Risk management framework
CPS 230 imposes a binding requirement upon each APRA-regulated entity to adopt an operational risk management approach that is 'appropriate to its size, business mix and complexity', and this has not changed. However, the earlier draft guidance had sought to illuminate this concept by providing a range of examples about what might constitute 'better practice', or 'best practice', or what 'a prudent entity' might do.
Many submissions to APRA raised concerns about how the proportionality concept should be applied in practice – for example, whether APRA expected all APRA-regulated entities to aim for the 'best/better practice' recommendations; or whether these recommendations were only intended to apply to the largest and most sophisticated businesses. In response, APRA has removed almost all of those recommendations from the final guidance, in favour of three streamlined principles:
- CPS 230 is the baseline which applies to all APRA-regulated entities;
- significant financial institutions should have stronger practices, commensurate with their size and complexity; and
- all APRA-regulated entities should 'mature their practice over time', in line with their operational risk profile and their role in the financial system.
We expect that some businesses will enjoy the freedom of choosing their own adventure (at the risk of receiving an APRA direction if they get it wrong); but many will be disappointed that the guidance does not otherwise shed much light on the inherent ambiguity of the proportionality principle.
Roles and responsibilities
Many submissions to APRA raised concerns that the consultation draft was overly prescriptive in seeking to outline the responsibilities of Boards and senior management in relation to operational risk management. In particular, a number of submissions questioned whether APRA expected Boards to become involved in day-to-day operational risk matters (e.g., control testing), and whether these expectations might undermine good governance by preventing Boards from adopting effective delegation frameworks.
Helpfully, APRA has streamlined the guidance to remove much of this prescriptive detail – and in practice, we expect this will give Boards and senior managers confidence and flexibility to develop a proportionate approach that is consistent with their size, complexity and existing governance frameworks. In essence, the guidance is now more closely aligned with orthodox principles of good governance, including the (relatively uncontroversial) propositions that:
- Boards should clearly understand who within their organisation is responsible for each aspect of operational risk management, and have reasonable assurance that there are no gaps in responsibilities;
- delegation, reporting and escalation processes should be clear and documented;
- senior management should provide targeted and timely information to the Board, so the Board is equipped to make effective decisions;
- Boards may delegate to senior management the ability to approve lower-level policies that are aligned with Board-approved policies; and
- the Board's role is primarily to:
- oversee the operational risk profile;
- ensure that operational risks outside of appetite are promptly addressed;
- oversee the effectiveness of key internal controls;
- be informed of material weaknesses and major remediation projects;
- understand material operational risks arising from new ventures; and
- ensure internal audit provides assurance, and has the appropriate capability to do so.
More curious, however, is the new expectation that the Board, in approving the BCP and overall tolerances for the disruption of critical operations, must ensure that the BCP aligns with its tolerances. We assume this simply means that the BCP needs to be designed in a way which supports the continuance of critical operations within the approved tolerance levels – although it is not clear why this is specifically called out as a Board responsibility (and whether or not it can be appropriately delegated to a subcommittee or senior management).
Operational risk management
The consultation draft included a lot of detailed commentary regarding APRA's expectations in relation to specific risk management matters such as risk assessments, process mapping, control effectiveness, control testing, control remediation and scenario analysis. Some submissions to APRA queried whether this meant that APRA-regulated entities were expected to adopt specific operational risk management structures, and noted this may add significant cost and complexity (particularly where the APRA expectations did not align with an entity's existing structures for managing other kinds of risk).
APRA has responded by significantly streamlining this section of the guidance, with the overall effect being that many of the prescriptive risk management matters have now been removed. What remains are some general principles, many of which have been simplified or restated from the consultation draft. These include recommendations that APRA-regulated entities should:
- understand how their critical operations are delivered during business-as-usual, and maintained during disruptions;
- have documented and up-to-date processes as part of their operational risk management framework;
- regularly update their risk profile in response to changing strategy, risk environment or business mix;
- design, implement and embed effective internal controls (which, to the extent possible, minimise the likelihood and impact of disruptions, particularly to critical operations);
- separate the teams which are responsible for operating those controls from the teams that test the controls;
- consider APRA's checklist of recommendations for monitoring, reviewing and testing the effectiveness of controls;
- identify, escalate and rectify any gaps, weaknesses or failures in a timely manner;
- have mechanisms in place to manage all stages of an operational risk incident (including detection, escalation, containment, response, and review);
- conduct root cause analysis and remediation of operational risk incidents;
- consider 'tactical responses' in the near-term, followed by 'strategic solutions' over the longer term to mitigate operational risk;
- avoid extended delays or unwarranted extensions to incident closure targets; and
- record all incidents and near-misses.
Helpfully, the guidance also clarifies that where an entity determines that one of the business operations prescribed by APRA in CPS 230 is not in fact a critical operation in the context of that particular entity, there is no need to provide any justification to APRA unless APRA expressly requests it. However, the expectation that such decisions would be approved by a FAR Accountable Person has been maintained.
