Operational risk, cyber risk and climate risk flagged as key areas of focus in APRA's latest Corporate Plan

6 minute read  30.08.2023 Kate Hilder, Siobhan Doherty

The Australian Prudential Regulation Authority (APRA) has released its 2023-24 Corporate Plan.  Our key takeaways are below.


Key takeouts


  • The 'protected today, prepared for tomorrow' themes highlighted in APRA's previous plan have been maintained
  • Protecting the safety and resilience of regulated entities remains a key focus. Within this, the actions identified aim to respond to emerging and accelerating risks – many of which are driven by the pace of technological change
  • Key focus areas for the regulator over the next four years include strengthening cyber resilience and operational resilience (including through implementation of CPS 230, and driving compliance with CPS 234) and stepping up focus on climate risk including embedding climate risk into APRA's Supervision Risk and Intensity (SRI) model 'to require ongoing supervisory assessment of this issue'

Overview

On 28 August 2023, the Australian Prudential Regulation Authority (APRA) released its latest corporate plan covering the four years to 2026-27.

Announcing the release of the plan, APRA Chair John Lonsdale observed that the 'twin themes' of safeguarding the resilience of the financial sector - 'protected today' - and ensuring the financial system is 'prepared for tomorrow' by planning and preparing now for key challenges - remain unchanged from the previous plan.  

However, the regulator's planned priority actions have been amended in response to various challenges identified in the current environment and emerging and/or accelerating risks including (for example):

  • Risks flowing from increased digital interconnectedness including the speed at which a 'bank run' can now occur (as highlighted by the collapse of Silicon Valley Bank earlier in the year)
  • Increased cyber security risks and in particular, 'the escalation of hacks and scams'.  
  • Factors that 'threaten the stability of the financial system' such as rising interest rates, higher inflation and ongoing geopolitical uncertainty
  • The impact of increasingly frequent and increasingly severe extreme weather events on insurance affordability (particularly for those in 'at risk' areas)  
  • 'The expansion of the superannuation pool, which emphasises the need for an efficient and transparent system, good performance outcomes for members and more options for Australians on retirement'.

The plan also responds to the government’s recent Statement of Expectation (2023) of APRA and the Financial Regulator Assessment Authority (FRAA) review.

Four key priorities over the next four years

APRA's updated plan seeks to address the following four key challenges over the next four years.  

1. System-wide risks

APRA observes that:

'Events earlier this year [collapse of Silicon Valley Bank] showed that the interconnected nature of the global financial system means that stress experienced by some American and European banks transmitted rapidly between entities and across borders'.

In response to these challenges, APRA plans (over the next four years) to:

  • Develop a cross-industry stress testing framework to 'explore how shocks to the financial system might be mitigated or propagated by the interactions between the banking, insurance, and superannuation industries'.  
  • Deploy 'macroprudential tools to mitigate risks to financial stability at a system-wide level, whilst continuing to work closely with the Reserve Bank of Australia (RBA)'.  APRA will work with the RBA to both:
    • 'Put in place mechanisms by which the RBA will provide formal advice to APRA on APRA’s use of its macroprudential tools; and
    • Update the Memorandum of Understanding between APRA and the RBA to continue our close cooperation to manage financial stability risks'.  

2. Operational resilience

APRA observes that:

'Risks to operational resilience are heightened for regulated entities in the current operating environment, particularly due to a significant rise in cyber-attacks, the increasing interconnectedness of the financial system, along with greater reliance on unregulated third-party service providers'.

In response, APRA plans to step up its focus on both strengthening operational risk management and cyber resilience.

Operational resilience

Implementation of CPS 230: Aligned with the implementation of recently finalised Prudential Standard CPS 230 Operational Risk Management (CPS 230), which will apply from 1 July 2025, APRA intends to: 

  • 'Heighten expectations on regulated entities to address identified control weaknesses;
  • Increase focus on business continuity and third-party risk management to ensure these risks are managed appropriately; and
  • Engage with industry to improve the way non-financial risk data is collected and used to assess the effectiveness of regulated entities’ operational risk management practices'. 

APRA also expects its work in this area will support action being taken by government and other agencies to reduce the impact of scams on the community.  

Expanding on this point, the need for organisations to ensure their risk mitigation efforts keep up with the rapid pace of technological advances, and APRA's expectations around this, were a headline message in APRA member Therese McCarthy Hockey's recent speech: From fires to firewalls: The evolution of operational risk. Ms McCarthy Hockey commented:

'The challenge we’re now seeing with operational resilience is that not only is the speed of technology and innovation threatening to outpace the ability of businesses to keep up with the risks, but the threat landscape itself is accelerating too.  Countering this will take significant time and investment and – importantly – a new mindset to ensure sustainability of practice.  By setting a target for entities to aim at and a firm date by which to hit it, our new cross-industry prudential standard CPS 230 is designed to light a fire under our regulated entities so they act with the heightened urgency this issue requires'.

Ms McCarthy Hockey made clear that APRA expects organisations to start work now in preparing for implementation of the new standard, emphasising that they should expect APRA to engage with them on their progress in the lead up to the commencement date.

[Note: For our key takeaways from Ms McCarthy Hockey's address see: Governance News 30 August 2023.]

