
54 minute video

Moving from preparation to action.

Watch the latest updates on what financial institutions must do to enhance resilience, manage risk and minimise disruption.

 

CPS 230: Moving from preparation to action (Transcript)

 

Good morning.

 

1

00:00:14.065 –> 00:00:17.605

Um, and thank you for joining us at Battleground’s November

 

2

00:00:17.805 –> 00:00:20.125

CPS 230 webinar with the theme of

 

3

00:00:20.725 –> 00:00:23.805

CPS 230 from preparation to action.

 

4

00:00:25.905 –> 00:00:27.125

My name’s Joe McDavid.

 

5

00:00:27.145 –> 00:00:30.045

I’m the Director of Operational Risk here at Battleground,

 

6

00:00:30.045 –> 00:00:32.445

and I’ll be leading the conversation this morning,

 

7

00:00:32.465 –> 00:00:33.685

but also looking forward

 

8

00:00:33.705 –> 00:00:36.325

to any feedback from the people across the group.

 

9

00:00:37.205 –> 00:00:38.805

I also just wanna acknowledge at the beginning here

 

10

00:00:38.805 –> 00:00:41.285

that, for some of you, the registration process hasn’t

 

11

00:00:41.285 –> 00:00:42.405

been completely straightforward.

 

12

00:00:42.785 –> 00:00:44.725

Um, but I wanna thank you for your diligence

 

13

00:00:44.985 –> 00:00:47.525

and, um, tenacity in getting onto this link

 

14

00:00:47.705 –> 00:00:50.525

and assure you that we’ll be looking to improve that, um,

 

15

00:00:50.585 –> 00:00:51.765

as we go forward.

 

16

00:00:51.785 –> 00:00:55.245

So thank you for that. But to the subject at hand,

 

17

00:00:55.485 –> 00:00:59.005

CPS 230 as a Prudential standard,

 

18

00:00:59.005 –> 00:01:00.965

it was released in draft more than a year ago

 

19

00:01:01.545 –> 00:01:03.845

and finalized more than four months ago.

 

20

00:01:04.945 –> 00:01:08.285

The standard’s been given a long lead time until July, 2025

 

21

00:01:08.305 –> 00:01:09.965

for entities to adapt to.

 

22

00:01:11.085 –> 00:01:13.425

And the lead time reflects both the request of,

 

23

00:01:13.445 –> 00:01:15.265

of financial services as an industry.

 

24

00:01:15.885 –> 00:01:18.785

And I think as well the frustration of the regulator

 

25

00:01:19.015 –> 00:01:22.105

with the time taken, in particular to meet the requirements

 

26

00:01:22.105 –> 00:01:23.425

of CPS 234,

 

27

00:01:23.975 –> 00:01:26.145

information technology, information security.

 

28

00:01:26.895 –> 00:01:29.545

It’s clear already from APRA’s engagement in public

 

29

00:01:29.545 –> 00:01:32.185

that they expect organizations to be ready on day one

 

30

00:01:32.405 –> 00:01:33.865

for CPS 230.

 

31

00:01:34.575 –> 00:01:36.625

Tolerance for failure to comply is minimal,

 

32

00:01:38.035 –> 00:01:42.775

but we see that there is a fundamental challenge common

 

33

00:01:42.795 –> 00:01:45.935

to all new regulations that regulated entities face,

 

34

00:01:47.275 –> 00:01:48.975

and that is the question of

 

35

00:01:49.045 –> 00:01:51.415

what is good enough, what is expected.

 

36

00:01:51.995 –> 00:01:53.455

And Simon, thank you for that note.

 

37

00:01:53.455 –> 00:01:55.615

I’ve just seen that Craig is, um,

 

38

00:01:55.645 –> 00:01:57.815

just working in the background to resolve that.

 

39

00:01:58.115 –> 00:02:00.255

So thank you for letting us know that, um,

 

40

00:02:00.265 –> 00:02:01.535

Simon, I appreciate it.

 

41

00:02:04.295 –> 00:02:06.315

So the fundamental challenge, what is good enough,

 

42

00:02:06.625 –> 00:02:11.345

what is expected, even though CPS 230 treads in a space

 

43

00:02:11.345 –> 00:02:14.305

that is currently regulated, whether it be

 

44

00:02:14.305 –> 00:02:16.225

through CPS 220, 231,

 

45

00:02:16.245 –> 00:02:18.905

or 232, the actual requirements

 

46

00:02:18.925 –> 00:02:20.865

of the guidance are not yet known.

 

47

00:02:21.875 –> 00:02:23.215

And the Prudential standard is brief.

 

48

00:02:23.215 –> 00:02:24.575

It’s only a dozen or so pages.

 

49

00:02:25.605 –> 00:02:27.425

The guide, the practice guide, is draft,

 

50

00:02:27.565 –> 00:02:29.585

and in many cases, there isn’t a huge amount

 

51

00:02:29.585 –> 00:02:31.105

of more detail provided.

 

52

00:02:32.325 –> 00:02:34.025

And to top it off, we have a regulator

 

53

00:02:34.025 –> 00:02:35.425

that’s talking about a need, not just

 

54

00:02:35.485 –> 00:02:37.785

for an uplift in operational risk management,

 

55

00:02:38.065 –> 00:02:40.105

business continuity and management of third parties,

 

56

00:02:40.685 –> 00:02:42.145

but also for a mindset shift.

 

57

00:02:43.525 –> 00:02:46.225

So today I wanna talk a bit more about where we

 

58

00:02:46.225 –> 00:02:48.745

as Battleground have been doing work with organizations

 

59

00:02:49.245 –> 00:02:52.345

to help them get to what we see as a coherent, robust,

 

60

00:02:52.405 –> 00:02:54.945

and useful position for CPS 230.

 

61

00:02:55.805 –> 00:02:58.985

And I hope you finish off this session with, um, a couple

 

62

00:02:59.105 –> 00:03:02.065

of key things really.

 

63

00:03:02.195 –> 00:03:04.665

First of all, what might the mindset shift

 

64

00:03:04.665 –> 00:03:06.905

that APRA is talking about practically mean?

 

65

00:03:07.365 –> 00:03:09.345

How can you go about having real tangible,

 

66

00:03:09.575 –> 00:03:11.985

practical conversations in a way that

 

67

00:03:11.985 –> 00:03:13.545

demonstrates you’re making this shift?

 

68

00:03:14.445 –> 00:03:17.185

And secondly, what might a connected model look like

 

69

00:03:17.185 –> 00:03:19.385

that meets CPS 230 requirements?

 

70

00:03:19.895 –> 00:03:21.985

Because that’s what’s fundamental

 

71

00:03:22.005 –> 00:03:23.745

to sustainable resilience in our view,

 

72

00:03:24.135 –> 00:03:26.625

it’s about decisions being made using balanced,

 

73

00:03:27.425 –> 00:03:30.065

resilient mindset, um, supported

 

74

00:03:30.065 –> 00:03:31.905

by robust complete and relevant data.

 

75

00:03:33.115 –> 00:03:36.425

That’s all. And I also recognize we’ve got a bit

 

76

00:03:36.505 –> 00:03:37.785

of a diverse audience this morning.

 

77

00:03:37.785 –> 00:03:40.145

We’ve got some non-financial services institutions,

 

78

00:03:40.455 –> 00:03:42.465

also got service providers in the group today.

 

79

00:03:42.925 –> 00:03:45.665

So my focus will be on the CPS 230 journey

 

80

00:03:45.885 –> 00:03:46.985

for financial services.

 

81

00:03:47.745 –> 00:03:50.385

I think you’ll find this session of value

 

82

00:03:50.765 –> 00:03:52.905

for service providers, getting an understanding of

 

83

00:03:52.905 –> 00:03:54.265

what your customers will be thinking.

 

84

00:03:54.315 –> 00:03:55.985

It’ll be invaluable as you work with them.

 

85

00:03:56.405 –> 00:03:58.105

For those non-financial institutions,

 

86

00:03:58.375 –> 00:04:00.665

well, I see a lot of value in the mindset, the data

 

87

00:04:00.685 –> 00:04:03.145

and the model that CPS 230 is requiring,

 

88

00:04:03.645 –> 00:04:06.065

and I think well implemented it offers a blueprint

 

89

00:04:06.085 –> 00:04:07.625

for effective, efficient,

 

90

00:04:07.625 –> 00:04:09.425

and robust operational risk management.

 

91

00:04:12.215 –> 00:04:14.355

And I’ll try and leave some time at the end for questions.

 

92

00:04:14.455 –> 00:04:16.795

So if you do wanna raise any via the chat, please do

 

93

00:04:16.795 –> 00:04:17.955

so and I will come back to them.

 

94

00:04:20.975 –> 00:04:22.995

So before we go into all of that, a bit about

 

95

00:04:22.995 –> 00:04:24.315

who we are at Battleground.

 

96

00:04:26.695 –> 00:04:28.355

And look, the first thing I wanna make clear is

 

97

00:04:28.355 –> 00:04:30.195

that we’re a software driven consultancy.

 

98

00:04:30.815 –> 00:04:32.875

We help organizations using software tools,

 

99

00:04:32.875 –> 00:04:34.035

and we also sell those tools.

 

100

00:04:34.775 –> 00:04:37.075

But the important thing is that we sell what we use

 

101

00:04:37.375 –> 00:04:39.155

and we use what we sell.

 

102

00:04:39.815 –> 00:04:42.115

If something is useful to us working with clients,

 

103

00:04:42.565 –> 00:04:44.515

it’ll pretty soon make its way into our software.

 

104

00:04:45.015 –> 00:04:46.755

So at the moment, this means we’re able

 

105

00:04:46.755 –> 00:04:48.875

to help clients connect business processes

 

106

00:04:48.875 –> 00:04:51.555

with critical operations, define tolerances

 

107

00:04:51.555 –> 00:04:52.715

for them in the platform

 

108

00:04:53.175 –> 00:04:55.235

and in the future, that might mean that we’ll be able

 

109

00:04:55.235 –> 00:04:57.315

to use the model

 

110

00:04:57.415 –> 00:04:59.635

and the platform to bring together a really clear view of

 

111

00:04:59.735 –> 00:05:02.995

how critical operations are supported by processes, managed

 

112

00:05:03.015 –> 00:05:06.355

by controls enabled by third parties, all in order

 

113

00:05:06.355 –> 00:05:07.755

to manage those risks and obligations

 

114

00:05:09.045 –> 00:05:10.265

as an organization we’ve

 

115

00:05:10.265 –> 00:05:11.465

existed for more than 10 years.

 

116

00:05:11.485 –> 00:05:12.865

And our founder, Craig Goldberg,

 

117

00:05:12.865 –> 00:05:14.705

is a former Deloitte partner leading

 

118

00:05:14.705 –> 00:05:16.185

their business continuity team.

 

119

00:05:16.645 –> 00:05:18.785

The consultancy team like me have a combination

 

120

00:05:18.785 –> 00:05:21.305

of senior management and consultancy experience,

 

121

00:05:21.925 –> 00:05:24.345

and given the areas we work in, crisis management,

 

122

00:05:24.905 –> 00:05:26.345

business continuity, and risk management.

