comply with under CPS 230, to 'typical', 'better practice' and 'best practice' standards. It is not clear how a failure to meet 'better practice' or 'best practice' would be viewed by APRA (for example, whether these are APRA's expectations of larger and more complex entities – or just a high-water mark for entities to consider).
Board and senior management accountability
CPS 230 provides that the board will be accountable for operational risk management (including business continuity and service provider arrangements). Until now, APRA has required the board to be ultimately responsible for certain matters in its prudential standards. The language shift to accountable is subtle but important in terms of APRA's expectation for boards, and sits hand-in-hand with APRA's outcomes-focussed supervision.
As part of this, APRA expects the board to set clear roles and responsibilities for senior managers and to oversee operational risk management.
APRA has stated that the intent is not for the board to play a role in day-to-day operational risk management; rather, that it expects a prudent board would have a clear understanding of who is accountable within the entity for which aspect of operational risk management, including business continuity and the management of service provider arrangements, and be confident that there are no gaps in accountabilities.
In return, senior management must provide clear and comprehensive information to the board on the entity's operational risk profile and the expected impact to critical operations when the board is making decisions. In draft CPG 230, APRA says that it expects senior management would typically define roles and responsibilities regarding operational risk management for senior management across the entity, through a combination of processes, including role statements, reporting lines and charters of governing bodies. APRA also suggests that this might involve end-to-end business process mapping conducted across all business operations, including those performed by service providers.
The onus is firmly placed on business-line management to take responsibility for operational risk, as opposed to relying on risk management functions. In draft CPG 230, APRA says that it is best practice for business line management to be responsible for embedding operational risk management practices, and, as a result, to also be the owners of the risk within the entity. Further, APRA expects that there would typically be established processes for delegations, and escalation of risks and issues to the board and senior management, and defined reporting requirements.
APRA has given itself a raft of new powers in relation to the supervision of operational risk management (including powers to require entities to take specific actions where material weaknesses are identified, to adjust tolerance levels, to classify a business operation as a critical operation, and to classify service providers as material, amongst other things). See Part 2 – Practical Implementation Guide (PDF) for more detail.
APRA-regulated entities are currently required to report information security incidents to APRA as soon as possible and no later than 72 hours after becoming aware of the incident under Prudential Standard CPS 234 (Information Security). APRA proposes that it must be notified of operational risk incidents in the same timeframe (where the incident is likely to have a material financial impact or a material impact on the ability of the entity to maintain its critical operations). APRA has clarified that a notification of an information security incident reported under CPS 234 does not need to be separately reported under the notification requirements of CPS 230.
How is this different (to CPS and SPS 232)?
Business continuity plan (BCP)
CPS 230 requires APRA-regulated entities to maintain a credible BCP that sets out how the entity would maintain its 'critical operations' within 'tolerance' levels through disruptions, including disaster recovery planning for critical information assets. The BCP must be approved by the board.
This must include a register of critical operations and associated tolerance levels, triggers to identify disruption and prompt activation of the BCP, actions the entity will take to maintain critical operations within tolerance levels where disruptions arise, assessment of the key dependencies needed to support the effective implementation of the BCP and a communications strategy to support the execution of the plan.
For APRA-regulated entities (other than private health insurers)[1] the requirement to maintain a BCP is not new, although some new concepts for its contents have been introduced, including 'critical operations' and 'tolerances' as described.
Some of the other prescriptive requirements for a BCP have been brought across (although reframed) in CPS 230.
'Critical operation' identification
APRA-regulated entities will be required to define, identify and maintain a register of their 'critical operations'. These are processes undertaken by an APRA-regulated entity or its service provider which, if disrupted beyond tolerance levels (see below), would have a material adverse impact on its depositors, policyholders, beneficiaries or other customers, or its role in the financial system.
An APRA-regulated entity must, at a minimum, classify the following business operations as critical operations, unless it can 'justify otherwise':
APRA may also require an APRA-regulated entity to classify a business operation as a critical operation.
The new concept of 'critical operations' is similar, although arguably wider than the current requirements applicable to APRA-regulated entities.
APRA-regulated entities are currently required to identify their 'critical business functions' – being their critical business functions, resources and infrastructure. This will be broadened in CPS 230 to require identification of the 'processes' of both the APRA-regulated entity and its service providers. APRA has also included specific examples in CPS 230 to ensure baseline critical operations are consistently captured for each industry.
The concept of 'critical operations' also captures service-provider processes, meaning that these must also be specifically addressed in the institution's BCP. The current requirement in relation to service providers is that an APRA-regulated entity must satisfy itself as to the adequacy of the service provider's BCP and any dependencies between the two.
APRA-regulated entities will be required to set tolerance levels for each critical operation, being:
APRA may require that tolerance levels for critical operations are changed or may set tolerance levels where it identifies heightened risk or material weaknesses.
The new requirement to set tolerance levels is a further shift towards outcomes-focussed regulation. APRA-regulated entities are currently required to undertake an impact analysis of plausible disruption scenarios and the period of time for which the institution could not operate without each critical business operation. However, the new requirements are intended to focus institutions' risk appetite for disruption in respect of all processes as part of their business continuity plans. Failure to meet tolerance levels must be reported to the board under CPS 230.
