APRA is strongly encouraging its regulated entities not to wait until the last minute – and start preparing now. Having “run out of patience” with the slow uplift to CPS 234 on information security, the regulator has put the sector on notice, announcing it “…will be assessing entities’ preparedness for the new standard throughout 2024, starting in less than six months.” APRA is unapologetic about deliberately designing “an implementation schedule to ensure entities are not still playing catch-up several years down the track”.
Our webcast polls suggest participants are taking this advice seriously. Almost a quarter (24%) said their CPS 230 project is well on its way. More than half (57%) have plans in place. Only 19% have yet to start.
Although no one is starting from a zero base, the task ahead should not be underestimated. APRA is raising the bar with more prescriptive operational risk management expectations, the need to develop a critical operations view and an uplift of third-party risk management practices.
Despite postponing the effective date to a more realistic 1 July 2025, APRA is expecting institutions to make significant progress in mapping end-to-end business processes by mid-2024, covering the crucial path to delivering critical operations. Tolerance levels covering the critical operations are to be determined by the end of 2024.
APRA also expects entities to “…perform detailed gap analysis against the requirements – identifying areas of challenge to implementation and putting in place actions to resolve these challenges”. The goal is to flag any concerns early and make course corrections. This will then leave six months for entities to gain confidence in their ability to routinely test the design and operating effectiveness of the internal controls for these critical operations and operational risks more broadly. Not just their own controls, but also those of third parties. Sophisticated analysis will also be required to understand whether tolerance levels can be maintained under severe but plausible scenarios.
Strong leadership
The new regulations drive the impetus that the board, as the ultimately accountable party, is very much part of the compliance journey. APRA is expecting boards to oversee operational risk management, approve impact tolerance levels and review the risks associated with a much broader cohort of material service providers. At the same time, the new standard puts business line management firmly at the centre of managing business processes, risks and controls.
It’s no surprise then that, for more than 90% of our participants, an executive is taking the lead in CPS 230 programs, largely Chief Risk Officers. Given the cross-functional change required, a top-down approach is essential. This should cover uplifting operational risk management, mapping internal processes and extending the coverage of material service providers to include third and fourth parties.
Third-party risk management has been, and will be, a regulatory focus for the foreseeable future, requiring organisations to significantly uplift their risk infrastructure and due diligence across a bigger population of service providers – over whom they may have little direct control. From 1 July 2025, they must have an understanding of their most critical third- and fourth-party service providers at a level where they are almost part of their own organisation.
Anecdotal evidence from our participants suggests that suppliers are already pushing back on fourth-party requirements. This is an area that may need a collaborative industry approach to get suppliers to accept the new reality.
Keen to learn
The extent of questions and observations in our session reflects the sector’s appetite for sharing and learning. Based on international experience, we advise firms to:
- Bring boards into the CPS 230 journey early to avoid having to restart or change course based on board input. Boards must be comfortable with the institution’s approach, including management roles and responsibilities, and receive sufficient reporting to understand the operational risk profile. Executives need to explain how the new view of critical operations will retrofit into the risk management framework and feed up to the board. According to APRA, boards should already be focussing on three actions:
- Putting the right governance arrangements in place
- Identifying critical operations and material service providers
- Developing a new organisational mindset about their new boundaries of responsibility
- Take a customer lens to the critical operations. Rather than the traditional functional view, critical processes must be identified from the perspective of how they will impact a customer. Decisions about criticality will need to consider multiple elements, including the following:
- Size of a customer base – How many people will the outage affect?
- Time criticality of receiving the service – How long before an outage becomes a crisis?
- Substitutability of the service – Can customers get this service in a different way elsewhere?
- Impact – What damage will the outage cause to the entity itself or the financial system?
- Understand that this is not a one-off, set-and-forget project. Business process maps will change as institutions launch new products, or change shape via reorganisation, acquisition or divestment. Project management must eventually transition into business as usual. Part of current planning needs to include a view of what CPS 230 will look like when it ends up embedded in the business.
- Don’t underestimate the time involved. In the UK, scenario testing in particular took much longer than institutions expected. Initial testing inevitably identified gaps, requiring firms to reset and retest.