 

123

00:05:26.365 –> 00:05:27.665

You can imagine we’ve been watching

 

124

00:05:27.665 –> 00:05:30.505

and working in CPS 230 closely for some time.

 

125

00:05:31.085 –> 00:05:33.065

And personally, for those of you who don’t know me,

 

126

00:05:33.615 –> 00:05:36.265

I’ve worked in senior operational risk roles in banking.

 

127

00:05:36.615 –> 00:05:39.065

I’ve worked in consulting roles and regulatory

 

128

00:05:39.085 –> 00:05:41.225

and risk uplift and also in assurance roles.

 

129

00:05:41.285 –> 00:05:43.385

So my experience is a combination

 

130

00:05:43.385 –> 00:05:45.025

of being the accountable person

 

131

00:05:45.325 –> 00:05:47.825

and being the person helping the accountable people.

 

132

00:05:50.405 –> 00:05:52.215

Look, I wanted to start today with a bit of a story.

 

133

00:05:53.475 –> 00:05:55.945

Maybe it’ll help introduce me a little bit more as well.

 

134

00:05:56.245 –> 00:05:58.525

And recently I was leading a regulatory

 

135

00:05:58.525 –> 00:05:59.885

uplift program for a client.

 

136

00:06:00.145 –> 00:06:02.285

So my job was to integrate all the bits that needed

 

137

00:06:02.285 –> 00:06:04.685

to be improved, bring together a team of experts

 

138

00:06:04.705 –> 00:06:08.245

to deliver the uplift and voila, deliver an uplifted,

 

139

00:06:08.315 –> 00:06:10.245

transformed and compliant organization.

 

140

00:06:11.065 –> 00:06:13.245

And this often required presenting information

 

141

00:06:13.245 –> 00:06:14.605

to stakeholders for decisions.

 

142

00:06:15.155 –> 00:06:16.885

What would the organization do in response

 

143

00:06:16.885 –> 00:06:18.365

to a certain set of facts or events?

 

144

00:06:19.745 –> 00:06:22.085

And what I often found with some stakeholders,

 

145

00:06:22.215 –> 00:06:24.845

there was this zealous focus on whether

 

146

00:06:24.845 –> 00:06:27.605

or not a solution would deliver something called a compliant

 

147

00:06:27.655 –> 00:06:31.725

state. That’s a short-term focus for a short-term fix.

 

148

00:06:32.465 –> 00:06:35.355

And look, given that the short-term thinking was one

 

149

00:06:35.355 –> 00:06:37.875

of the major reasons the organization actually needed the

 

150

00:06:38.115 –> 00:06:41.395

regulatory uplift project, I spent much of my time trying

 

151

00:06:41.395 –> 00:06:43.235

to guide a set of balanced decisions.

 

152

00:06:44.275 –> 00:06:47.535

And clearly, I overused one phrase in particular,

 

153

00:06:48.305 –> 00:06:50.655

compliance isn’t the state, it’s a lifestyle.

 

154

00:06:51.395 –> 00:06:52.725

And what I mean by that,

 

155

00:06:52.725 –> 00:06:55.205

and what I mean also in the context of resilience,

 

156

00:06:55.575 –> 00:06:56.925

which I think is, you know, really

 

157

00:06:56.925 –> 00:06:58.405

what CPS 230 is all about.

 

158

00:06:58.915 –> 00:07:02.085

It’s not something you have, it doesn’t exist in perpetuity.

 

159

00:07:02.545 –> 00:07:05.405

You can’t be compliant or be resilient.

 

160

00:07:05.975 –> 00:07:08.405

Sorry, you can be compliant or resilient today,

 

161

00:07:08.785 –> 00:07:11.405

but tomorrow the threats change, your processes erode,

 

162

00:07:11.885 –> 00:07:14.485

customer needs move on, external threats evolve.

 

163

00:07:15.265 –> 00:07:17.565

All of these things are dynamic, which means you have

 

164

00:07:17.565 –> 00:07:20.205

to continually be evolving, making good decisions.

 

165

00:07:21.145 –> 00:07:22.605

And so your level of compliance

 

166

00:07:22.705 –> 00:07:25.885

or resilience, well, that’s a function of historic decisions

 

167

00:07:26.585 –> 00:07:27.645

and there’s very little you can do

 

168

00:07:27.645 –> 00:07:28.725

today to actually change it.

 

169

00:07:29.425 –> 00:07:33.045

But there is the need to continually make good decisions,

 

170

00:07:33.315 –> 00:07:34.325

make good investments,

 

171

00:07:34.325 –> 00:07:36.485

and execute consistently so

 

172

00:07:36.485 –> 00:07:40.525

that you can be resilient tomorrow and into the future.

 

173

00:07:43.075 –> 00:07:44.615

And so with that in mind, well what’s the

 

174

00:07:44.615 –> 00:07:45.855

agenda for the conversation today?

 

175

00:07:46.405 –> 00:07:47.575

Well, as I said earlier, I wanted

 

176

00:07:47.575 –> 00:07:49.375

to give you a clearer understanding of two things,

 

177

00:07:49.875 –> 00:07:52.575

the mindset shift that APRA is talking about

 

178

00:07:52.805 –> 00:07:55.455

practically, how can you go about having some real tangible

 

179

00:07:55.715 –> 00:07:57.095

and practical conversations?

 

180

00:07:57.795 –> 00:08:01.485

And secondly, what might a connected model look like

 

181

00:08:01.485 –> 00:08:03.645

that meets those CPS 230 requirements?

 

182

00:08:04.785 –> 00:08:06.125

And how do I propose to get there?

 

183

00:08:06.125 –> 00:08:07.685

Well, I’m gonna try and use as simple an

 

184

00:08:07.965 –> 00:08:09.085

approach as I possibly can.

 

185

00:08:10.225 –> 00:08:13.085

I’m gonna do a recap on the why of CPS 230.

 

186

00:08:13.625 –> 00:08:16.885

What’s the problem that APRA have decided needs a new

 

187

00:08:17.405 –> 00:08:18.645

regulatory hammer to solve?

 

188

00:08:19.925 –> 00:08:22.685

Secondly, the what, what’s the standard asking us to do?

 

189

00:08:23.385 –> 00:08:25.645

And to be really clear, today isn’t a deep dive into

 

190

00:08:26.075 –> 00:08:28.485

what clauses we need to put into what contract

 

191

00:08:28.505 –> 00:08:32.365

or how to reconcile your current business continuity plans,

 

192

00:08:32.365 –> 00:08:35.405

maximum available outage with a new tolerance requirement.

 

193

00:08:35.865 –> 00:08:38.205

I’m more than happy to have those conversations, of course,

 

194

00:08:38.705 –> 00:08:40.525

um, and do on a regular basis.

 

195

00:08:41.065 –> 00:08:43.885

But one thing that I often find when talking about CPS 230

 

196

00:08:43.885 –> 00:08:45.805

is that there is this tendency

 

197

00:08:45.805 –> 00:08:48.605

to drop immediately into the detail.

 

198

00:08:50.185 –> 00:08:52.445

And perhaps that’s where people are most comfortable,

 

199

00:08:52.715 –> 00:08:54.085

they have the most experience.

 

200

00:08:54.665 –> 00:08:55.965

But I think as you’ll see,

 

201

00:08:56.065 –> 00:08:57.965

the real value is keeping our heads elevated.

 

202

00:09:00.195 –> 00:09:01.735

And so thirdly, the how,

 

203

00:09:02.035 –> 00:09:04.335

and again, this isn’t the how in the minute detail,

 

204

00:09:04.595 –> 00:09:07.495

but more about how you can start to have conversations about

 

205

00:09:07.495 –> 00:09:11.695

that CPS 230 lifestyle I spoke about that you

 

206

00:09:11.695 –> 00:09:13.215

and your organization will need to live

 

207

00:09:13.595 –> 00:09:15.335

and I think sooner than you might think.

 

208

00:09:15.995 –> 00:09:17.975

And finally, the ready set go.

 

209

00:09:18.315 –> 00:09:19.695

The things we ought to be doing now

 

210

00:09:19.835 –> 00:09:21.895

or have done already to make the most of the work

 

211

00:09:22.165 –> 00:09:24.375

that CPS 230 will require.

 

212

00:09:27.775 –> 00:09:31.785

So why, why CPS 230? Why now?

 

213

00:09:32.575 –> 00:09:34.705

Well, I think when you glean through all the leaves

 

214

00:09:34.765 –> 00:09:36.465

and pronouncements and entrails

 

215

00:09:36.485 –> 00:09:38.225

and speeches, I think there are three things

 

216

00:09:38.225 –> 00:09:39.425

that start to become clear.

 

217

00:09:40.815 –> 00:09:44.485

It’s about interconnections, it’s about control failures,

 

218

00:09:45.105 –> 00:09:46.885

and it’s about regulatory pressure.

 

219

00:09:47.925 –> 00:09:51.475

So let’s take these in turn, interconnections,

 

220

00:09:53.295 –> 00:09:56.315

modern financial institutions, many

 

221

00:09:56.575 –> 00:09:58.435

or modern institutions, even those of us

 

222

00:09:58.435 –> 00:09:59.715

who aren’t financial on the call,

 

223

00:10:00.105 –> 00:10:02.355

they’re less a single organization and,

 

224

00:10:02.355 –> 00:10:05.755

and more an orchestration of many different organizations,

 

225

00:10:05.905 –> 00:10:07.915

whether it’s technology, call center,

 

226

00:10:08.385 –> 00:10:10.035

marketing, administration,

 

227

00:10:10.035 –> 00:10:13.735

or claims, core banking, or something else.

 

228

00:10:14.645 –> 00:10:17.015

Financial institutions rely on service providers

 

229

00:10:17.015 –> 00:10:18.455

for large chunks of what they do.

 

230

00:10:19.285 –> 00:10:21.865

And even if they don’t rely on a single financial, uh,

 

231

00:10:21.865 –> 00:10:24.505

single outsource provider in an outsourced manner,

 

232

00:10:24.555 –> 00:10:27.145

end-to-end the value chain can rely more on third parties

 

233

00:10:27.375 –> 00:10:28.585

than internal capability.

 

234

00:10:29.445 –> 00:10:30.585

And these interconnections,

 

235

00:10:30.585 –> 00:10:33.585

they require a deep understanding of what you want to do

 

236

00:10:34.565 –> 00:10:36.745

and alignments of interest across a range of parties

 

237

00:10:37.445 –> 00:10:39.985

and flexibility in operations when things go wrong

 

238

00:10:40.005 –> 00:10:41.065

to fix them swiftly.

 

239

00:10:41.845 –> 00:10:43.955

These aren’t always things that are present at even the most

 

240

00:10:43.985 –> 00:10:46.875

aligned supplier relationships, let alone the average.

