APRA proposes a streamlined set of requirements for Operational Risk Management
In July 2022, the Australian Prudential Regulation Authority (APRA) proposed a new draft prudential standard, CPS 230 (Operational Risk Management) (Standard) and related Discussion Paper, which broadly requires that APRA-regulated entities (Entities) incorporate operational risk management controls and processes into their broader risk management frameworks, in order to effectively manage the full range of operational risks inherent within their relevant businesses.
The draft Standard takes a principles-based, outcome-focussed approach, which aims to assist Entities in preventing operational disruption and increasing resilience, by requiring the implementation of certain operational risk controls, the effective management of third party service provider relationships and the strengthening of business continuity and disaster recovery practices.
The introduction of the draft Standard forms part of APRA’s broader strategy to modernise its prudential framework, in response to changes in the operational risks that Entities face more generally, due to factors including the increased uptake of third party services, increasing global connectivity and resulting cybersecurity risk in the digital economy, as well as disruptions to global supply chains (particularly as a result of the COVID-19 pandemic). Specifically, the draft Standard proposes to replace existing prudential standards:
- CPS/SPS/HPS 231 (Outsourcing) (Outsourcing Standard); and
- CPS/SPS 232 (Business Continuity Management) (BC Standard),
in order that APRA’s requirements and guidance in respect of all areas of operational risk management are housed within a single standard, which will operate alongside the existing CPS 234 (Information Security) (IS Standard).
Submissions on the draft Standard and related Discussion Paper close on 21 October 2022, with the Standard likely to commence on and from 1 January 2024. From this date, the Standard will apply to any renewed arrangements with material service providers, as well as any new arrangements. Although no transitional period is contemplated by the draft Standard, APRA is inviting submissions as to a timeframe by which Entities will need to ensure compliance, which will need to cater for any operational, procedural or contractual changes that Entities may need to make.
Boards and senior management
Previously, accountability for operational risk management within an Entity often rested with the Entity’s risk management function, with the board being responsible for operational risk management in a passive sense. However, the draft Standard proposes to confer ultimate ‘accountability’ for operational risk management on an Entity’s board and to make the board responsible for managing operational risk, approving policies, ‘tolerance levels’ and frameworks, preventing disruption to ‘critical operations’ and ensuring that senior management effectively implements and maintains its operational risk management frameworks.
The draft Standard also increases the level of accountability of senior management in respect of operational risk management, by requiring that boards set out clear roles and responsibilities for senior management and that senior management must:
- regularly report to the board in respect of the efficacy of the Entity’s operational risk controls and general operational risk profile;
- where a board is making decisions that could affect the resilience of critical operations, provide information to the board about the possible impact of those decisions; and
- take action to address any areas of concern related to operational risk.
Operational risk management
Building on the existing requirements of prudential standard CPS 220 (Risk Management), the draft Standard introduces new and enhanced requirements designed to strengthen Entities’ implementation, monitoring and testing of their operational risk management frameworks, including by requiring that Entities:
- understand and constantly monitor their operational risk profile (including in respect of any weaknesses or vulnerabilities) and continually assess the impact of their business decisions on that risk profile, including the impact of new products, services, geographies and technologies, each of which may introduce new and unique operational risks. Entities should gain this understanding through the analysis of operational risk data, the identification of the processes and resources needed for critical operations and scenario analysis of potential operational risk events;
- manage operational risk in accordance with the relevant Entity’s risk appetite, by designing, implementing and embedding into its operations robust operational risk controls commensurate with the size, mix and complexity of the relevant Entity’s business activities (this is similar language to the IS Standard, which requires that an Entity’s information security framework is commensurate with the risks and vulnerabilities of its IT infrastructure and environment). Entities must also regularly review and test these controls, and rectify any weaknesses or vulnerabilities in a timely manner; and
- identify, escalate, record and address operational risk incidents and ‘near misses’ in a timely manner, and report such incidents to APRA (see the Notifications to APRA section below).
Satisfying these requirements will likely mean that Entities need to review their current operations and consider whether any changes need to be made, including in terms of the Entity’s internal processes for the assessment and management of operational risk and the allocation of responsibility for operational risk management oversight. We consider that there could be a material time and resource cost that will need to be borne by Entities in enhancing their internal operations and processes to comply with these requirements.
In respect of business continuity, the draft Standard is broadly similar to, but enhances, the existing requirements of the BC Standard, including by:
- introducing a concept of ‘tolerance levels’, being a threshold of, for example, the amount of disruption to business operations or loss of data that the Entity considers would be tolerable in the event of a disruption to its critical operations – these tolerance levels must be board-approved;
- introducing a concept of ‘critical operations’ and requiring that Entities maintain a register of their critical operations. Critical operations are those which, if disrupted beyond the relevant tolerance level(s) (which might be measured in hours or days), would have a material adverse impact on the Entity’s policyholders, depositors, beneficiaries or other customers, or on its broader role in the financial system; and
- requiring that Entities have in place a board-approved business continuity plan (BCP) that, in addition to being compliant with the existing requirements of the BC Standard, sets out the way that those Entities would maintain critical operations during disruptions and how critical information assets are protected in the event of disasters, and also establishes a review and testing program for the BCP. Entities are also required to submit the BCP to APRA on an annual basis.
