Navigating CPS 230: What Australian firms can learn from overseas
6 min read 29 September 2024
With less than 12 months remaining until CPS 230 comes into effect, Australian financial services firms should now be busy preparing their organisations for the impending changes. There are some significant activities to be carried out to ensure a smooth transition and mitigate any potential disruptions.
At Baringa, we've been at the forefront of operational resilience since 2018, guiding our clients through the complexities of compliance and regulatory change in the UK, Europe, US and here in Australia.
The experiences of UK and EU financial institutions can provide insights into best practices and likely challenges. There are valuable lessons to be learned from organisations of similar sizes and complexities overseas that have navigated frameworks like the UK’s Operational Resilience and Outsourcing & Third Party Risk Management frameworks, as well as the EU’s Digital Operational Resilience Act (DORA). This is in addition to existing regulations around conduct risk, business continuity and third-party risk that firms were already subject to.
After consulting with industry leaders in the UK and EU, we’ve identified key lessons to help Australian entities avoid common pitfalls in critical operations as they prepare for CPS 230.
1. Identify critical operations
The concept of critical operations is at the heart of CPS 230. Identifying the right critical operations for your business is the first step to successful implementation.
Avoid defining your critical operations too narrowly, too broadly or in too much detail.
Striking a balance when defining critical operations is key. Too narrow a definition risks a firm failing to fully understand and mitigate the impact of disruption. Conversely, too broad a scope can pull in many operations, making it difficult to set associated tolerance levels and placing an undue burden on the firm to recover more than is required in the event of disruption.
At the same time, keep in mind that while operations, value chains and process maps are interconnected, they are not the same thing. You don’t need to map your processes down to the task or activity level just because your service provider suggests you should.
Document and challenge your definitions of critical operations
Firms should create a template to consistently document why an operation is critical, considering factors like time sensitivity, substitutability and the impact on clients. Your ‘Second Line of Defence’ (2LOD) should challenge whether operations determined as critical would genuinely have a material adverse impact if disrupted.
2. Map key resources, assets and data
Focus on identifying key resources essential to the critical delivery path
Rather than mapping everything, it is important for firms to clearly identify their key resources on the critical path of delivery.
When mapping data, consider the technology infrastructure and whether the data sits in a single or multiple locations
A common challenge organisations face is mapping data: reliance on multiple legacy systems often leaves data dispersed across many locations. As part of your mapping, record for each data set whether it is held in a single location or across several, since that determines both where a disruption can originate and what has to be recovered.
Another common oversight is neglecting the technical infrastructure behind applications. To ensure resilience, consider the entire technology ecosystem supporting critical operations, not just the application layer.
3. Map risks and controls
When mapping key resources, it’s crucial to account for interdependencies, associated risks, obligations and controls. This becomes increasingly complex in environments with sprawling risk management processes and legacy controls.
Use consistent process taxonomies to support critical operations
Aligning Risk and Control Self Assessments (RCSAs) to processes rather than functions can support your understanding and management of risks relating to critical operations. However, this approach depends on having a single, consistent process taxonomy and a clear articulation of the processes supporting a critical operation, against which risks and controls can be mapped.
Clean up your control library
Like the mapping of resources, it’s essential to clearly distinguish key controls. However, work is often required to clean up the control library before the risks and controls can be mapped. This entails removing duplicative controls, ensuring control descriptions are clear and accurate, and educating the ‘First Line of Defence’ (1LOD) to ensure risks are properly understood for appropriate control tagging.
4. Set and test tolerance levels
When setting tolerance levels under CPS 230, it is essential to define acceptable thresholds for operational resilience and recovery. These levels ensure critical operations can continue or be restored within an acceptable timeframe, aligned to regulatory requirements and organisational objectives.
Clearly distinguish ‘material adverse impact’ from non-material impact
Start by defining what ‘material adverse impact’ means, versus ‘adverse impact’ or ‘inconvenience’, and what this means for depositors, policyholders, customers and the financial system. Failing to do so risks defining your tolerance levels too tightly. Establish a robust framework to calibrate when a material adverse impact occurs for each critical operation.
Consider variance in levels of impact for different customers, transactions, and time periods.
For each critical operation, you must establish tolerance levels for the maximum acceptable time and data loss during a disruption, as well as the minimum level of service to be maintained. It's important to recognise that the impact of disruption and tolerance level may vary by client, transaction, or time of day. For example, mobile banking access issues affect everyday depositors differently than home loan borrowers, and loan origination disruptions may have greater effects on weekdays compared to weekends.
Implement a comprehensive testing program for operational resilience
Disruptions ripple and overlap, so critical operations should be tested together rather than in isolation. While larger financial institutions may have established testing capabilities, testing can be daunting for institutions that do not yet have internal scenario analysis and stress testing capabilities in place.
Firms should start testing early to identify vulnerabilities, refine their response strategies, and ensure their systems and processes comply with CPS 230 and APRA’s enhanced expectations for scenario analysis and stress testing. As part of this, firms should leverage existing testing activities performed for business continuity, disaster recovery and IT security purposes. They should also consider where this testing may need to be extended to fully assess their ability to remain within tolerance levels for their critical operations.
5. Manage service providers
Understand how your material service providers are managing sub-outsourcing relationships
To ensure CPS 230 compliance, having a clear strategy to manage fourth-party risk is essential. Firms must understand their material service provider relationships and how these providers support critical operations, including any sub-outsourcing relationships. It’s not enough to simply list your fourth parties; you need to grasp the dependencies they bring.
While collecting data on sub-outsourcing providers is important for assessing concentration risk, the primary emphasis should be on ensuring that your material service providers have robust processes and controls to manage these relationships. Moreover, it’s vital to include contract provisions that allow you to approve sub-outsourcing arrangements.
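The mapping in section 2 and the fourth-party point above are easier to reason about as a dependency graph: each critical operation depends on applications, data, people and material service providers, and those providers in turn depend on sub-outsourced fourth parties. The following is an added illustration, not Baringa’s method or a CPS 230 artefact; every operation, provider and fourth-party name in it is constructed sample data. It walks the graph to list the resources on a critical operation’s delivery path, surfaces fourth parties that sit behind more than one ‘independent’ material provider (concentration risk), and shows which resources are shared across critical operations, which is why those operations need to be tested together rather than in isolation.

```python
"""Dependency mapping for critical operations (constructed example).

Edges point from a thing to what it depends on. All names below are
made up for illustration; they are not a real firm's mapping.
"""
from collections import defaultdict, deque

# Node types are kept separately so the traversal stays generic.
NODE_TYPES = {
    "Retail payments": "critical_operation",
    "Loan origination": "critical_operation",
    "Payments engine": "application",
    "Core banking": "application",
    "Customer data store": "data",
    "Payments ops team": "people",
    "CloudCo": "material_service_provider",
    "PayProcessor": "material_service_provider",
    "DocVendor": "material_service_provider",
    "DataCentreX": "fourth_party",
    "FraudFeedCo": "fourth_party",
}

# "X depends on Y" edges, including each provider's sub-outsourcing.
DEPENDS_ON = {
    "Retail payments": ["Payments engine", "Payments ops team", "Customer data store"],
    "Loan origination": ["Core banking", "Customer data store", "DocVendor"],
    "Payments engine": ["CloudCo", "PayProcessor"],
    "Core banking": ["CloudCo"],
    "Customer data store": ["CloudCo"],
    "CloudCo": ["DataCentreX"],
    "PayProcessor": ["DataCentreX", "FraudFeedCo"],
    "DocVendor": ["DataCentreX"],
}


def transitive_dependencies(start, depends_on=DEPENDS_ON):
    """Every node reachable from `start`: the resources on its delivery path."""
    seen = set()
    queue = deque(depends_on.get(start, []))
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(depends_on.get(node, []))
    return seen


def critical_path_by_type(operation, node_types=NODE_TYPES, depends_on=DEPENDS_ON):
    """Group an operation's dependencies by resource type, as a mapping template would."""
    grouped = defaultdict(set)
    for node in transitive_dependencies(operation, depends_on):
        grouped[node_types.get(node, "unknown")].add(node)
    return {kind: sorted(nodes) for kind, nodes in grouped.items()}


def fourth_party_concentration(node_types=NODE_TYPES, depends_on=DEPENDS_ON):
    """Fourth parties relied on (directly or via sub-outsourcing) by two or more
    material service providers. One outage there hits several suppliers at once."""
    providers = [n for n, t in node_types.items() if t == "material_service_provider"]
    usage = defaultdict(set)
    for provider in providers:
        for dep in transitive_dependencies(provider, depends_on):
            if node_types.get(dep) == "fourth_party":
                usage[dep].add(provider)
    return {fp: sorted(ps) for fp, ps in usage.items() if len(ps) > 1}


def shared_dependencies(operations, depends_on=DEPENDS_ON):
    """Resources on the path of every listed critical operation. Disrupting one
    affects all of them together, which isolated testing would not reveal."""
    paths = [transitive_dependencies(op, depends_on) for op in operations]
    return sorted(set.intersection(*paths)) if paths else []


if __name__ == "__main__":
    print(critical_path_by_type("Retail payments"))
    print(fourth_party_concentration())
    print(shared_dependencies(["Retail payments", "Loan origination"]))
```

Run against the constructed data, the concentration check reports that DataCentreX sits behind all three material providers, which a plain list of fourth parties would show but a per-provider due-diligence file would not; the shared-dependency check reports that CloudCo, the customer data store and DataCentreX are on the path of both critical operations, so a scenario that takes out one of them must be tested against both operations at once.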
Implement ongoing monitoring of material service provider risks
A frequent pitfall we observe in our work is the tendency to focus on due diligence solely at the point of onboarding. Monitoring and managing material service providers needs to extend beyond the contracting stages. Firms should ensure they have robust processes to continuously monitor their service providers and ensure the quality of their controls and processes is up to standard. This proactive monitoring can support decisions on re-negotiating contracts and, ultimately, exiting a service provider relationship if it no longer meets the agreed requirements.
Ensure comprehensive exit planning throughout the contract lifecycle
Exit planning should be considered throughout the life of the contract to mitigate risks and ensure a seamless transition of services, rather than only being considered at the point of triggering an exit. As part of the upfront risk assessment and due diligence, firms should consider alternate service providers, the impact of disruption to the service provider and ensure the provider’s business continuity plans are sufficient to support a smooth exit. Contracts should define clear terms for termination of the contract and define clear obligations and responsibilities in the event of an exit, including during any transition period.
6. Conduct and compliance
Align your tolerance levels with your conduct risk landscape
Regulators expect a clear correlation between a firm's tolerance levels and its conduct risk landscape, meaning the risk appetite for conduct risk should align with the established tolerances. For example, a low tolerance for operational disruption should correspond to a similarly low appetite for conduct risk. Additionally, a firm that sets a low tolerance for disruption of a critical operation must be able to demonstrate sufficient control over the key risks within the processes that support it.
Mitigate compliance risk and avoid compliance overload by modernising your ‘Three Lines of Defence’ (3LOD)
Inefficiencies between the 1LOD and 2LOD are a common problem in highly regulated firms. They usually arise when the 2LOD sets policies without considering the practical challenges the 1LOD faces, and when roles and responsibilities across the three lines aren’t clear, causing overlaps, duplication and gaps.
Fostering collaboration across the three lines and reducing administrative roadblocks is key. The 1LOD should be actively involved in setting the risk appetite, ensuring practical, aligned and achievable risk limits that allow better ownership of risk management.
Get in touch
With CPS 230 on the horizon, the pressure to deliver a robust and compliant framework is intensifying. Baringa’s global expertise and proven methodologies will help you to streamline your efforts, avoid common pitfalls, and save time and resources. We don’t just focus on compliance, we help you build resilient, future-proof operations.