 

241

00:10:47.585 –> 00:10:50.965

Then we have control failures,

 

242

00:10:51.065 –> 00:10:52.605

and they might be the high profile ones

 

243

00:10:52.605 –> 00:10:53.645

that are on the screen

 

244

00:10:54.185 –> 00:10:56.765

or the less high-profile ones that never make the press

 

245

00:10:57.105 –> 00:10:58.965

or even make it outside of an organization.

 

246

00:11:00.105 –> 00:11:01.605

But I think even if you go back as far

 

247

00:11:01.605 –> 00:11:04.605

as the 2018 Financial Services Royal Commission,

 

248

00:11:04.875 –> 00:11:06.605

what you see is a lot of examples

 

249

00:11:06.605 –> 00:11:08.645

of control failures driving conduct challenges.

 

250

00:11:09.465 –> 00:11:11.085

Yes, it’s wrong

 

251

00:11:11.085 –> 00:11:13.445

to charge dead people life insurance premiums,

 

252

00:11:14.185 –> 00:11:17.165

but if the system that processes claims doesn’t talk

 

253

00:11:17.165 –> 00:11:20.645

to the system that processes premiums, well, is that a,

 

254

00:11:21.535 –> 00:11:22.635

is that a design feature?

 

255

00:11:22.695 –> 00:11:23.995

Is that a bug? What’s the issue?

 

256

00:11:23.995 –> 00:11:27.995

What’s the challenge there? And control failures also play a

 

257

00:11:27.995 –> 00:11:29.315

massive role in many of the cyber

 

258

00:11:29.315 –> 00:11:31.555

and data privacy breaches we’ve seen

 

259

00:11:31.555 –> 00:11:32.595

in recent months and weeks.

 

260

00:11:33.575 –> 00:11:35.155

The inability to connect risks

 

261

00:11:35.255 –> 00:11:36.755

and controls together in a way

 

262

00:11:36.755 –> 00:11:39.835

that means they can be confident that systems are secure

 

263

00:11:40.455 –> 00:11:41.795

is not going to cut it.

 

264

00:11:43.085 –> 00:11:44.865

And then finally, regulatory pressure.

 

265

00:11:45.315 –> 00:11:46.565

Everybody else is doing it.

 

266

00:11:46.625 –> 00:11:51.205

So why can’t we? The UK, the US, ASIC,

 

267

00:11:51.745 –> 00:11:52.845

all active in the space

 

268

00:11:52.865 –> 00:11:54.925

and APRA continuing to raise the bar.

 

269

00:11:56.805 –> 00:11:58.145

But I think there’s also another way

 

270

00:11:58.285 –> 00:11:59.665

to thread this together,

 

271

00:12:00.485 –> 00:12:01.745

and I think it might be useful

 

272

00:12:02.125 –> 00:12:03.585

to start thinking about the mindset

 

273

00:12:04.015 –> 00:12:06.825

that CPS 230 is wanting us to start using

 

274

00:12:07.405 –> 00:12:09.385

to think about some of these drivers as well.

 

275

00:12:10.515 –> 00:12:11.775

So some years ago I was working

 

276

00:12:12.445 –> 00:12:14.135

with the product team at an ADI

 

277

00:12:15.345 –> 00:12:17.085

and they said they had three main problems,

 

278

00:12:17.885 –> 00:12:18.915

might have had a few more, but

 

279

00:12:18.915 –> 00:12:19.955

they said they had three main ones.

 

280

00:12:20.775 –> 00:12:23.835

The first one was they had a long list of broken products.

 

281

00:12:24.575 –> 00:12:26.395

The product wasn’t operating as desired.

 

282

00:12:26.395 –> 00:12:27.635

They couldn’t confirm if it was,

 

283

00:12:27.805 –> 00:12:29.955

there might have been some regulatory challenges there.

 

284

00:12:31.585 –> 00:12:33.465

Secondly, they wanted to develop

 

285

00:12:33.505 –> 00:12:35.185

and release a whole bunch of new products

 

286

00:12:35.455 –> 00:12:38.865

because, in addition to being broken, the existing products,

 

287

00:12:38.865 –> 00:12:40.745

well they needed more flexibility

 

288

00:12:40.965 –> 00:12:42.185

in order to be competitive.

 

289

00:12:43.685 –> 00:12:45.985

And thirdly, they were struggling with the capacity

 

290

00:12:45.985 –> 00:12:49.225

of the operational and technology teams in the organization

 

291

00:12:49.765 –> 00:12:51.425

who couldn’t deliver at the pace required

 

292

00:12:51.735 –> 00:12:52.945

with the accuracy needed.

 

293

00:12:54.005 –> 00:12:55.865

The technology teams didn’t have the capacity

 

294

00:12:55.865 –> 00:12:57.585

to make the changes they wanted them to.

 

295

00:12:58.965 –> 00:13:01.665

So they had too much to do and not enough to do it with.

 

296

00:13:02.935 –> 00:13:04.875

And so I went and talked to some operational leaders,

 

297

00:13:05.905 –> 00:13:08.125

and as you can imagine, the story about technology was the

 

298

00:13:08.125 –> 00:13:10.725

same, no capacity, poor reliability, inability

 

299

00:13:10.725 –> 00:13:12.725

to keep promises, all that sort of stuff.

 

300

00:13:13.945 –> 00:13:15.765

But when I asked them to open up about product

 

301

00:13:16.415 –> 00:13:17.685

after a while, it became clear

 

302

00:13:17.685 –> 00:13:20.325

that the operations teams didn’t know what the priority was.

 

303

00:13:20.705 –> 00:13:23.645

Was it growth or compliance? Was it change or remediation?

 

304

00:13:25.375 –> 00:13:26.395

And I’m not even gonna tell you what

 

305

00:13:26.395 –> 00:13:27.435

the technology folks had to say.

 

306

00:13:27.435 –> 00:13:31.725

You can probably guess. Now, this isn’t the story about

 

307

00:13:31.985 –> 00:13:33.925

how I came in and saved the situation.

 

308

00:13:34.945 –> 00:13:37.215

Truth be told, there continue to be challenges

 

309

00:13:37.285 –> 00:13:38.455

with all of those teams.

 

310

00:13:38.955 –> 00:13:42.255

But I want to talk about how we started to get these groups

 

311

00:13:42.355 –> 00:13:44.855

to communicate a little bit more with each other.

 

312

00:13:45.675 –> 00:13:48.095

And that’s the model on the screen, the diagram on the page.

 

313

00:13:50.175 –> 00:13:52.955

And if we accept that the whole financial relationship

 

314

00:13:53.415 –> 00:13:56.835

starts with a customer, a depositor, a super fund member,

 

315

00:13:57.395 –> 00:13:59.195

somebody who wants insurance, well,

 

316

00:13:59.195 –> 00:14:01.475

they enter into a relationship with the organization.

 

317

00:14:02.335 –> 00:14:04.515

And usually we’ve got somebody who signs a letter

 

318

00:14:04.935 –> 00:14:06.635

and says, welcome, whatever it might be.

 

319

00:14:07.305 –> 00:14:09.595

They metaphorically shake the customer’s hand

 

320

00:14:09.595 –> 00:14:11.795

and they say, you can trust us to do some things.

 

321

00:14:12.365 –> 00:14:13.955

We’ve set them out in our PDS,

 

322

00:14:14.045 –> 00:14:15.795

we’ve set them out in our Ts and Cs.

 

323

00:14:15.845 –> 00:14:17.995

There are some laws that we’re actually operating under.

 

324

00:14:18.735 –> 00:14:20.915

And there are also likely to be some other expectations

 

325

00:14:20.935 –> 00:14:22.555

and assumptions that the customer’s made.

 

326

00:14:23.025 –> 00:14:24.555

They can contact us reasonably quickly,

 

327

00:14:24.705 –> 00:14:27.775

you’ll be honest in your dealings, those sorts of things.

 

328

00:14:29.155 –> 00:14:32.135

But in order to deliver on these promises, the group

 

329

00:14:32.135 –> 00:14:33.295

that have gone out and shaken hands

 

330

00:14:33.295 –> 00:14:35.775

with the customer, product in this model, they have

 

331

00:14:35.775 –> 00:14:38.495

to make sure it all happens and they can’t do it themselves.

 

332

00:14:39.125 –> 00:14:41.655

They’ll have to get help from operations and technology and

 

333

00:14:41.655 –> 00:14:43.175

and other groups across the organization.

 

334

00:14:44.575 –> 00:14:46.075

So what we’ll find is there’ll probably be another

 

335

00:14:46.075 –> 00:14:47.155

set of agreements in place.

 

336

00:14:47.655 –> 00:14:49.035

It might be performance reporting,

 

337

00:14:49.035 –> 00:14:51.325

it might be service level agreements, whatever it might be.

 

338

00:14:52.505 –> 00:14:54.885

But we’ll also start to see constraints emerge

 

339

00:14:55.305 –> 00:14:58.805

and inability to perform at the level expected, perhaps

 

340

00:14:58.805 –> 00:15:01.165

because those expectations haven’t been clearly defined,

 

341

00:15:01.465 –> 00:15:02.525

or maybe they aren’t funded

 

342

00:15:02.785 –> 00:15:04.205

or maybe those aren’t well understood.

 

343

00:15:05.245 –> 00:15:06.985

And of course we’ve got a range of groups

 

344

00:15:07.785 –> 00:15:08.905

internal to the organization.

 

345

00:15:09.565 –> 00:15:11.225

So we might start to see some challenges

 

346

00:15:11.415 –> 00:15:13.185

with objectives and alignment.

 

347

00:15:15.065 –> 00:15:16.885

I’m sure you might be starting to see some of

 

348

00:15:16.885 –> 00:15:19.965

what these challenges might be in your organizations if you

 

349

00:15:19.965 –> 00:15:21.485

start thinking about that construct.

 

350

00:15:22.505 –> 00:15:23.685

But before we go too far,

 

351

00:15:23.965 –> 00:15:25.405

I just wanna layer on one more thing.

 

352

00:15:28.235 –> 00:15:31.935

And that is that many of these activities are wholly

 

353

00:15:31.935 –> 00:15:33.535

or largely reliant on third parties.

 

354

00:15:34.195 –> 00:15:36.855

And again, we’ve got another layer of expectations

 

355

00:15:36.915 –> 00:15:39.815

and assumptions and constraints and agreements in place.

 

356

00:15:41.365 –> 00:15:43.935

What does this mean? So what? Well, we’re starting

 

357

00:15:43.995 –> 00:15:46.735

to see how hard it can be to have a clear end

 

358

00:15:46.735 –> 00:15:48.815

to end understanding of how these dots connect.

 

359

00:15:49.835 –> 00:15:51.895

How well does the product team really understand

 

360

00:15:51.895 –> 00:15:54.855

or need to understand what a breakdown in expectations

 

361

00:15:54.855 –> 00:15:57.375

between IT and an IT service provider means?

 

362

00:15:58.275 –> 00:16:00.455

How could we adjust our expectations

 

363

00:16:00.455 –> 00:16:02.615

of those internal teams based on the performance

 

364

00:16:02.835 –> 00:16:04.055

of their service providers?