Material service providers
Whereas the Outsourcing Standard was primarily focussed on the ‘outsourcing of material business activities’ (the focal point being the activity itself), the draft Standard shifts its focus onto the service providers being engaged by the relevant Entity, creating a concept of ‘material service providers’ – a service provider that an Entity relies on to undertake a ‘critical operation’ or that may expose that Entity to operational risk. The Discussion Paper released alongside the draft Standard provides various examples of the types of services that would be considered material, including those supporting critical operations, risk management functions, technology services and internal audit.
The Outsourcing Standard currently requires Entities to be able to demonstrate to APRA that a proposed outsourcing arrangement was effected pursuant to certain internal procedures (such as board approval, business case and/or a tendering process). However, the draft Standard does not require that the Entity demonstrates anything to APRA. Rather, it requires that an Entity:
- before entering an arrangement with a material service provider, undertakes appropriate due diligence, including an assessment of the financial and non-financial risks associated with the engagement of the relevant service provider; and
- has an appropriate tendering process in respect of the engagement of that service provider.
Further, the draft Standard proposes a number of new requirements in respect of the engagement of material service providers, and the management of Entities’ relationships with them, including that an Entity:
- may not rely on a material service provider unless it can ensure that in doing so, it will be able to meet its prudential obligations and manage the risk that comes with engaging that service provider;
- must maintain, and provide to APRA on an annual basis, a register of material service providers, as well as a service provider management policy that details how service providers are identified as material, and how the Entity’s relationships with those service providers are managed; and
- considers and develops a strategy to manage the risks presented by a service provider’s use of ‘fourth parties’ (e.g. subcontractors), who could themselves be material service providers (including that contracts with material service providers should provide a mechanism whereby the Entity is notified of the service provider’s proposed use of subcontractors).
Generally, the draft Standard takes a less-prescriptive approach than the Outsourcing Standard, which can primarily be seen through the reduction in the number of mandatory requirements for outsourcing agreements as compared to the Outsourcing Standard.
Notification to APRA
The draft Standard imposes new requirements for Entities to notify APRA on the occurrence of certain events, including:
- as soon as possible, but in any event, within 72 hours of becoming aware of an operational risk incident that is likely to have a material impact (including financial impact) on the Entity’s ability to maintain its critical operations. It should be noted that certain operational risk incidents that involve information assets or pertain to information security may trigger reporting obligations under the IS Standard (which notifications must be made in the same timeframe). Where this is the case, a notification made under one standard would satisfy the obligation to notify under the other;
- as soon as possible, but in any event, within 20 business days of entering into, or materially modifying, an agreement with a service provider related to a critical operation;
- prior to the commencement of, or significant change to, any offshoring arrangement with a material service provider; and
- as soon as possible, but in any event, within 24 hours of the activation of the BCP.
Additional APRA powers
The draft Standard also confers a number of additional powers on APRA in order to further its capacity to oversee and enforce compliance with the Standard and Entities’ operational risk management frameworks, including that APRA may:
- require an Entity to hold additional capital;
- direct that certain business functions are deemed ‘critical operations’ or that a service provider be deemed a ‘material service provider’ for the purposes of the Standard;
- if it considers that an Entity’s operational risk management approach contains weaknesses, order independent review and remediation of those weaknesses;
- require an Entity to change its tolerance levels for a critical operation, or set tolerance levels for Entities;
- impose conditions on an Entity’s licence or authorisation; and
- require an Entity to revise its contractual arrangements with a material service provider where APRA has ‘heightened prudential concerns’ about the relevant arrangement.
The task ahead
The draft Standard requires Entities to implement an operational risk management regime that is tailored to the size, business mix and complexity of the relevant Entity, and that covers the full range of operational risks specific to that Entity. Therefore, Entities should approach compliance with the Standard holistically – the policies and procedures implemented to comply with the Standard will need to cover all aspects of the relevant organisation and present a uniform framework for dealing with operational risks.
Accordingly, the effort required to implement such a regime is likely to be significant in terms of both time and resourcing, and Entities should immediately begin to consider how to effectively manage such an implementation. Some of the effort involved in implementing a Standard-compliant operational risk management regime may include:
- revising and uplifting template contracts and existing agreements with material service providers, not only to ensure that those templates and agreements are compliant with the Standard, but also to ensure that where appropriate, material service providers are contractually bound to assist the Entity in complying with the Standard. For example, where an Entity is required to notify APRA of the activation of its BCP, the Entity should ensure that the material service provider is bound to notify the Entity of any events which may require the BCP to be activated, in sufficient time to allow the Entity to satisfy its obligation to notify APRA;
- reviewing existing supplier contracts more generally, to consider whether those suppliers fall within the definition of ‘material service provider’ for the purposes of the Standard (and then conducting the revision and uplift contemplated above);
- the implementation of internal policies, procedures and frameworks (including governance and escalation frameworks) for managing operational risks, that cover all aspects of the relevant business;
- without limiting the above point, the implementation of the required service provider management policy, which should set out the decision-making processes and review cadence for the engagement of material service providers; and
- facilitating internal training for board members and senior management in respect of operational risk management, including education in respect of any relevant policies, procedures and frameworks being implemented.
How can DLA Piper help?
DLA Piper is well-placed to assist you in navigating the raft of requirements proposed by the Standard. We frequently work with APRA-regulated clients and have an intricate understanding of what is required to achieve compliance with APRA standards and regulations. We can assist in the review and uplift of contracts, provision of advice in relation to the classification of material service providers, and assist in the development of internal policies, procedures, frameworks and training initiatives.