
APRA releases new operational risk standard amid rise in cyber breaches

The new prudential standard will apply to super funds, banks, and insurers.

by Jon Bragg
July 17, 2023

The Australian Prudential Regulation Authority (APRA) is seeking to strengthen the management of operational risk across Australia’s superannuation trustees, banks, and insurers through the introduction of a new prudential standard.

On Monday, the regulator confirmed it had finalised Prudential Standard CPS 230 Operational Risk Management (CPS 230), which sets out new rules to ensure that APRA-regulated entities are able to better manage operational risks and respond to business disruptions.

The introduction of CPS 230 follows major cyber attacks and data breaches in Australia in recent times, including against health insurance giant Medibank last October.

“The need for APRA’s new standard has been demonstrated by a number of recent operational risk control failures and disruptions, including material cyber breaches,” APRA chair John Lonsdale said in a statement.

“This new standard will ensure that regulated entities set and test controls and maintain robust business continuity plans to respond if disruptions do occur.”

Under CPS 230, regulated entities must effectively manage their operational risks while setting and maintaining appropriate standards for conduct and compliance.

“An APRA-regulated entity must identify, assess, and manage operational risks that may result from inadequate or failed internal processes or systems, the actions or inactions of people or external drivers and events. Operational risk is inherent in all products, activities, processes and systems,” the regulator said.

According to APRA, entities must maintain critical operations “within tolerance levels” during severe disruptions and have a credible business continuity plan in place.

“An APRA-regulated entity must, to the extent practicable, prevent disruption to critical operations, adapt processes and systems to continue to operate within tolerance levels in the event of a disruption and return to normal operations promptly once a disruption is over,” the regulator explained.

Additionally, CPS 230 requires that APRA-regulated entities effectively manage the risks associated with using service providers, including by having a comprehensive service provider management policy, formal agreements, and robust monitoring.

“An APRA-regulated entity must not rely on a service provider unless it can ensure that in doing so it can continue to meet its prudential obligations in full and effectively manage the associated risks,” APRA stated.

CPS 230 originally went up for industry consultation in July last year, with the regulator receiving 62 submissions in response.

APRA said that these submissions were “generally supportive” but noted that some had called for greater clarity and guidance in certain areas, while also highlighting potential unintended consequences and practical difficulties regarding implementation.

In response to this feedback, the final CPS 230 incorporates a number of changes, including deferring the commencement of the new standard from January 2024 to July 2025.

“We expect regulated entities to be proactive in preparing for implementation, rather than waiting until the last minute to get ready to meet the new requirements,” said Mr Lonsdale.

“There will be a transition phase for existing contractual arrangements with material service providers for entities that need some flexibility,” the APRA chair added.

APRA has also published the draft Prudential Practice Guide CPG 230 Operational Risk Management to assist entities with the implementation of CPS 230.

According to the regulator, the board of an APRA-regulated entity is “ultimately accountable for oversight of an entity’s operational risk management” including in relation to business continuity and the management of service provider arrangements.

“The board must ensure that the APRA-regulated entity sets clear roles and responsibilities for senior managers for operational risk management, including business continuity and the management of service provider arrangements,” APRA said.

In its draft guide, the regulator noted it had observed that boards were not consistently provided with important information on operational risk when making strategic decisions.

After more than two decades, InvestorDaily continues to be an institution that connects and influences Australia’s financial services sector. This influential and integrated media brand connects with leading financial services professionals within superannuation, funds management, financial planning and intermediary distribution through a range of channels, including digital, social, research, broadcast, webcast and events.

© 2025 All Rights Reserved. All content published on this site is the property of Prime Creative Media. Unauthorised reproduction is prohibited