 

365

00:16:05.455 –> 00:16:07.195

But again, this is also a simplification

 

366

00:16:11.265 –> 00:16:14.315

because those third parties, well,

 

367

00:16:14.915 –> 00:16:16.365

they have their own support arrangements,

 

368

00:16:16.365 –> 00:16:17.365

they operate internally.

 

369

00:16:17.755 –> 00:16:20.245

Sometimes our customers interact directly with them,

 

370

00:16:20.315 –> 00:16:21.925

sometimes they support one another,

 

371

00:16:22.745 –> 00:16:24.605

and of course they support other organizations.

 

372

00:16:26.315 –> 00:16:27.335

So I’m not suggesting,

 

373

00:16:27.335 –> 00:16:30.575

and I don’t suggest that CPS 230 requires us to map all

 

374

00:16:30.575 –> 00:16:34.135

of these extended relationships out, at least not those

 

375

00:16:34.135 –> 00:16:35.255

outside our organization.

 

376

00:16:36.335 –> 00:16:37.935

I don’t think it’s possible. I don’t think it’s

 

377

00:16:37.935 –> 00:16:39.135

sensible, I don’t think it’s useful.

 

378

00:16:40.715 –> 00:16:43.575

But I think this is part of that mindset shift

 

379

00:16:43.965 –> 00:16:47.615

that CPS 230 is starting to ask us to think about.

 

380

00:16:48.795 –> 00:16:51.335

And I think it’s as simple and as complex as this,

 

381

00:16:52.455 –> 00:16:54.315

and it’s complex, not complicated as well.

 

382

00:16:54.395 –> 00:16:55.115

I think that’s a really

 

383

00:16:55.115 –> 00:16:56.435

important point that I’ll come back to.

 

384

00:16:57.655 –> 00:16:59.645

Let’s think about all the elements that connect together

 

385

00:16:59.665 –> 00:17:01.245

to deliver your critical operations.

 

386

00:17:02.695 –> 00:17:04.285

Let’s think about how these elements

 

387

00:17:05.465 –> 00:17:07.275

play from the perspective of all of those

 

388

00:17:07.695 –> 00:17:08.835

who play a part in delivery.

 

389

00:17:10.855 –> 00:17:13.355

And let’s think about the expectations and assumptions.

 

390

00:17:13.825 –> 00:17:16.435

Uncover the constraints, understand the objectives.

 

391

00:17:19.265 –> 00:17:20.415

Let’s understand all that first.

 

392

00:17:20.415 –> 00:17:24.255

You may then consider if you want to,

 

393

00:17:24.635 –> 00:17:26.775

or even if you’re able to change any of those things,

 

394

00:17:27.775 –> 00:17:29.555

it might seem on first glance desirable,

 

395

00:17:29.695 –> 00:17:31.315

but it might not be as you think through it

 

396

00:17:31.625 –> 00:17:33.675

because, you remember, CPS 230.

 

397

00:17:33.865 –> 00:17:35.275

It’s a risk management standard.

 

398

00:17:35.945 –> 00:17:37.955

It’s not telling us to reduce the risk to zero.

 

399

00:17:38.545 –> 00:17:42.195

It’s telling us to understand the risk and to manage it.

 

400

00:17:47.425 –> 00:17:48.405

And I think if it was all that

 

401

00:17:48.405 –> 00:17:49.565

simple, we’d be well on our way.

 

402

00:17:50.415 –> 00:17:52.315

But I think there’s another complicating factor we need

 

403

00:17:52.315 –> 00:17:54.635

to be actively considering in our CPS 230 efforts.

 

404

00:17:55.415 –> 00:17:57.835

And that is we’re not managing operational risk in a vacuum.

 

405

00:17:59.225 –> 00:18:02.275

Organizations will be subject to strategic or regulatory

 

406

00:18:02.335 –> 00:18:04.035

or operational pressures amongst others

 

407

00:18:04.785 –> 00:18:07.875

that can challenge, catalyze and complicate our efforts.

 

408

00:18:09.015 –> 00:18:10.275

So I’ll start with regulation.

 

409

00:18:12.775 –> 00:18:14.495

I can’t think of any APRA entity

 

410

00:18:14.495 –> 00:18:17.175

where CPS 230 is the only regulatory challenge.

 

411

00:18:19.285 –> 00:18:21.425

The most pertinent standards that will require alignment.

 

412

00:18:21.895 –> 00:18:24.545

It’s FAR, which I realize isn’t of course a, um,

 

413

00:18:24.545 –> 00:18:26.545

prudential standard, but still very relevant.

 

414

00:18:26.855 –> 00:18:27.945

Financial accountability.

 

415

00:18:28.545 –> 00:18:29.545

CPS 234,

 

416

00:18:29.745 –> 00:18:32.505

particularly if there are tripartite audit actions

 

417

00:18:33.765 –> 00:18:35.065

and C PS 1 92

 

418

00:18:36.695 –> 00:18:38.595

and these regulations, they’re gonna influence

 

419

00:18:38.595 –> 00:18:40.515

what you focus on for CPS 230.

 

420

00:18:40.665 –> 00:18:42.755

They’ll compete for management focus and budget

 

421

00:18:42.855 –> 00:18:46.985

and share of mindset. Integration can seem to offer benefits,

 

422

00:18:47.205 –> 00:18:49.065

but would need to be carefully considered

 

423

00:18:50.825 –> 00:18:52.235

from a strategic point of view.

 

424

00:18:52.625 –> 00:18:55.075

Each organization will have their own agenda: growth,

 

425

00:18:55.475 –> 00:18:57.955

survival, digital reinvention, something else.

 

426

00:18:59.295 –> 00:19:01.915

And I think the long lead time on CPS 230

 

427

00:19:02.465 –> 00:19:04.515

potentially has caused just as much challenge

 

428

00:19:04.515 –> 00:19:07.555

for many organizations in trying to get things underway.

 

429

00:19:09.275 –> 00:19:10.625

Three years from draft standard

 

430

00:19:10.625 –> 00:19:12.665

to implementation date is a long time

 

431

00:19:13.165 –> 00:19:14.905

and management is rightly focusing

 

432

00:19:15.605 –> 00:19:17.265

on delivering on strategy.

 

433

00:19:18.935 –> 00:19:20.555

And finally, at an operational level,

 

434

00:19:20.555 –> 00:19:22.595

there’ll be transformation, modernization

 

435

00:19:23.015 –> 00:19:26.555

or automation, consolidation, all those things going on.

 

436

00:19:29.445 –> 00:19:32.105

And what I see is navigating the work required

 

437

00:19:32.125 –> 00:19:33.345

for CPS 230,

 

438

00:19:34.685 –> 00:19:37.425

it requires, through this jungle, I think it’s a little bit

 

439

00:19:37.425 –> 00:19:39.585

of a jungle, it requires a clarity of end state.

 

440

00:19:40.995 –> 00:19:43.405

That is something that unfortunately has been hard

 

441

00:19:43.405 –> 00:19:46.405

to draw from regulation and guidance to date,

 

442

00:19:47.265 –> 00:19:49.485

but that’s what I wanted to talk about now.

 

443

00:19:53.035 –> 00:19:54.575

So what are we being asked to do?

 

444

00:19:56.625 –> 00:19:59.035

Well, I think if we try and get a very clear line on

 

445

00:19:59.035 –> 00:20:00.875

what is required, we end up

 

446

00:20:00.875 –> 00:20:05.235

with a pretty straightforward activity cycle: plan, do,

 

447

00:20:06.035 –> 00:20:07.535

check, act,

 

448

00:20:08.645 –> 00:20:10.415

because that’s, I think, all we’re being asked

 

449

00:20:10.615 –> 00:20:15.055

to do under CPS 230: understand our critical operations,

 

450

00:20:15.435 –> 00:20:18.315

put controls in place, check if they’re working

 

451

00:20:19.215 –> 00:20:20.555

and make them better if they’re not.

 

452

00:20:22.185 –> 00:20:24.605

And I think bringing it back to that level is,

 

453

00:20:24.605 –> 00:20:25.645

is really important.

 

454

00:20:25.675 –> 00:20:28.325

Whether it be a third party control,

 

455

00:20:28.325 –> 00:20:31.085

whether it be a contract, whether it be business continuity,

 

456

00:20:31.765 –> 00:20:33.245

whatever the level of technical

 

457

00:20:33.265 –> 00:20:35.005

detail, how does it connect in?

 

458

00:20:36.385 –> 00:20:38.805

And I think it really does start with an understanding of

 

459

00:20:38.805 –> 00:20:41.035

what you do, not just at a basic

 

460

00:20:41.035 –> 00:20:42.275

level, but at a level of depth.

 

461

00:20:43.335 –> 00:20:46.995

And I said I wouldn’t go deeply into the standards, but,

 

462

00:20:47.165 –> 00:20:49.965

but there’s one paragraph of CPS 230 that I’m going

 

463

00:20:49.965 –> 00:20:51.405

to check by name here,

 

464

00:20:52.265 –> 00:20:55.645

and I think it’s about as close as the standard goes

 

465

00:20:55.665 –> 00:20:58.205

to giving you a shopping list, paragraph 27.

 

466

00:20:59.465 –> 00:21:02.205

And what it says is that as an organization, you need

 

467

00:21:02.205 –> 00:21:05.085

to identify and document the processes

 

468

00:21:05.465 –> 00:21:08.725

and resources needed to deliver critical operations.

 

469

00:21:09.885 –> 00:21:13.785

The people, the technology, the information, the facilities,

 

470

00:21:14.575 –> 00:21:17.825

service providers, the interdependencies,

 

471

00:21:19.165 –> 00:21:21.545

and then the associated risks and obligations and data

 

472

00:21:21.645 –> 00:21:26.585

and controls. Without a clear, consistent

 

473

00:21:27.465 –> 00:21:30.625

documentation of those processes and resources,

 

474

00:21:33.385 –> 00:21:35.385

I think the rest of the work is bobbing about in the ocean.

 

475

00:21:37.445 –> 00:21:39.625

And I think organizations that are focusing on

 

476

00:21:40.295 –> 00:21:43.185

this deep understanding first will be well positioned

 

477

00:21:43.435 –> 00:21:46.585

throughout the CPS 230 journey later.

 

478

00:21:48.665 –> 00:21:50.645

And this is also where we need to set our tolerances,

 

479

00:21:50.865 –> 00:21:52.925

our operating parameters for these operations.

 

480

00:21:53.345 –> 00:21:55.485

And again, setting those tolerances is very challenging

 

481

00:21:55.485 –> 00:21:57.605

without actually really understanding what they are.

 

482

00:21:59.315 –> 00:22:02.285

Then once we know what we’re doing, we need

 

483

00:22:02.285 –> 00:22:03.525

to put in place the right controls

 

484

00:22:03.525 –> 00:22:06.125

to meet the objectives in line with tolerance and appetite.

 

485

00:22:07.065 –> 00:22:10.165

We need to check if it’s working and do something.

 

486

00:22:10.165 –> 00:22:11.605

If it isn’t, get back on plan.

