CPS230: Reducing the Operational Risks Facing Financial Institutions in Australia

Ongoing digital transformation, the global interconnectedness of markets, and the increased use of third-party service providers have introduced complexities to risk management efforts at financial institutions. To address potential threats to critical operations, the Australian Prudential Regulation Authority (APRA) released the Prudential Standard CPS230 Operational Risk Management (“CPS230”) on 17 July 2023. It replaces CPS 231 Outsourcing, CPS 232 Business Continuity Management, and SPS 231 Outsourcing, and addresses weaknesses that APRA observed as part of its prudential supervision, including a rise in operational risks due to ineffective controls and reliance on third-party service providers.

The new standard aims to strengthen the oversight of operational risk, improve the response to potential business disruptions, and manage the exposure associated with the use of third-party service providers. When it takes effect on 1 July 2025, it will apply to all APRA-regulated entities (“entities”), including banks, insurers (general, life, and health), and registrable superannuation funds. APRA continues to stress that entities must be proactive in preparing for implementation.

Protecting an Organization

Operational risk refers to the possibility of loss resulting from inadequate or failed internal processes, systems, or policies. While generally considered a subset of Enterprise Risk Management, which seeks a balance between risk and reward, Operational Risk Management focuses on protecting an organization from adverse events. The goal is to zero in on the risks that can have the biggest negative impact on an organization and to hold employees accountable for minimizing any disruption.

Driving Operational Resilience

Entities will need to manage their full range of operational risks. This is a broad concept that includes (but is not limited to) legal, regulatory, compliance, conduct, technology, data, and change management risk. Regular risk assessments must be conducted to identify potential threats and vulnerabilities to information assets. This involves evaluating the likelihood and potential impact of risks and taking steps to ensure they are mitigated. CPS230 also mandates a culture of continuous improvement, calling for entities to regularly review and enhance their information security measures to adapt to changing threats and technological advancements.

An entity’s approach must be appropriate for its size, business mix, and complexity and include steps to:

  • Identify, assess, and manage operational risks, with effective internal controls, monitoring, and remediation in place.
  • Continue to deliver critical operations within tolerance levels through severe disruptions, with a credible business continuity plan (BCP).
  • Effectively manage the risks associated with material service providers, with a comprehensive service provider management policy, formal agreements, and robust monitoring.

Implementing and maintaining robust security controls is crucial. This should include access controls, data encryption, network security, incident response, and more.

Governing Effectively

Ensuring strong governance and oversight is a key requirement of CPS230. While APRA gives entities the flexibility to guide their own decisions, they are required to develop and maintain an overarching framework to manage information security risks. This includes defining roles and responsibilities, setting clear policies and procedures, crafting business continuity plans, and ensuring oversight and accountability at all levels. Entities must also provide awareness programs and training for staff, so they understand their roles and responsibilities in maintaining information security.

Managing Third-Party Providers

The increasing prevalence of third-party relationships has introduced additional complexities to risk management. In the Australian banking industry, third-party providers have been used to enhance operational capabilities and drive innovation. While these relationships offer specialized expertise and scalability, many providers have access to sensitive information, such as customer and banking data, and can expose organizations to a multitude of risks, notably cyber-attacks.

CPS230 expands the requirements for entities to assess and manage the risks of material third-party (and even fourth-party) service providers, defined as any firm that is relied on for critical operations or that exposes an entity to material operational risk. Oversight involves due diligence in selecting providers, setting security expectations through contracts, and monitoring on an ongoing basis to ensure compliance with the provisions within the regulation.

Taking Action

CPS230 aims to foster a risk-aware culture, creating an environment that strengthens risk management behaviors. Success will require broader thinking that breaks down functional silos to look at end-to-end workflows and processes across an organization. This will entail a significant effort, and steps need to be taken now to be in compliance for 2025.

KY3P® is S&P Global's comprehensive Third-Party Risk Management solution that effectively addresses the core elements of APRA's CPS230 requirements. Built upon a robust methodology, KY3P offers a diligent and meticulous approach to effectively manage third-party risks. The KY3P methodology is developed in close collaboration with an esteemed user community, ensuring a consistent and industry-aligned approach.

KY3P offers flexible tools tailored to individual requirements, including continuous monitoring of third-party vendors, customizable due diligence questionnaires, and comprehensive assessments. Additionally, it provides validated data that supports risk-based decision-making, enabling organizations to assess suppliers at varying levels of criticality.

By leveraging KY3P, businesses gain invaluable insights that strengthen their day-to-day operations. Organizations can embed resilience into their core practices, ensuring regulatory compliance, identifying potential threats and vulnerabilities, and proactively planning for the impact of emerging risks.

Click here for more information on KY3P.