Continued focus on strengthening GCRA: APRA observes that its focus to date on 'organisational resilience has addressed recommendations related to governance, culture, remuneration and accountability' (GCRA) made by the Hayne Commission. APRA considers that the actions implemented already have 'increased the focus of boards and senior managers of regulated entities on the financial outcomes of the community, and sharpened accountability to prevent poor outcomes'. APRA plans to continue this work over the next four years through:

  • Ensuring regulated entities are 'embedding changes to their organisation following risk transformation programs, particularly where an entity has been subject to an operational risk capital charge or licence conditions'
  • Working with the Australian Securities and Investments Commission (ASIC) to implement the Financial Accountability Regime (FAR) (subject to the passage of the necessary legislation to establish the new regime)

[Note: Legislation to introduce the long-awaited FAR - the Financial Accountability Regime (Consequential Amendments) Bill 2023 and Financial Accountability Regime Bill 2023 – is currently before the Senate.  The Senate is not due to sit again until 4 September 2023.  Though the Bills are listed in the latest Senate Notice paper, it is not certain that they will necessarily be considered/passed during the September sittings]

  • Amending Prudential Standard CPS 510 Governance, CPS 520 Fit and Proper and CPS 220 Risk Management to clarify expectations of boards, simplify the prudential framework and reduce regulatory burden 

Strengthening cyber resilience: The plan identifies the following actions to strengthen cyber resilience:

  • 'Act on breaches of Prudential Standard CPS 234 Information Security (CPS 234) to strengthen minimum cyber standards;
  • Ensure regulated entities are taking action to address issues identified in CPS 234 independent assessments; 
  • Assess the effectiveness of boards to oversee actions taken by regulated entities to mitigate cyber risk;
  • Set clear expectations for specific cyber issues where action by regulated entities is needed to adopt better practices; 
  • Intensify data-driven supervision for cyber risk to optimise the use of technical specialists on higher risk regulated entities; and
  • Focus on supervisory crisis preparedness to ensure a coordinated response to unexpected disruption to critical financial services'.

Again, APRA member Therese McCarthy Hockey has separately underlined APRA's expectation that organisations do more to meet the requirements in CPS 234 and, in particular, that boards step up their engagement with, and oversight of, the issue.

Ms McCarthy Hockey cautioned that:

'APRA is rapidly running out of patience with the slow pace of uplift.  Three years after CPS 234 was implemented, and with the backdrop of a growing list of cyber incidents, entities should expect to see APRA taking strong action.  Where an entity is found to be significantly wanting in its compliance with our information security requirements, additional capital requirements of the kind imposed on Medibank may well be a likely outcome'.

3. Climate-related financial risks

The plan identifies the following actions to embed consideration of climate risk into APRA's regulatory approach and gain insights into climate impacts on the financial system: 

  • 'Conduct a Climate Vulnerability Assessment to assess the impact of climate risk on access and affordability of general insurance;
  • Embed climate risk in our Supervision Risk and Intensity (SRI) model to require ongoing supervisory assessment of this issue; and
  • Use existing and new data collections for climate risk to prepare and develop insights on emerging issues and best practices'. 

4. Superannuation – improving member outcomes

The final key priority identified is industry specific – 

'improving superannuation transparency to provide members with enhanced insights about investment performance and increasing APRA’s focus on retirement outcomes'.

In line with this, over the next four years, APRA plans to: 

  • 'Maintain focus on reducing unacceptable product performance by increasing expectations on trustees to close high fee, poorly performing products;
  • Drive trustees to improve member retirement outcomes through targeted supervision of the implementation of the retirement income covenant;
  • Increase transparency of performance across the superannuation industry by releasing new and expanded statistical publications and conducting the annual performance test;
  • Simplify core superannuation requirements in updates proposed to Prudential Standard SPS 515 Strategic Planning Member Outcomes to foster a culture of continuous improvement for trustees; and
  • Assess trustee self-assessments against the strengthened Prudential Standard SPS 530 Investment Governance, particularly in respect of the approach taken by trustees to liquidity management, stress testing, and asset valuation'.

Other industry-specific actions

Banking sector

To ensure the ongoing 'safety and resilience' of the banking sector, and to act on 'lessons learned from recent market disruption', the plan flags the following three actions:

  • 'Risk-based reviews of financial risk and targeted changes to liquidity and interest rate in the banking book prudential requirements to ensure these risks are being managed appropriately; 
  • Incorporate relevant learnings from the Basel Committee’s review of recent banking stress, including consideration of options to improve the effectiveness of Additional Tier 1 capital instruments in Australia; and
  • Engage with the Government, Treasury, and other CFR agencies on reforms to modernise the payments regulatory framework'.

Insurance

Key challenges for the insurance sector highlighted in the plan include:  

  • Ensuring 'insurers are financially strong, with the financial capacity to pay legitimate claims to Australian policyholders' (though APRA notes that the industry 'remains well-capitalised')
  • Responding to profitability and accessibility challenges, which are being driven by increased costs.

Over the next four years, APRA plans to: 

  • 'Address challenges in the reinsurance market for general insurers by reviewing prudential requirements for reinsurance to ensure they remain fit for purpose;
  • Maintain focus on the sustainability of individual disability income insurance policies offered by life insurers, particularly in respect to prudential expectations related to governance, strategy, product design and data; and 
  • Intensify focus on operational resilience for private health insurers, with activities targeted towards cyber resilience and third-party supplier risks for critical outsourced functions'. 

Lifting APRA's internal capability

The plan also highlights a number of actions aimed at strengthening 'the key enablers that support our [ie APRA's] primary functions as a prudential regulator to drive the evolution of the organisation'.  Namely:

  • Continuing work on Modernising the Prudential Architecture (MPA)
  • Transforming the way technology and data is used to better 'enable data driven risk-based supervision, improve insights and transparency, and streamline the data collection process'
  • 'Cultivating an agile and engaged organisation to ensure that we remain fit for the future'

[Sources: APRA media release 29/08/2023; APRA Corporate Plan 2023-27]

https://www.minterellison.com/articles/key-takeaways-from-apra-corporate-plan-2023-24