 

487

00:22:14.755 –> 00:22:17.615

So I think it’s not too much of a simplification to say

 

488

00:22:17.615 –> 00:22:18.775

that in its delivery,

 

489

00:22:19.845 –> 00:22:22.285

CPS 230 is all about controls.

 

490

00:22:23.665 –> 00:22:25.205

Now those controls are variable.

 

491

00:22:25.705 –> 00:22:27.435

There’s deep technology controls,

 

492

00:22:27.445 –> 00:22:29.235

third party process controls,

 

493

00:22:30.095 –> 00:22:32.275

and the ownership is wide ranging within

 

494

00:22:32.295 –> 00:22:33.595

and outside the organization.

 

495

00:22:35.875 –> 00:22:37.095

And the controls need

 

496

00:22:37.095 –> 00:22:38.895

to be built based on a solid understanding

 

497

00:22:38.915 –> 00:22:40.055

of critical operations.

 

498

00:22:41.705 –> 00:22:43.955

What do you do? How do you do it? What is success?

 

499

00:22:46.445 –> 00:22:48.745

And I’ve not really yet,

 

500

00:22:49.125 –> 00:22:51.025

and I don’t really plan to spend a lot

 

501

00:22:51.025 –> 00:22:54.465

of time drawing distinction other than as examples

 

502

00:22:54.465 –> 00:22:57.385

between operational risk and business continuity

 

503

00:22:57.385 –> 00:22:58.665

and service provider management.

 

504

00:22:59.445 –> 00:23:00.665

And I do that intentionally

 

505

00:23:01.175 –> 00:23:03.905

because I think we’re better placed to deal with the needs

 

506

00:23:03.905 –> 00:23:08.385

of the standard holistically rather than reinforcing silos.

 

507

00:23:09.135 –> 00:23:11.665

CPS 230 is here to help us break those silos down.

 

508

00:23:12.785 –> 00:23:15.165

And if we focus on those elements individually,

 

509

00:23:16.085 –> 00:23:18.605

I fear we won’t help create the mindset we need.

 

510

00:23:20.125 –> 00:23:22.745

Now that’s not to say technical expertise isn’t necessary

 

511

00:23:23.565 –> 00:23:25.825

in CPS 230, it absolutely is,

 

512

00:23:26.765 –> 00:23:29.705

but it must be applied through an organizational lens.

 

513

00:23:30.045 –> 00:23:32.105

It must be applied through that understanding

 

514

00:23:33.245 –> 00:23:35.065

of the operations and the processes.

 

515

00:23:39.835 –> 00:23:42.615

So how do we progress in order to meet these requirements?

 

516

00:23:43.665 –> 00:23:46.365

Well, APRA have helpfully outlined three areas

 

517

00:23:46.415 –> 00:23:48.845

where they believe organizations should be focusing.

 

518

00:23:50.465 –> 00:23:53.355

APRA member Therese McCarthy Hockey recently outlined

 

519

00:23:53.825 –> 00:23:55.995

organizations should be focusing on governance,

 

520

00:23:56.635 –> 00:23:58.035

critical operations and mindset.

 

521

00:23:59.535 –> 00:24:01.145

Okay, that’s great, but how?

 

522

00:24:02.165 –> 00:24:05.025

How, and look, I find

 

523

00:24:05.045 –> 00:24:09.305

and see that there are four questions that we can consider

 

524

00:24:09.325 –> 00:24:11.665

to make some practical progress

 

525

00:24:13.635 –> 00:24:14.975

to connect this mindset shift

 

526

00:24:15.155 –> 00:24:17.175

to reconcile the technical requirements,

 

527

00:24:17.675 –> 00:24:19.695

and most importantly, to have the conversations

 

528

00:24:20.045 –> 00:24:22.295

with the operational leaders that are necessary.

 

529

00:24:24.175 –> 00:24:26.435

And whenever I talk to operational leaders about risk

 

530

00:24:26.435 –> 00:24:28.395

management, these are the four questions I use.

 

531

00:24:31.305 –> 00:24:34.405

And I almost always find I have a far more open trusting

 

532

00:24:34.425 –> 00:24:37.645

and outcome focused conversation than I had

 

533

00:24:37.645 –> 00:24:38.645

with earlier approaches.

 

534

00:24:39.275 –> 00:24:40.845

It’s one of the things, I’ve been doing this stuff

 

535

00:24:40.865 –> 00:24:43.005

for quite a few years and I’ve got it wrong many times

 

536

00:24:44.185 –> 00:24:45.325

and I think I’m starting

 

537

00:24:45.365 –> 00:24:46.765

to learn from some of those mistakes.

 

538

00:24:48.485 –> 00:24:49.505

And what’s the first question?

 

539

00:24:49.535 –> 00:24:51.505

Well, the first question is what are we trying to achieve?

 

540

00:24:51.505 –> 00:24:54.945

What’s the purpose of our activity? Who do we serve? For

 

541

00:24:54.945 –> 00:24:57.795

what end? What are the customer and the product

 

542

00:24:57.815 –> 00:24:58.995

and the business requirements?

 

543

00:25:01.185 –> 00:25:02.465

Secondly, have we designed,

 

544

00:25:03.365 –> 00:25:04.745

and I use that word intentionally

 

545

00:25:04.745 –> 00:25:06.185

because whether we’ve documented it

 

546

00:25:06.185 –> 00:25:09.145

or not, yes, Tim will absolutely be able to get that to you.

 

547

00:25:09.765 –> 00:25:12.265

Um, whether we’ve documented it

 

548

00:25:12.265 –> 00:25:16.135

or not, whether we’ve connected or not, or not connected it

 

549

00:25:16.135 –> 00:25:20.195

or not, we have a design for our organization:

 

550

00:25:20.785 –> 00:25:23.275

targets, policies, decision-making constructs,

 

551

00:25:23.375 –> 00:25:24.635

accountability models.

 

552

00:25:27.625 –> 00:25:31.105

Thirdly, how are we enabled to meet this design?

 

553

00:25:31.215 –> 00:25:33.465

What are the human and the data and the technology

 

554

00:25:33.485 –> 00:25:35.425

and the financial resources we have in place?

 

555

00:25:37.005 –> 00:25:39.465

And finally, how are we performing and how do we know this?

 

556

00:25:40.255 –> 00:25:41.945

What data do we have or measure?

 

557

00:25:42.535 –> 00:25:44.945

What do we do in order to address gaps in performance?

 

558

00:25:46.515 –> 00:25:49.415

And then finally, how are all of these elements connected?

 

559

00:25:50.505 –> 00:25:52.765

Is the purpose clearly translated into design?

 

560

00:25:53.725 –> 00:25:56.065

Is the design even feasible given the enablers?

 

561

00:25:57.055 –> 00:25:59.795

Are our performance metrics helpful in tweaking performance?

 

562

00:26:01.735 –> 00:26:04.075

And I’ll go into this construct in a little bit more

 

563

00:26:04.075 –> 00:26:08.035

because for me it’s so fundamental to that CPS 230,

 

564

00:26:08.065 –> 00:26:10.075

that operational risk journey.

 

565

00:26:11.335 –> 00:26:13.505

But if well populated

 

566

00:26:13.605 –> 00:26:16.025

and connected, it can really start

 

567

00:26:16.025 –> 00:26:17.905

to give us the insights we, we need

 

568

00:26:18.325 –> 00:26:20.305

to truly understand our critical operations.

 

569

00:26:21.325 –> 00:26:23.345

It can tell us who we rely on, who do we need

 

570

00:26:23.345 –> 00:26:26.745

to align across objectives and constraints and capacity?

 

571

00:26:27.595 –> 00:26:29.505

Where might our disconnects be coming from?

 

572

00:26:31.125 –> 00:26:32.825

But I think it can also help us have a bit more

 

573

00:26:32.825 –> 00:26:35.905

of an open conversation about why our controls might not be

 

574

00:26:36.145 –> 00:26:39.425

managing our risks, where we might need to tweak

 

575

00:26:39.445 –> 00:26:40.585

to improve reliability.

 

576

00:26:42.365 –> 00:26:44.175

And in, in my experience, at least

 

577

00:26:44.275 –> 00:26:45.775

by couching it in this language,

 

578

00:26:46.335 –> 00:26:48.575

I think we can create a more inclusive description

 

579

00:26:48.595 –> 00:26:50.335

of our operational risk profile.

 

580

00:26:50.875 –> 00:26:53.695

And that inclusivity is so important

 

581

00:26:53.695 –> 00:26:56.775

because the people who manage our operational risks,

 

582

00:26:56.795 –> 00:26:57.975

we know they aren’t the risk folk.

 

583

00:26:58.125 –> 00:27:00.655

It’s operations, it’s product, it’s technology.

 

584

00:27:01.675 –> 00:27:06.125

Our job is to create a description that includes people.

 

585

00:27:07.875 –> 00:27:10.615

And so if this model can give us a leg up towards CPS 230,

 

586

00:27:10.615 –> 00:27:13.215

I think it’s worthwhile thinking about how much

 

587

00:27:13.215 –> 00:27:15.455

of the data that populates that we might have already,

 

588

00:27:16.265 –> 00:27:18.415

where it’s stored, is it connected?

 

589

00:27:19.715 –> 00:27:22.935

How do we connect it? So over the following pages,

 

590

00:27:23.095 –> 00:27:25.535

I wanna spend a bit of time digging into each

 

591

00:27:25.535 –> 00:27:26.695

of the data elements that

 

592

00:27:26.725 –> 00:27:28.335

that we see at least as being crucial.

 

593

00:27:29.555 –> 00:27:32.895

And what you might wanna do as I do this is, is start a bit

 

594

00:27:32.895 –> 00:27:35.015

of a mental inventory for your own organization.

 

595

00:27:35.835 –> 00:27:36.855

You might wanna think about whether

 

596

00:27:36.855 –> 00:27:39.095

or not you’ve got a clear and agreed view of the data.

 

597

00:27:40.155 –> 00:27:42.055

You might wanna think about whether you’re storing it

 

598

00:27:42.055 –> 00:27:43.095

in a consistent manner.

 

599

00:27:44.825 –> 00:27:47.245

You might wanna think about whether you’ve captured all the

 

600

00:27:47.245 –> 00:27:49.965

things that you might want, enough specificity to measure

 

601

00:27:49.985 –> 00:27:53.405

and understand, clear ownership, but maybe not too much.

 

602

00:27:54.265 –> 00:27:56.725

And finally, think about whether

 

603

00:27:56.745 –> 00:27:58.885

or not how the data is stored.

 

604

00:27:59.705 –> 00:28:02.285

Is it in a way that you can actually connect it?

 

605

00:28:02.735 –> 00:28:05.165

Could you clearly understand for a given operation

 

606

00:28:05.665 –> 00:28:06.685

how it’s been designed?

 

607

00:28:07.105 –> 00:28:10.405

Who enables it? How would we know if it’s going well or not?

 

608

00:28:18.775 –> 00:28:22.355

And so the first area I wanted to explore was purpose.

 

609

00:28:23.455 –> 00:28:26.385

What are we trying to achieve? And the kinds of things

 

610

00:28:26.735 –> 00:28:27.785

that we wanna know here.