Business continuity
APRA's guidance in relation to business continuity remains largely unchanged. However, there have been a number of noteworthy modifications, generally characterised by removal of best practice and granular guidance.
- Register of critical operations – APRA has maintained the position that an entity's register of critical operations would typically include the name of the critical operation, description of the critical operation and tolerance levels for disruption. However, the final guide now indicates that entities should also include the material service provider arrangements supporting the critical operation.
APRA has also removed its view that it is better practice for business continuity management to be approached across the whole of business and that business continuity outcomes are typically better when business continuity and disaster recovery processes are aligned.
- Tolerance levels – APRA's position remains unchanged regarding the considerations an entity should make when setting and reviewing tolerance levels. This includes the impact on its customers and stakeholders, financial and reputational impact on the entity as well as the broader financial system, legal or regulatory requirements and recovery objectives.
However, the final guidance no longer includes the expectation for entities to set and 'regularly reassess tolerance levels'. Instead, APRA expects that entities will reassess tolerance levels as they learn lessons from actual disruptions, testing, scenario analysis and evolution in industry practices.
APRA has maintained the three types of tolerance: maximum period, maximum data loss and minimum service levels. The factors to be considered in setting these tolerances have mostly remained unchanged. However, APRA has removed the expectation that recovery time objectives are typically less than the maximum allowable outage. APRA also no longer expresses the view that it is sound practice to accept that there are scenarios where data can be lost and that maximum data loss should never be set at zero.
- Maintaining the BCP – The final guidance maintains that a business continuity plan (BCP) should cater to all stages of disruption to critical operations. APRA's position also remains that an entity may maintain one or more BCPs and that it is useful to link the BCP and any other management plans.
The final guide has removed the expectation for BCPs to be 'practical, concise and easy to action' and for it to be sufficiently detailed so that execution does not rely on the knowledge of individual staff. APRA has also removed its guidance surrounding BCPs that involve the use of alternative locations for the delivery of critical operations.
- Testing the BCP – APRA has maintained the expectation that regulated entities should conduct 'systematic' testing of BCPs that would typically occur over a multi-year cycle. Interestingly, the final guide no longer contains the considerations an entity should make when designing a testing program, specifically in relation to the use of simulation techniques or maintaining security during the testing process.
APRA's position remains that test results and execution of findings should be reported and reviewed by the Board. The final guide has also maintained guidance surrounding what should be included in the reports on BCP tests, which include:
- the scope, including the critical operations included (and excluded) and the specific tolerance levels tested;
- what was demonstrated by the test, including whether tolerance levels were met; and
- any issues raised, root causes and required remediation.
APRA expects entities that rely on material service providers to confirm those providers also maintain robust BCP testing.
- Updating the BCP – APRA has maintained that BCPs should be informed by results of testing, internal audit findings and lessons learned from actual business disruption.
- Auditing the BCP – APRA's final guide maintains that internal audit is an important vehicle for assurance and that the Board may consider seeking assurance through expert opinion. However, APRA has removed guidance that these assurances typically occur where the required skills do not reside within internal audit.
APRA has also kept the expectation that an audit program would typically assess all aspects of business continuity capability over time and that additional assurance projects could be triggered by changes to the entity. The final guide no longer expects entities to assess the scope and quality of the testing conducted, where an internal audit relies on control testing performed by other areas of the business.
Material Service Providers (MSPs)
A number of key changes have been made to APRA's guidance in relation to material service provider management, which was to be expected given this has been one of the more contentious areas of the reforms and an area which no doubt will continue to evolve as implementation progresses.
- MSPs in scope – The factors that should be considered in determining which service providers are material have been removed. The guidance on the prescribed list of service providers has also changed: rather than stating that entities should not rely solely on the list to identify material service providers, the final guide now describes the list as a starting point.
Helpfully, the final guide also provides clarification that arm's length transactions and intermediation are not intended to be caught unless the service provider undertakes a critical operation on behalf of the regulated entity or exposes it to material operational risk, citing examples of the purchase of reinsurance and intermediation by insurance brokers as not automatically being in scope.
Unfortunately, the guidance leaves a number of questions in relation to the identification of material service providers unresolved, including what constitutes 'underwriting' or 'core technology services'.
- Rebutting the prescribed list – APRA's guidance has changed in relation to the justification for excluding service providers in a class on the prescribed list, now saying this must be done by a FAR accountable person (previously a senior management equivalent was also contemplated). Annual review continues to be required, although the guidance now provides that the reasons for the decision do not need to be provided to APRA unless requested.
- Fourth parties – The expectation that regulated entities will manage the risks associated with fourth parties and other downstream service providers has been removed, including:
- the example measures of undertaking due diligence to identify material fourth parties, contractual provisions to ensure the regulated entity is informed of material fourth parties, and assurance from service providers that they have the capability to manage fourth parties; and
- best practice guidance requiring service providers to undertake appropriate monitoring of risks managed by fourth parties.
The sole remaining reference to fourth parties is that reasonable steps should be taken to list those involved in the delivery of a critical operation in their MSP registers.