In draft CPG 230, APRA says that, while the board approves the entity’s overall tolerance levels, senior management are able to set more granular tolerance levels and indicators that would be consistent with, and not undermine, the board-approved levels.
Testing and review
New testing requirements have been included. APRA-regulated entities must have a systematic testing program for their BCP that covers all critical operations and includes an annual business continuity exercise. The program, which must be tailored to the entity's material risks, must test the effectiveness of the entity’s BCP and its ability to meet tolerance levels in a range of severe but plausible scenarios. APRA may also require the entity to test against an APRA-determined scenario.
The scope of the testing requirements has been expanded from its current form (which only requires the institution to 'review and test' the BCP, without any specific requirements as to the testing criteria). These requirements would apply in addition to the current requirements to review and audit the BCP.
APRA-regulated entities would be required to notify APRA as soon as possible and not later than 24 hours after a disruption to a critical operation outside tolerance.
APRA may require an APRA-regulated entity to review and change its tolerance levels for a critical operation.
Although the timeframe (maximum 24 hours) is the same as the current requirements, the trigger for notification to APRA is the disruption to a critical operation outside tolerance, as opposed to when the entity 'experiences a major disruption that has the potential to have a material impact on the institution’s risk profile, or affect its financial soundness'. We do not expect much to turn on this change, but it does allow entities to set tolerance levels that are appropriate for their business operations.
How is this different (to CPS, SPS and HPS 231[2])?
Material service providers and material arrangements
CPS 230 will introduce the concept of 'material service providers'.
Material service providers are those service providers on which the entity relies to undertake a 'critical operation' (see above) or that expose it to material operational risk. They include third parties and related parties deemed to be material because of one or a number of arrangements with the APRA-regulated entity. APRA has also introduced a new concept of 'material arrangements' – being those arrangements on which the entity relies to undertake a critical operation or that expose it to material operational risk.
An APRA-regulated entity must, at a minimum, classify a provider of the following services as a material service provider, unless it can 'justify otherwise':
APRA may also classify a service provider, type of service provider or service provider arrangement, as material.
CPS 230 introduces various requirements related to an APRA-regulated entity's material arrangements that are described further below.
This change represents a shift from the current focus on outsourcing and the materiality of the service being provided (ie the outsourcing of a 'material business activity'), to the materiality of the operational risk posed by the service provider and the relevant arrangement.
Interestingly, CPS 230 does not define a material arrangement by reference to an arrangement with a material service provider. However, in the Response Paper, APRA says that 'only material arrangements with material service providers' are captured. In draft CPG 230, APRA says that 'CPS 230 requires entities to identify material service providers, and to maintain formal agreements for material arrangements with these providers. Not all arrangements with a material service provider will be material to the entity'.
The new definition of material service providers is likely to capture a much wider range of service providers, which APRA states is to reflect the increased reliance on third parties to provide and undertake critical operations, as well as the fact that a service provider arrangement can expose a regulated organisation to a high degree of risk even where the service it is providing may not be critical. That said, APRA-regulated entities will take comfort from APRA's clarification that only material arrangements with those material service providers will be captured by the more onerous requirements in CPS 230.
As with the new business continuity regime, APRA has included a list of service providers in CPS 230 that will be deemed to be captured, to ensure that these are consistently captured for each industry.
Service provider management policy and 'fourth parties'
Regulated entities will need to maintain a board-approved 'service provider management policy' which sets out how they will identify material service providers and manage arrangements, as well as addressing a number of other specific requirements.
One such requirement is that the policy addresses how the entity would manage risks associated with any 'fourth parties' or subcontractors relied on to deliver a critical operation to the APRA-regulated entity. These are downstream service providers in the supply chain.
Although CPS 231 and SPS 231 currently require a policy, the policy content requirements in CPS 230 are broader, given both the definition of material service providers (see above) and the requirement to address 'fourth party' risk.
In terms of fourth parties, CPS 231 and SPS 231 currently require sub-contracting to be addressed in an outsourcing contract, with an indemnity to the effect that any sub-contracting by a third-party service provider is the responsibility of the third-party service provider (and HPS 231 is silent on this). CPS 230 does away with this slightly confusing drafting and instead requires that service providers assume liability for failure of a sub-contractor, and for each APRA-regulated entity to otherwise set its own approach for the management of fourth-party risk.
In draft CPG 230, APRA notes that fourth-party providers may in turn rely on other service providers, which can result in an entity relying on downstream service providers without direct agreements and can impede the ability of the entity to manage risks in its supply chain.
In this scenario, APRA expects that an entity would be aware of, and manage, the risks associated with fourth-party and other downstream service providers for critical operations, including the correlated risk that arises when several of its service providers are reliant on the same fourth party. APRA says that this would typically include due diligence, appropriate contractual provisions to ensure the entity is informed of material fourth parties and appropriate assurance.
