This summary of the key changes (and constants) within CPS 230 is drafted assuming a level of understanding of the key elements of APRA’s draft standard CPS 230. I’ll be updating my summary of the overall requirements of CPS 230 over the coming days, so if you are new to the subject that may be a better place to start.
APRA have released their final prudential standard CPS 230, along with a response paper and draft prudential practice guide.
In their response paper, APRA state there are three key changes to the final CPS 230:
- easing transition: deferring commencement of CPS 230 to 1 July 2025 and inclusion of transition arrangements for existing service provider arrangements;
- flexibility on prescribed critical operations and service providers: refining the requirement to classify specific business operations as ‘critical’ and certain service providers as ‘material’, with an ‘unless otherwise justified’ provision; and
- material service providers: modifications so that only material arrangements with material service providers are captured in relation to certain requirements, rather than all arrangements.
This article does not intend to go through the changes line by line (there is a quick summary in an appendix). Rather, it seeks to call out some of the key themes in APRA’s final standard and the evolution of the standard and practice guide, to enable readers to consider their preparation and response to the standard.
In summary, we see three key themes emerging from APRA’s revised standard and response paper (and we are still digesting the guide!):
- The intent hasn’t changed.
- Proportionality is in the eye of the risk-holder.
- APRA are giving more time – the trade-off is that expectations aren’t flexible.
The release of APRA’s final CPS 230 prudential standard, along with key waypoints, provides an important reminder to all APRA regulated entities of the need to be well underway with preparations for CPS 230 already.
Our experience in working with a range of organisations suggests there are several common challenges with getting traction on CPS 230 efforts:
- building stakeholder alignment,
- competing organisational priorities, and
- a lack of clarity of ‘where to start’.
The final prudential standard and guidance will help to catalyse action.
The intent hasn’t changed
- APRA’s summary of feedback indicates widespread acceptance of the Critical Operations approach, with feedback on critical operations only focused on the ‘prescribed’ critical operations, now sensibly noted as being minimum expectations unless justified otherwise.
- The intent of the standard hasn’t changed: it is still all about resilient critical operations. An approach based on understanding what these are, their purpose, how they are intended to operate, how they are enabled and how they are actually operating remains the best way forward.
Proportionality is in the eye of the risk-holder
- APRA sought, and received, significant feedback around proportionality with respect to the different organisations in scope of CPS 230.
- APRA have firmly come back with the view that, for CPS 230 at least, proportionality is in the eye of the risk-holder, and have not, in the standard at least, distinguished between significant and non-significant financial institutions.
- Organisational responses to CPS 230 need to address their risks, complexity and context. This provides significant opportunity to forward-thinking organisations to embed and align efforts around CPS 230 with other organisational priorities, underlining the need to think now and think hard about how you will meet the requirements of the standard in a sustainable manner.
APRA are giving more time – the trade-off is that expectations aren’t flexible
- APRA have extended the effective date for CPS 230 by 18 months, giving entities more time to do the groundwork required to meet requirements. The trade-off here is that APRA’s expectations of compliance have not changed, and expectations of day 1 compliance are clear.
- By providing key waypoints on the journey to July 2025, including identifying critical operations and material service providers by mid-2024, and tolerances by the end of 2024, APRA is clearly setting out an expectation that work is already underway, and that a repeat of CPS 234 timeline slippage is not acceptable.
- We have been working with clients for some time on their CPS 230 readiness efforts and have taken a similar approach to developing roadmaps and milestones. Our observation is that the dates set by APRA are likely to be the latest possible dates, and leave little, if any, room for slippage. Treating the dates issued by APRA as a target is, as I have already commented, a ‘bold strategy’.
So, what should I be doing now?
As outlined above, the release of the prudential standard offers an opportunity to catalyse action. The good news is that the intent and overall approach haven’t changed, so those organisations who already have a roadmap that they are progressing will only need to make small changes. However, even with the additional time offered, the volume of work required is significant.
However, many organisations may have been awaiting the standard and guidance to move from preparation to action:
- What is our current state of adherence to the requirements of CPS 230?
  - Conduct a gap analysis of current practice regarding operational risk, business continuity and service provider management.
- What is our roadmap from current state to July 2025?
  - What is required, what is the sequence, and what are the dependencies? Consider an approach which enables clear steps to be taken now, and a set of milestones to enable monitoring of progress, which is likely to be more detailed than APRA’s small number of waypoints.
- Who do we need to mobilise around our efforts, and how can we do this?
  - Are key operational, customer, technology and product leaders aligned around our plan and have we started the necessary conversations with our third parties?
- How will we align the data that will be produced through our efforts around critical operations?
  - APRA have made clear that critical operations are the golden thread of operational risk management. Thinking clearly now about the data model that will enable connection of operational risk data to decisions, provide insight on operational performance and provide early warning of threats and stress is vital.
CPS 230 is coming, it’s bigger, longer and uncut. The challenge is translating this to action.
Appendix – quick summary of what has changed in APRA CPS 230 from draft to final
Here is a quick summary of what has changed and why. APRA have a fuller document at https://www.apra.gov.au/operational-risk-management-0