Changes to operational resilience
In its Corporate Plan for 2022-23, the Australian Prudential Regulation Authority (APRA) highlighted its vision of “Protected today, prepared for tomorrow”.
In keeping with this vision, APRA has begun consultation on a new prudential standard designed to strengthen the management of operational risk in the banking, insurance, and superannuation industries.
Actuaries working in risk management need to remain a key part of how an organisation identifies the impact of, and responds to, the proposed changes.
What is changing?
In a consultation package released on 28 July 2022, APRA proposed the introduction of a new cross-industry Prudential Standard CPS 230 Operational Risk Management. The proposed standard will update the requirements for service provider management and business continuity management currently contained in:
- CPS 231 Outsourcing (and the corresponding superannuation standard SPS 231 and private health insurance standard HPS 231); and
- CPS 232 Business Continuity Management (and the corresponding superannuation standard SPS 232).
It is proposed that all five of the above standards will be replaced by the new CPS 230.
The new CPS 230 will apply to all APRA-regulated entities from 1 January 2024.
Why is APRA proposing this change?
In the accompanying Discussion Paper Strengthening operational risk management, APRA notes three key recent trends in the operations of entities it regulates:
- There have been many instances of control failures due to ineffective controls, in addition to some operational risk events beyond the industry's control, such as the COVID-19 pandemic.
- Depositors, policyholders, fund members, and other customers have a low tolerance for disruptions and expect that services will always be available.
- APRA-regulated organisations increasingly rely on service providers, beyond ‘outsourcing’, to provide new services, capabilities, and expertise that extend their offerings to the market.
The new CPS 230 aims to strengthen standards of operational risk management in response to changing business models, lessons from recent years, and developments in global good practice.
To meet these objectives, the new requirements will oblige APRA-regulated entities to:
- implement and maintain effective internal controls for operational risk which are proportionate to their size, business mix, and complexity;
- be prepared and ready to ensure that critical operations remain available to their customers during periods of disruption; and
- effectively manage the risks associated with the use of service providers.
Timeline for the upcoming changes
The closing date for submissions to the consultation is 21 October 2022.
Possible considerations for risk management actuaries
- Ensure that the risk function in your organisation understands what is changing under APRA’s proposals.
- Review internal operational processes and governance to identify how the proposed changes will impact your organisation. Any submission should consider the eight questions listed in chapter 5 of the Discussion Paper, which are intended to support, but not limit, responses.
- Raise internal stakeholders’ awareness of any such impact.
- Garner feedback in time to make any submission your organisation wishes to make to APRA by 21 October 2022.
- Once the prudential standard is finalised, develop an action plan for implementing any required changes within the organisation, clearly recording action items, timelines for completion, and accountabilities.
While the author is an APRA employee, it should be noted that any views and/or opinions expressed in this article are expressed in his capacity as a volunteer for the actuarial profession and do not constitute the statement of APRA’s position on the subject matter covered.
CPD: Actuaries Institute Members can claim two CPD points for every hour of reading articles on Actuaries Digital.