 

611

00:28:29.295 –> 00:28:30.425

Purpose and objective.

 

612

00:28:30.425 –> 00:28:33.945

It’s not just, it’s not even really our high level business

 

613

00:28:33.945 –> 00:28:36.385

purpose, those vision things.

 

614

00:28:36.615 –> 00:28:38.625

Because again, we’re down to the process level.

 

615

00:28:39.285 –> 00:28:41.105

What’s the actual purpose of the process?

 

616

00:28:41.885 –> 00:28:43.185

Are we trying to process claims

 

617

00:28:43.205 –> 00:28:44.905

to a certain level of efficiency?

 

618

00:28:45.525 –> 00:28:47.105

Do we wanna process a certain number

 

619

00:28:47.105 –> 00:28:48.505

of transactions per day?

 

620

00:28:49.735 –> 00:28:52.105

We want to connect it to that higher strategic purpose.

 

621

00:28:52.725 –> 00:28:54.385

But it’s more important to be clear on

 

622

00:28:54.485 –> 00:28:56.705

how we’ll actually know if we’re doing what we need.

 

623

00:28:58.795 –> 00:29:00.855

And we need to know who and what need we’re serving.

 

624

00:29:01.515 –> 00:29:03.965

What are the products, services, customers, channels?

 

625

00:29:04.785 –> 00:29:07.245

Is this a 30-year mortgage, a multi-year

 

626

00:29:07.315 –> 00:29:10.005

annuity, a day-to-day payment card?

 

627

00:29:12.185 –> 00:29:14.165

We need to know who our internal customers are,

 

628

00:29:14.815 –> 00:29:16.245

who’s downstream dependent.

 

629

00:29:17.165 –> 00:29:20.455

They rely on us. So our constraints are their constraints

 

630

00:29:21.155 –> 00:29:22.495

and we need to understand their purpose

 

631

00:29:22.555 –> 00:29:23.575

so we can design for this.

 

632

00:29:25.355 –> 00:29:27.815

And finally, we need to understand the rules we need

 

633

00:29:27.815 –> 00:29:29.415

to play within and the risks we might,

 

634

00:29:29.415 –> 00:29:30.415

that might put us off track.

 

635

00:29:31.645 –> 00:29:33.305

And I’m not saying by putting risk at the bottom,

 

636

00:29:33.375 –> 00:29:34.505

it’s the least important thing

 

637

00:29:34.505 –> 00:29:35.905

here, but it’s not the driver.

 

638

00:29:36.565 –> 00:29:38.825

The driver is the why and the what.

 

639

00:29:39.205 –> 00:29:40.745

The risk is how we might go off track.

 

640

00:29:41.985 –> 00:29:43.285

So we need to design for it,

 

641

00:29:43.935 –> 00:29:45.435

but only in the context of purpose.

 

642

00:29:47.525 –> 00:29:49.745

And you’ll also notice that I’ve delineated some colors

 

643

00:29:49.745 –> 00:29:51.185

here, some green and some brown.

 

644

00:29:52.415 –> 00:29:54.115

And this is because in my experience,

 

645

00:29:54.495 –> 00:29:56.115

and most of you, if you’re coming from a risk lens,

 

646

00:29:56.115 –> 00:29:59.435

you’ll have a GRC system, a risk intelligence system.

 

647

00:29:59.495 –> 00:30:01.595

And in that risk system you’ll probably

 

648

00:30:01.595 –> 00:30:02.755

have obligations and risks.

 

649

00:30:03.795 –> 00:30:06.175

But many of you will not have the stuff in brown.

 

650

00:30:07.225 –> 00:30:09.445

And you’ll see through the following pages that the bulk

 

651

00:30:09.445 –> 00:30:12.525

of the data that we see as being really fundamental elements

 

652

00:30:12.545 –> 00:30:16.445

of that CPS 230 model, well,

 

653

00:30:16.445 –> 00:30:18.205

they’re not traditionally in GRC systems.

 

654

00:30:19.665 –> 00:30:20.925

And I thought about this for a second

 

655

00:30:20.945 –> 00:30:22.125

and I thought, does that make sense?

 

656

00:30:23.375 –> 00:30:25.165

We’re saying that with what a new risk standard,

 

657

00:30:25.505 –> 00:30:29.005

but most of the data is not in our risk systems.

 

658

00:30:31.225 –> 00:30:32.925

And I sort of came to the conclusion, yeah,

 

659

00:30:33.605 –> 00:30:35.855

because I think if our current systems were actually

 

660

00:30:35.855 –> 00:30:37.695

capturing and connecting the dots,

 

661

00:30:38.225 –> 00:30:40.015

maybe we wouldn’t need the new regulation.

 

662

00:30:40.025 –> 00:30:41.495

Maybe we’ll be doing this stuff already.

 

663

00:30:42.315 –> 00:30:43.335

So I think it makes sense.

 

664

00:30:47.025 –> 00:30:48.485

And the next area is design.

 

665

00:30:49.805 –> 00:30:53.505

So how do have we intentionally

 

666

00:30:53.565 –> 00:30:55.185

or unintentionally over time

 

667

00:30:56.145 –> 00:30:57.825

designed our organization to meet our purpose?

 

668

00:30:59.285 –> 00:31:01.545

And I say intentionally or unintentionally, not

 

669

00:31:01.545 –> 00:31:03.585

because any of the individual decisions

 

670

00:31:03.995 –> 00:31:05.105

might be unintentional.

 

671

00:31:05.165 –> 00:31:08.425

I’m sure that there’s always logic, there’s always logic.

 

672

00:31:08.445 –> 00:31:10.025

People are always making decisions

 

673

00:31:10.635 –> 00:31:12.065

based on what’s available to them.

 

674

00:31:12.365 –> 00:31:16.105

But the combined effect is rarely if ever considered

 

675

00:31:16.875 –> 00:31:18.085

when those decisions are made.

 

676

00:31:18.665 –> 00:31:21.735

And if they are, that decision making is often

 

677

00:31:21.755 –> 00:31:22.935

in the hands of a few people.

 

678

00:31:23.035 –> 00:31:26.925

It may not be shared. So what are we looking at here?

 

679

00:31:26.925 –> 00:31:28.005

Well, look, I, I think we start

 

680

00:31:28.005 –> 00:31:29.525

with our process architecture.

 

681

00:31:29.625 –> 00:31:31.165

How do we organize what we do?

 

682

00:31:31.865 –> 00:31:34.605

Now in many organizations, this might be under-documented,

 

683

00:31:34.705 –> 00:31:37.205

it might not be as well understood as it could be.

 

684

00:31:38.025 –> 00:31:39.965

But in addition to the what, it’s important

 

685

00:31:39.965 –> 00:31:41.165

that we understand the limits.

 

686

00:31:42.075 –> 00:31:43.165

What are the capacities

 

687

00:31:43.165 –> 00:31:44.965

and the constraints of these processes?

 

688

00:31:45.665 –> 00:31:48.565

Now, in a traditional factory environment, we’d never try

 

689

00:31:48.565 –> 00:31:51.165

and switch out one manufacturing process from one line

 

690

00:31:51.165 –> 00:31:54.125

to another without a whole bunch of control

 

691

00:31:54.225 –> 00:31:55.285

and check and challenge.

 

692

00:31:56.755 –> 00:31:58.815

So why do we think we can switch out resources in a

 

693

00:31:58.815 –> 00:32:00.895

financial process with, with minimal loss

 

694

00:32:00.895 –> 00:32:02.495

of efficiency or reduction in quality?

 

695

00:32:04.175 –> 00:32:06.535

Secondly, how have we empowered these processes?

 

696

00:32:06.595 –> 00:32:07.695

Who makes the decisions?

 

697

00:32:08.085 –> 00:32:11.215

What does our policy construct tell us? Who is accountable?

 

698

00:32:12.655 –> 00:32:14.145

Thirdly and crucially, what are our limits,

 

699

00:32:14.165 –> 00:32:16.305

our appetite statements, our tolerances

 

700

00:32:16.935 –> 00:32:18.025

that we’ve set ourselves?

 

701

00:32:18.215 –> 00:32:21.025

What can we work within, hopefully within our constraints?

 

702

00:32:21.325 –> 00:32:22.945

But how does that relationship work?

 

703

00:32:25.045 –> 00:32:26.685

Fourthly, how have we put this together

 

704

00:32:27.235 –> 00:32:28.525

into a message for our people?

 

705

00:32:28.915 –> 00:32:31.405

What are they trained to do? What do their instructions say?

 

706

00:32:31.755 –> 00:32:34.005

What do the processes tell them to do when things go bump?

 

707

00:32:34.665 –> 00:32:37.295

And finally, how do we design our controls

 

708

00:32:37.295 –> 00:32:38.695

to keep all these parts on track?

 

709

00:32:40.215 –> 00:32:42.595

What’s our desired mechanism to keep things working?

 

710

00:32:44.855 –> 00:32:46.755

And I think there’s a really interesting thought experiment

 

711

00:32:46.755 –> 00:32:49.515

here in three parts to play along,

 

712

00:32:49.515 –> 00:32:53.525

if you want to. First, have a think about your organization

 

713

00:32:53.585 –> 00:32:56.725

and, and one of your key processes, customer service, claims

 

714

00:32:57.045 –> 00:33:00.725

handling, payments, and think about all this design stuff

 

715

00:33:01.105 –> 00:33:02.205

and, and ask a question,

 

716

00:33:05.275 –> 00:33:08.135

how confident are you that all of this design, the,

 

717

00:33:08.195 –> 00:33:11.495

the process delegations, the limits, the training material,

 

718

00:33:12.475 –> 00:33:15.335

are internally consistent with one another end to end?

 

719

00:33:15.805 –> 00:33:18.215

Does our training reinforce our delegation?

 

720

00:33:18.755 –> 00:33:20.215

Is that all connected with our process?

 

721

00:33:23.005 –> 00:33:24.445

Secondly, how confident are you

 

722

00:33:24.445 –> 00:33:26.965

that those elements have actually got a reasonable chance

 

723

00:33:26.985 –> 00:33:29.485

of delivering on the goals for that process?

 

724

00:33:29.745 –> 00:33:32.445

The growth and the customer goals, the risk goals.

 

725

00:33:34.035 –> 00:33:37.175

And that’s what the little blue feedback loop I think really

 

726

00:33:37.175 –> 00:33:38.375

is important in this model.

 

727

00:33:38.755 –> 00:33:41.095

We need to be checking if our design will actually meet our

 

728

00:33:41.095 –> 00:33:43.695

purpose or if we need to adjust one or the other.

 

729

00:33:45.195 –> 00:33:49.145

And the final question as you ponder this,

 

730

00:33:51.445 –> 00:33:53.905

do you think your current controls framework gives you any

 

731

00:33:53.905 –> 00:33:56.075

helpful information about all

 

732

00:33:56.075 –> 00:33:57.075

of the stuff you’re thinking about?

 

733

00:33:57.865 –> 00:34:00.205

And if it does, great, I’m really, really happy for you.

