Australian regulator releases final version of new cross-industry operational risk management prudential standard

On 17 July 2023, the Australian Prudential Regulation Authority (APRA) released its final version of the new cross-industry Prudential Standard CPS 230 Operational Risk Management (CPS 230). Alongside CPS 230, APRA has also released its accompanying response paper to the feedback received on draft CPS 230 and draft Prudential Practice Guide CPG 230 Operational Risk Management (Draft CPG 230) for consultation.

As expected, final CPS 230 does not contain a large number of amendments. However, certain key principles in CPS 230 have been refined following extensive industry feedback on draft CPS 230. We summarise some of the key changes, and note key dates that regulated entities should be aware of in their implementation of CPS 230, below.

For further detail on the broader themes of CPS 230, see our summary here.

Overview of key differences from draft CPS 230

(a) Accountability and governance

There are no substantive changes from draft CPS 230 in this regard.

However, in response to industry concerns around the separate functions of a Board and management, APRA has clarified that it does not expect Boards to undertake management functions. In Draft CPG 230, APRA provides some guidance on how Boards may meet their oversight responsibilities (for example, by regularly reviewing and challenging key aspects of an entity’s operational risk profile and keeping across the detail of any significant weaknesses or new ventures present risk).

Note that final CPS 230 removes the requirement for tolerance levels to be Board-approved. APRA has clarified in its response paper that while it expects the Board to set overall tolerance levels, senior management is better placed to set granular tolerance levels. While Draft CPG 230 sets out specific factors for setting and reviewing tolerance levels, it is still not clear what is expected of the Board and how overall tolerance levels can be set without also determining granular aspects.

(b) Material service providers

The prescribed list of material service providers (which previously applied to all APRA-regulated entities) has been replaced with the requirement to classify, at a minimum, certain service providers as material unless the entity can justify otherwise.

For all APRA-regulated entities, providers of risk management, core technology and internal audit services must be classified as material service providers. Entity-specific service providers must also be classified as material, as follows:

• ADIs: credit assessment, funding and liquidity management, and mortgage brokerage.
• Insurers (general, life and private health): underwriting, claims management, insurance brokerage, and reinsurance.
• RSE licensees: fund administration, custodial services, investment management and arrangements with promoters and financial planners.

Additionally, in contrast to draft CPS 230, providers that manage critical or sensitive information assets under Prudential Standard CPS 234 Information Security are not designated material service providers at the outset. Notwithstanding, under Draft CPG 230, APRA expects entities to consider this as a factor in determining which of its other service providers are material.

While the ability to provide justifications against classifying a service provider as material adds flexibility to the regime, APRA has stated that it only expects this to occur in exceptional cases. While this indicates that entities will need to apply a high threshold in assessing any such justifications, it is not clear what specific criteria may be relevant to this assessment (although, certain factors which should be considered when determining materiality of service providers under Draft CPG 230 may inform this assessment). Any justifications for not classifying service providers as material should be documented, approved by senior management and reviewed on an annual basis, so entities cannot “set and forget” their assessments.

Additionally, we note that draft CPS 230 imposed obligations in respect of ‘arrangements with a material service provider’, such as due diligence requirements. This has now been amended to clarify that CPS 230 is only concerned with ‘material arrangements’ (i.e. those on which an entity relies to undertake a critical operation or that expose the entity to material operational risk) with material service providers. This clarification is intended to narrow the scope of arrangements caught by certain obligations in CPS 230, as opposed to all arrangements with material service providers being captured.

In practice, entities will need to conduct a thorough assessment of each service provider and determine the materiality of the provider and the arrangement in order to fulfil their obligations under CPS 230. Certainly, this is APRA’s expectation of a prudent entity under Draft CPG 230.

(c) “Fourth parties”

CPS 230 clarifies that an entity’s service provider management policy must include its approach to managing risks associated with fourth parties that material service providers rely on “to deliver a critical operation to the entity”. Previously, draft CPS 230 captured all fourth parties that a material service provider relied on.

While this amendment somewhat narrows the scope of the obligation, the nexus test for determining which downstream service providers are captured still implicates an indeterminate number of downstream service providers.

Indeed, APRA’s expectation under Draft CPG 230 is that entities will be aware of, and will manage, the risks associated with fourth party and other downstream service providers for critical operations, such as through appropriate contractual provisions and due diligence. Having regard to the increasingly lengthy and complex supply chains that we observe in practice, the parameters of an entity’s obligations are still not clear.

With respect to an entity’s core technology services (the providers of which must be classified as material service providers, as noted above), the broad requirements for fourth parties and the undefined boundaries of such requirements are likely to lead to protracted contractual negotiations with service providers. This is particularly so in the context of cloud and other data management services which rely on numerous subcontractors for various components of their services.

(d) Critical operations

As with material service providers, APRA has replaced the prescribed non-exhaustive list of critical operations, which applied to all APRA-regulated entities under draft CPS 230, with the requirement to classify certain business operations as critical operations unless the entity can justify otherwise. Under the final CPS 230, all entities must classify their operations for customer enquiries and systems/infrastructure needed to support critical operations as critical, with some further specific operations specified for each type of regulated entity.

Similar to its approach with material service providers, APRA has stated that it only expects justifications against classification of critical operations to arise in exceptional cases. Again, it is not clear what criteria may be relevant to APRA’s assessment of satisfactory justifications.

Key dates and transitional arrangements

• 13 October 2023 – submissions on the Draft CPG 230 are due.
• Late 2023 – APRA has stated that it aims to finalise CPG 230 this year.
• 2024 – while APRA acknowledges that entities will prepare for CPS 230 obligations in different ways, it has stated that is expects senior management to at least identify critical operations and material service providers by mid-2024 and be well-positioned to set tolerance levels by the end of 2024.
• 1 July 2025 – CPS 230 takes effect.
• 1 July 2026 – entities’ existing service provider arrangements must comply with CPS 230 at the earlier of 1 July 2026 or the next renewal date for the relevant arrangement.