Practically, risk management in this regard may include a combination of enhanced due diligence on service providers and other downstream providers that could materially impact the performance of the service, reporting obligations, the inclusion and exercise of rights to audit and test service provider systems, inclusion of service providers in simulations/tabletop exercises, and the continued requirement that third parties remain liable for any acts or omissions of their subcontractors. Of course, how much can be achieved in this respect will depend on commercial negotiations.
Service provider agreements
For all material arrangements, an APRA-regulated entity must maintain a formal and legally binding agreement.
Notably, agreements relating to material arrangements must include: a requirement that the service provider notify the entity of its use of other material service providers that it materially relies upon in providing the service to the APRA-regulated entity (through sub-contracting or other arrangements); an obligation on the service provider to take responsibility for its sub-contractors; force majeure provisions; and termination rights.
Termination provisions for RSE licensees must include the ability for the trustee to terminate the arrangement where to continue it would be inconsistent with the trustee's duty to act in the best financial interests of beneficiaries.
APRA may review and make changes to a service-provider arrangement where it identifies heightened prudential concerns.
CPS 230 is silent as to some of the more prescriptive (but non-contentious) requirements that currently apply under CPS and SPS 231, such as the requirement for the agreement to address pricing, insurance or review provisions.
Instead, APRA's focus has narrowed to the key terms that must be included to address the operational risk brought about by the use of service providers.
An APRA-regulated entity must submit its register of material service providers to APRA on an annual basis and notify APRA:
Material offshoring arrangement means a material arrangement where the service provided is undertaken outside Australia.
The requirement to annually submit a register of material service providers to APRA is new. APRA hopes this will assist it with industry-wide monitoring so it can step in where it sees 'concentration risk' (ie the overuse of a single service provider).
Notifications to APRA where material changes are made (to onshore agreements) or significant change proposed (to material offshore arrangements) are also new. Private health insurers should note that APRA notification timeframes will be shortened to 20 business days (as opposed to the 28 days that currently apply under HPS 231).
Otherwise, APRA has downgraded its oversight of offshoring arrangements. CPS 230 requires entities only to notify APRA prior to entering into such agreements (instead of the current requirement to consult).
APRA says that CPS 230 will 'improve the accessibility and adaptability of the framework, seeking to ensure the prudential rules are easy to understand, find and navigate'. That may be true to an extent, but it is worth noting that other regulatory requirements and guidance relating to operational risk would continue to sit alongside the standard, including CPS 234 (Information Security) and CPS 226 (Margining and Risk Mitigation for Non-centrally Cleared Derivatives), as well as other APRA cross-industry and industry-specific prudential guides.
APRA also notes it is not proposing changes to the operational risk capital for ADIs and insurers at this stage.[3] RSE licensees will remain bound by the requirements of SPS 114 in relation to the operational risk financial requirement. RSE licensees will recall that APRA has conducted consultation on new requirements for the operational risk financial requirement that would result in a replacement of the existing SPS 114. The proposals are contained in APRA Discussion Paper Financial resources for risk events in superannuation (November 2022), which we have summarised here. APRA has stated that consultation on the draft standard and guidance is expected to commence mid-2023. APRA intends to finalise the revised SPS 114 in early 2024 with an effective date of 1 January 2025. It is worth noting that, as part of its new powers under CPS 230, APRA may require trustees to hold additional capital in the form of ORFR where their operational risk management has material weaknesses.
APRA-regulated entities should begin to review their operational risk management processes and arrangements against CPS 230, to scope the changes required and prepare a project timeline. If your organisation provides services to APRA-regulated entities, you should look at understanding the implications of contractual obligations these APRA-regulated entities would need to impose for CPS 230 compliance.
Affected entities may also wish to consider making submissions to APRA on draft CPG 230 (consultation is open until 13 October 2023), and should look out for the release of the final CPG 230.
APRA has stated that it expects to see evidence of meaningful steps to prepare for implementation in 2023 and 2024. It has suggested senior management should identify critical operations and material service providers by mid-2024, and be well positioned to set tolerance levels by the end of 2024. APRA-regulated entities should expect a 'knock on the door' from their APRA supervisor during the implementation period, to assess progress.
To assist APRA-regulated entities (and their counterparties) to prepare, we have prepared Part 2 – Practical Implementation Guide (PDF) which considers CPS 230 and draft CPG 230.
[1] For private health insurers, the business continuity obligations in CPS 230 will all be new. Private health insurers were not subject to the business continuity obligations imposed on financial institutions and RSE licensees under CPS 232 and SPS 232 respectively.
[2] Private health insurers are currently subject to less stringent standards under HPS 231 than those applicable to financial institutions and RSE licensees under CPS and SPS 231. CPS 230 uplifts requirements for private health insurers to the same standard applicable to all APRA-regulated entities. This will notably bring into scope new requirements for private health insurers, such as the requirement to audit service provider arrangements against the entity's service provider management policy.
[3] As set out in Prudential Standard APS 115 Capital Adequacy: Standardised Measurement Approach to Operational Risk for all ADIs other than non-SFIs, Attachment A of APS 110 for non-SFIs, Prudential Standard GPS 118 Capital Adequacy Operational Risk Charge and Prudential Standard LPS 118 Capital Adequacy Operational Risk Charge for insurers, and the upcoming equivalents for private health insurers.