 

734

00:34:01.265 –> 00:34:03.485

And I’d love to learn more about

 

735

00:34:03.485 –> 00:34:05.205

how you’ve got your control framework doing that.

 

736

00:34:05.205 –> 00:34:07.965

Because in many of the organizations I speak with,

 

737

00:34:09.635 –> 00:34:12.165

there’s a level of confidence about one, you know,

 

738

00:34:12.165 –> 00:34:15.675

people understand what they’re doing, there’s

 

739

00:34:16.695 –> 00:34:19.025

less confidence about the connectivity.

 

740

00:34:20.205 –> 00:34:23.225

And when you start talking controls, it’s really quite,

 

741

00:34:24.555 –> 00:34:25.705

quite disconnected.

 

742

00:34:27.255 –> 00:34:29.665

Look, again, the green and the brown, it represents

 

743

00:34:29.665 –> 00:34:31.825

where this data sits today in many organizations.

 

744

00:34:32.295 –> 00:34:34.145

Look, I absolutely recognize that some

 

745

00:34:34.145 –> 00:34:36.905

of you will have more in the green than I’ve represented,

 

746

00:34:37.765 –> 00:34:40.185

but I’d be surprised if you can connect all the dots.

 

747

00:34:44.005 –> 00:34:47.225

And next we get into I think the real detail

 

748

00:34:47.225 –> 00:34:49.345

that CPS 230 is asking us for

 

749

00:34:50.045 –> 00:34:51.585

and with, remember, remember back

 

750

00:34:51.585 –> 00:34:54.785

to our friend paragraph 27, that’s seared on my brain

 

751

00:34:54.845 –> 00:34:56.705

and, you know, I think needs

 

752

00:34:56.705 –> 00:34:58.985

to be seared on a few more, is the enablers.

 

753

00:35:00.195 –> 00:35:02.145

These are the things that we need to have in place

 

754

00:35:02.165 –> 00:35:03.865

to bring the design to life.

 

755

00:35:04.985 –> 00:35:07.135

We’ve got our people, the systems they use,

 

756

00:35:07.155 –> 00:35:09.975

the data they rely on to enable those systems,

 

757

00:35:11.275 –> 00:35:13.855

the facilities they work in, the structures they rely on,

 

758

00:35:13.855 –> 00:35:15.455

the upstream dependencies delivered

 

759

00:35:15.455 –> 00:35:16.655

by others in the organization.

 

760

00:35:17.955 –> 00:35:20.055

And of course we’ve got the third parties that we rely on

 

761

00:35:20.155 –> 00:35:22.975

to deliver parts of or all of these processes.

 

762

00:35:24.415 –> 00:35:26.435

And as we see here, this is an area where I,

 

763

00:35:26.515 –> 00:35:28.915

I see many organizations haven’t gathered the data

 

764

00:35:29.335 –> 00:35:30.475

to connect the dots yet.

 

765

00:35:31.615 –> 00:35:33.275

Yep. Some organizations might have some

 

766

00:35:33.275 –> 00:35:34.595

of these elements in their risk systems,

 

767

00:35:35.015 –> 00:35:37.195

but even if they are, are they really connected

 

768

00:35:37.405 –> 00:35:40.365

with process purpose and design or are they standalone?

 

769

00:35:40.865 –> 00:35:42.605

Are they sitting in different silos?

 

770

00:35:44.065 –> 00:35:46.005

And that’s actually one of the challenges that I see

 

771

00:35:46.435 –> 00:35:49.005

that people have with CPS 234 in particular.

 

772

00:35:49.675 –> 00:35:52.005

Because if you can’t connect the technology risk

 

773

00:35:52.005 –> 00:35:55.405

with the business purpose, how can you actually show whether

 

774

00:35:55.405 –> 00:35:57.285

you’re managing the risk effectively at all?

 

775

00:36:00.085 –> 00:36:02.185

And look, here’s another great way to look at this.

 

776

00:36:02.815 –> 00:36:04.265

With that hypothetical process,

 

777

00:36:05.605 –> 00:36:08.075

think about whether your organization has put the right

 

778

00:36:08.115 –> 00:36:11.555

enablers in place to deliver the process design.

 

779

00:36:12.455 –> 00:36:14.195

And if you haven’t, how would you know?

 

780

00:36:14.615 –> 00:36:15.755

Except from the thing breaking.

 

781

00:36:17.875 –> 00:36:20.095

And this actually gets onto one of my bigger bugbears

 

782

00:36:20.095 –> 00:36:21.215

with control evaluation.

 

783

00:36:21.315 –> 00:36:23.895

And I’ve been guilty as most over this.

 

784

00:36:24.795 –> 00:36:27.375

We test a control against a design or an objective.

 

785

00:36:28.315 –> 00:36:29.855

We find it doesn’t meet that objective.

 

786

00:36:29.855 –> 00:36:32.095

And then the answer is improve the control.

 

787

00:36:32.855 –> 00:36:36.155

We don’t clearly understand what enables that control

 

788

00:36:36.745 –> 00:36:38.075

what needs to be traded off

 

789

00:36:38.075 –> 00:36:39.235

to actually give us a better chance

 

790

00:36:39.235 –> 00:36:40.475

of delivering on our design.

 

791

00:36:42.235 –> 00:36:44.055

And that’s why unfortunately a lot

 

792

00:36:44.055 –> 00:36:46.415

of control remediations go on a scrap heap to die.

 

793

00:36:47.755 –> 00:36:50.015

So my advice, if you’re looking at a process incident

 

794

00:36:50.015 –> 00:36:52.055

or a control failure, start

 

795

00:36:52.055 –> 00:36:54.375

with getting a clear understanding of the enablers.

 

796

00:36:55.155 –> 00:36:57.175

And look, if you can’t get that from those involved,

 

797

00:36:57.445 –> 00:36:58.775

they probably don’t understand the process.

 

798

00:37:00.465 –> 00:37:03.285

And if they do, you’ll probably quickly find out

 

799

00:37:03.285 –> 00:37:04.365

where those stresses are.

 

800

00:37:05.725 –> 00:37:06.985

And please don’t read or listen

 

801

00:37:07.045 –> 00:37:10.065

or hear this as me saying just spend more money and fix

 

802

00:37:10.065 –> 00:37:12.345

problems, more enablers, better risk management.

 

803

00:37:13.285 –> 00:37:14.705

That’s not what I’m saying.

 

804

00:37:15.805 –> 00:37:17.335

What I’m saying is we need to understand

 

805

00:37:17.515 –> 00:37:20.335

how we’ve allocated our finite resources across a purpose.

 

806

00:37:21.445 –> 00:37:23.515

Which of those resource allocations might be

 

807

00:37:23.515 –> 00:37:24.795

causing us the most pressure?

 

808

00:37:25.795 –> 00:37:29.485

Are there any allocations we can reduce whether we trade off

 

809

00:37:30.255 –> 00:37:31.995

or do we just have to continue running hot

 

810

00:37:32.495 –> 00:37:33.835

and accept that things might break?

 

811

00:37:34.875 –> 00:37:38.455

And that might be fine if we’re doing so with preparedness.

 

812

00:37:42.075 –> 00:37:43.295

And the final element of this

 

813

00:37:43.295 –> 00:37:44.535

model, the performance metrics.

 

814

00:37:46.175 –> 00:37:48.075

How do we know if we’re using our enablers

 

815

00:37:48.075 –> 00:37:50.475

to deliver on our design and hence meet our purpose

 

816

00:37:52.525 –> 00:37:54.745

and those metrics and goals and the like, they’re key here.

 

817

00:37:54.965 –> 00:37:56.345

But also things like complaints

 

818

00:37:56.645 –> 00:38:00.185

and issues where we need to apply consequence management,

 

819

00:38:00.365 –> 00:38:01.825

how our controls are performing,

 

820

00:38:02.205 –> 00:38:04.305

how well we’re delivering on our improvement actions.

 

821

00:38:04.805 –> 00:38:06.145

And of course my personal favorite,

 

822

00:38:06.195 –> 00:38:07.745

those unplanned investments

 

823

00:38:07.745 –> 00:38:10.745

and process improvement, AKA our incidents.

 

824

00:38:12.145 –> 00:38:14.665

I think the key question to ask here is are we getting the

 

825

00:38:14.665 –> 00:38:16.345

right information at the right time

 

826

00:38:16.885 –> 00:38:18.425

to tweak the process design

 

827

00:38:18.645 –> 00:38:20.945

and enablement so we can stay on track

 

828

00:38:22.005 –> 00:38:24.785

rather than focusing on managing the metrics we do receive?

 

829

00:38:25.845 –> 00:38:29.145

And again, much of the data that we see as being vital dots

 

830

00:38:29.145 –> 00:38:30.945

to be connected, they’re not present in those

 

831

00:38:31.415 –> 00:38:32.705

risk platforms traditionally.

 

832

00:38:36.755 –> 00:38:38.975

One of the goals that I set for this session was

 

833

00:38:38.975 –> 00:38:42.215

to give a view of a connected model that might enable you

 

834

00:38:42.215 –> 00:38:44.135

to meet CPS 230 with confidence.

 

835

00:38:45.895 –> 00:38:47.015

I suggest that this model,

 

836

00:38:48.025 –> 00:38:50.605

it has roots in CPS 230 requirements,

 

837

00:38:50.625 –> 00:38:52.565

but it does in some areas go a bit broader.

 

838

00:38:54.465 –> 00:38:55.555

It’s a blueprint for this.

 

839

00:38:56.725 –> 00:38:58.665

Is it perfect for your organization today?

 

840

00:38:58.665 –> 00:39:00.825

No, of course not. We’re all different in some way.

 

841

00:39:01.885 –> 00:39:04.865

But does it offer a model to work to? Absolutely.

 

842

00:39:06.085 –> 00:39:08.385

And I think crucially for those of us in risk roles,

 

843

00:39:09.045 –> 00:39:11.345

it offers an operations-led conversation.

 

844

00:39:12.445 –> 00:39:14.865

So I spoke earlier about the risks of letting silos,

 

845

00:39:14.865 –> 00:39:16.465

whether they be risk or resilience

 

846

00:39:16.525 –> 00:39:18.025

or vendor management lead here.

 

847

00:39:19.265 –> 00:39:21.505

’cause CPS 230 will only ever be part of

 

848

00:39:21.505 –> 00:39:24.225

what you do each day if it’s being led by your product

 

849

00:39:24.365 –> 00:39:26.585

and technology and operational leaders.

 

850

00:39:28.415 –> 00:39:30.035

And this data model, whenever I put it in front

 

851

00:39:30.035 –> 00:39:31.155

of those people, it resonates.

 

852

00:39:31.295 –> 00:39:34.595

It talks to them in their language, it reflects their mindset.

 

853

00:39:36.355 –> 00:39:38.415

And that’s the thing, if we go on all guns blazing

 

854

00:39:38.415 –> 00:39:40.335

and tell people they’re gonna have to reinvent themselves

 

855

00:39:40.335 –> 00:39:43.415

because the regulator says we need a new mindset that

 

856

00:39:43.415 –> 00:39:46.055

what they’ve been doing up until now is wrong.