CPS 230 itself still requires regulated entities' service provider management policies to include their approach to managing the risks associated with any fourth parties that MSPs rely on to deliver a critical operation.
In its response to the consultation, APRA indicates that the changes in relation to fourth parties have been made to address concerns around the commercial difficulty the draft guidance posed and the extent of APRA's expectations. However, query the extent to which all, or at least some, of the specific examples of risk management measures that have been removed from the guidance will still be necessary to meet this requirement and to include material fourth parties in the service provider register.
- Aggregate cohorts – APRA's position remains unchanged that the operational risk associated with a cohort of service providers should be managed by the regulated entity where the aggregate impact of those providers is material, despite each not meeting this threshold individually. However, clarification has been provided that this means the regulated entity should have additional processes and controls to satisfy itself that the aggregate risk of the cohort is being monitored and managed, not that each service provider in the cohort should be identified as material.
- MSP register – The final guide now includes an outline of APRA's expectation of the content of material service provider registers and also indicates that APRA will be providing a template.
APRA acknowledges the industry concern in relation to having to identify all of a regulated entity's providers, and this has been removed from the final guide. APRA instead encourages regulated entities to first identify their critical operations as a way of narrowing the identification exercise.
APRA has also outlined its request that the first material service provider register be submitted to it by 1 October 2025.
- Service provider management policies – There is no change to the list of matters APRA expects a service provider management policy to include. However, similarly to the register, the suggestion that the policy should also include non-material service providers has helpfully been removed.
The final guide no longer refers to the periodic evaluation of the effectiveness of service provider management policies which the draft suggested could be undertaken through a review of service provider performance, audit results or independent review. However, these policies will still require some form of review in order to satisfy the requirements under CPS 230 itself to 'maintain' such policies and also to review the effectiveness of internal risk management controls generally.
- MSP agreements – APRA's position remains unchanged that not all arrangements with material service providers will be material, clarifying that the relevant materiality is that underpinning the standard, i.e. reliance on the provider to perform critical operations and exposure to material operational risk.
The final guide no longer sets out any expectations in relation to the types of provisions which APRA would expect to be included in agreements with material service providers. Similarly to the predecessor Prudential Practice Guides to CPS 231 Outsourcing, the draft contained details in relation to documenting service levels, liability and indemnities, and transition arrangements on termination. No specific explanation for these omissions is provided in the response to submissions; such provisions arguably remain prudent to include, particularly where they are relevant to the minimum content requirements for such agreements and the other obligations which CPS 230 itself prescribes.
- CPS 900 future-proofing of MSP agreements – In order to comply with Prudential Standard CPS 900 Resolution Planning, regulated entities may be required to amend contracts with service providers to make critical functions 'resolution resilient', that is, to ensure the contract remains on foot and essential services can continue in the event APRA exercises any of its resolution powers. While not addressed in the final guide itself, in its response to submissions APRA suggests it may be efficient for regulated entities to include any necessary CPS 900 amendments during their CPS 230 negotiations, to avoid having to make further amendments in future.
- Managing the risks of MSPs – The final guide suggests regulated entities should proactively manage risks in relation to material arrangements, including ensuring their own BCPs address these risks and ensuring the service providers' own BCPs are similarly robust.
This is a significant departure from the draft guide, which suggested that better practice would be to reach further into service providers by requiring the providers to have their own framework which effectively mirrors the CPS 230 requirements and includes controls to the same level of detail and to the same standard, with a view to consistency of process mapping.
- Assessing the risk of service providers – There are no substantive changes to the matters which APRA expects regulated entities to take into account when assessing the risk of engaging an MSP, including the additional factors which should be considered when assessing a service provider in another jurisdiction.
However, the final guide now states that internal audits should review any proposed outsourcing of critical operations which are currently performed in-house and should have the capacity and capability to do so.
- Monitoring MSPs – The list of matters that APRA expects should be monitored in relation to MSPs has been reduced, largely to de-duplicate content between the final guide and with CPS 230 itself. However, notable omissions include specificity around service delivery locations, key personnel and use of fourth parties, as well as emerging risks and the ongoing viability of the service provider.
Unlike the draft, the final guide does not include suggestions in relation to monitoring controls which included formal reporting, interviews, surveys, testing, certifications, contractual review, attestations and independent reviews.
- Non-APRA-regulated subsidiaries – While not in the final guide itself, APRA has clarified that CPS 230 does not apply directly to group entities that are not APRA-regulated. However, APRA does point out that heads of groups are required to apply CPS 230 throughout the group and that where a subsidiary is material, APRA expects that CPS 230 would be applied to the entire entity unless the regulated entity can justify a different approach.
- Reliance on other parts of the same legal entity – Also not in the final guide itself, in its response to submissions, APRA has clarified that services provided by another part of the same legal entity as the regulated entity are not considered MSPs. However, an appropriate risk assessment would still be conducted and service level agreements or other mechanisms adopted that would allow for the identification of issues and other matters impacting the services.
Contact us to learn more about how MinterEllison can support your journey to CPS 230 compliance.