 

857

00:39:46.605 –> 00:39:47.735

Well, we’re in for a tough time

 

858

00:39:48.715 –> 00:39:51.985

because operational people manage risk every day.

 

859

00:39:52.345 –> 00:39:53.505

Payments are processed,

 

860

00:39:53.645 –> 00:39:56.025

claims are handled, pensions are paid.

 

861

00:39:57.025 –> 00:39:59.045

Is it perfect? No, of course not.

 

862

00:40:00.415 –> 00:40:04.405

But I think a way forward offers, sorry,

 

863

00:40:05.005 –> 00:40:07.085

a way forward that respects what it’s done

 

864

00:40:07.345 –> 00:40:10.425

and builds on it offers far more

 

865

00:40:11.115 –> 00:40:13.025

value than a way forward that tries

 

866

00:40:13.025 –> 00:40:14.225

to burn that to the ground.

 

867

00:40:15.505 –> 00:40:17.085

And that is what this model tries to do

 

868

00:40:17.505 –> 00:40:20.005

and tries to respect and go forward.

 

869

00:40:24.405 –> 00:40:25.905

So I’ve

 

870

00:40:26.025 –> 00:40:28.065

provided a bit of an overview of some of the key elements

 

871

00:40:28.065 –> 00:40:29.505

of CPS 230, the mindset

 

872

00:40:29.805 –> 00:40:33.375

and the data model that will be required in our view

 

873

00:40:33.375 –> 00:40:35.135

to demonstrate sustainable resilience.

 

874

00:40:36.495 –> 00:40:39.155

But what should organizations be doing now

 

875

00:40:39.455 –> 00:40:41.515

to move from preparation to action?

 

876

00:40:42.825 –> 00:40:44.105

Well, many

 

877

00:40:44.105 –> 00:40:47.185

of the organizations I think are still in that get ready phase.

 

878

00:40:48.355 –> 00:40:49.735

So if we think about ready, set, go,

 

879

00:40:50.065 –> 00:40:52.135

we’re starting the race, I think a lot

 

880

00:40:52.135 –> 00:40:53.535

of people are still getting ready, but

 

881

00:40:53.535 –> 00:40:54.735

we’re soon gonna need to get set.

 

882

00:40:56.385 –> 00:40:59.605

Now, in my view, a lot of the value added, the opportunity

 

883

00:40:59.705 –> 00:41:03.445

to connect these efforts sits in the get ready stage.

 

884

00:41:04.725 –> 00:41:06.765

I think there’s also potential for high volatility

 

885

00:41:06.785 –> 00:41:09.725

and outcomes because this is where it’s important

 

886

00:41:09.725 –> 00:41:12.125

to build engagement, getting it on the agenda,

 

887

00:41:12.195 –> 00:41:14.045

getting it on the budget slate.

 

888

00:41:15.225 –> 00:41:17.485

And I don’t think we can overestimate the importance

 

889

00:41:17.545 –> 00:41:20.005

of setting a really clear view on what must be true,

 

890

00:41:20.105 –> 00:41:22.005

what’s our data model, what’s our mindset,

 

891

00:41:26.685 –> 00:41:27.545

How are we

 

892

00:41:31.225 –> 00:41:31.885

to get to this?

 

893

00:41:33.245 –> 00:41:35.495

Because that then drives the activity that follows.

 

894

00:41:37.835 –> 00:41:39.255

And I think it’s also vital at this stage

 

895

00:41:39.255 –> 00:41:41.655

to make some key decisions about roles and planning.

 

896

00:41:42.475 –> 00:41:44.015

And one question we’ve commonly heard is,

 

897

00:41:44.015 –> 00:41:47.815

will CPS 230 be a project or not? Our experience is,

 

898

00:41:47.815 –> 00:41:49.895

in some organizations it is and in some it isn’t.

 

899

00:41:50.715 –> 00:41:52.695

And then the next question is, well, well should it be?

 

900

00:41:54.495 –> 00:41:56.275

And I think it’s actually more helpful to look at

 

901

00:41:56.275 –> 00:42:00.515

what we see as the critical success factors for CPS 230

 

902

00:42:01.055 –> 00:42:03.355

and how you’ll achieve those than work out

 

903

00:42:03.355 –> 00:42:04.475

whether it’s a project or not.

 

904

00:42:05.415 –> 00:42:10.025

So will you have a clear shared view of the end state?

 

905

00:42:11.365 –> 00:42:13.665

Can you get the right access to the right capability

 

906

00:42:13.685 –> 00:42:15.265

to make good decisions at the right time?

 

907

00:42:16.775 –> 00:42:17.875

Can you coordinate

 

908

00:42:17.875 –> 00:42:20.355

and access the resources you need to make progress?

 

909

00:42:22.205 –> 00:42:25.165

Fourthly, and so fundamentally, are you confident

 

910

00:42:25.165 –> 00:42:26.445

that the knowledge gained

 

911

00:42:27.145 –> 00:42:29.645

by doing the work will be institutionalized,

 

912

00:42:30.195 –> 00:42:32.565

will become part of the way things are done around here?

 

913

00:42:33.855 –> 00:42:35.435

And finally, have you got a good mechanism

 

914

00:42:35.455 –> 00:42:36.995

to work out if you’re on track or not?

 

915

00:42:38.715 –> 00:42:40.995

I think if you can answer those five questions in the

 

916

00:42:40.995 –> 00:42:43.635

affirmative, then I don’t care whether you’ve got a project

 

917

00:42:43.935 –> 00:42:46.555

that’s on the side of someone’s desk, whatever it might be.

 

918

00:42:47.745 –> 00:42:51.195

Realistically, I expect many organizations will put in place

 

919

00:42:51.275 –> 00:42:54.235

a project model as they transition from get ready

 

920

00:42:54.235 –> 00:42:56.675

to get set given the volume of work

 

921

00:42:56.675 –> 00:42:58.315

and coordination required.

 

922

00:42:59.855 –> 00:43:02.995

And that next phase get set, that’s

 

923

00:43:02.995 –> 00:43:04.075

where the volume of work is.

 

924

00:43:04.735 –> 00:43:07.195

That’s where we do the documentation, the control mapping,

 

925

00:43:07.255 –> 00:43:09.235

the methodology updates, the system upgrades.

 

926

00:43:09.855 –> 00:43:11.755

And our advice here

 

927

00:43:12.095 –> 00:43:14.475

and that’s drawn as much from our early experience

 

928

00:43:14.475 –> 00:43:16.875

of this work as it is from past regulatory efforts,

 

929

00:43:17.095 –> 00:43:19.395

is the importance of iteration

 

930

00:43:20.015 –> 00:43:23.915

and maintaining a clear view of the end state first efforts,

 

931

00:43:24.085 –> 00:43:28.275

first list of critical operations controls, tolerances,

 

932

00:43:28.955 –> 00:43:30.115

material service providers.

 

933

00:43:30.465 –> 00:43:33.715

They will update, they will require more data, sorry,

 

934

00:43:33.715 –> 00:43:34.995

they’ll require update.

 

935

00:43:35.015 –> 00:43:36.275

As your data improves,

 

936

00:43:37.065 –> 00:43:39.075

your processes will need to change and evolve.

 

937

00:43:39.795 –> 00:43:41.395

Incident management, business continuity.

 

938

00:43:42.895 –> 00:43:45.115

So expect iteration, don’t expect

 

939

00:43:45.115 –> 00:43:46.155

to get it right first time.

 

940

00:43:46.815 –> 00:43:48.035

But I think importantly,

 

941

00:43:49.045 –> 00:43:50.675

start making the trade-off decisions

 

942

00:43:50.755 –> 00:43:52.395

that CPS 230 will require.

 

943

00:43:52.855 –> 00:43:56.675

As you get set, start living that resilient lifestyle.

 

944

00:43:57.815 –> 00:43:59.595

How quickly think about

 

945

00:43:59.595 –> 00:44:01.195

how quickly you can integrate tolerances

 

946

00:44:01.195 –> 00:44:03.195

for critical operations into decision making,

 

947

00:44:03.665 –> 00:44:05.875

even on a scenario or an exercise basis.

 

948

00:44:06.725 –> 00:44:09.235

Think about how quickly you can move your procurement

 

949

00:44:09.825 –> 00:44:11.355

that relates to critical operations

 

950

00:44:11.375 –> 00:44:13.275

to being CPS 230 informed.

 

951

00:44:13.625 –> 00:44:15.035

Because you know what?

 

952

00:44:15.175 –> 00:44:18.955

Any contract you enter into over the next 18 months

 

953

00:44:18.955 –> 00:44:20.995

or so will at some stage likely have

 

954

00:44:20.995 –> 00:44:23.795

to meet CPS 230 requirements if it’s in scope.

 

955

00:44:25.655 –> 00:44:26.775

And that’s

 

956

00:44:26.775 –> 00:44:28.615

because as you move from getting set to go,

 

957

00:44:29.465 –> 00:44:32.245

well the expectation is that CPS 230 is well embedded,

 

958

00:44:34.125 –> 00:44:36.175

that implementation date’s been pushed out.

 

959

00:44:36.205 –> 00:44:38.615

Well, there’s an expectation of performance from day one.

 

960

00:44:39.765 –> 00:44:41.175

Produce the reports you need,

 

961

00:44:41.205 –> 00:44:42.975

give the board the information they need

 

962

00:44:43.725 –> 00:44:45.985

to oversight all from day one.

 

963

00:44:48.765 –> 00:44:51.685

And so to wrap up, I wanna go back

 

964

00:44:51.685 –> 00:44:55.645

to some words from Wayne Byres of APRA a couple of years ago.

 

965

00:44:56.265 –> 00:44:58.565

And I think they form a really clear basis of the ask

 

966

00:44:58.585 –> 00:44:59.685

for CPS 230.

 

967

00:45:02.075 –> 00:45:03.215

And that’s what we’re being asked to do.

 

968

00:45:03.265 –> 00:45:04.815

We’re being asked to join the dots.

 

969

00:45:05.485 –> 00:45:07.185

The dots are mostly there.

 

970

00:45:07.865 –> 00:45:09.905

I think you’ll see from the data model I shared earlier

 

971

00:45:09.975 –> 00:45:12.065

that the dots may not all be there

 

972

00:45:12.885 –> 00:45:15.665

and they almost certainly haven’t been connected

 

973

00:45:15.665 –> 00:45:18.545

or constructed in such a way that they’re easy to connect.

 

974

00:45:21.065 –> 00:45:23.445

And why not? Well, I think we haven’t had good end-to-end

 

975

00:45:23.445 –> 00:45:25.205

views of our critical operations

 

976

00:45:25.915 –> 00:45:27.765

risk systems, process systems.

 

977

00:45:29.675 –> 00:45:34.365

They haven’t helped us and we haven’t thought about this

 

978

00:45:35.135 –> 00:45:36.745

perhaps as much as we could

 

979

00:45:38.215 –> 00:45:40.665

from multiple lenses across the organization.

 

980

00:45:41.665 –> 00:45:44.205

Our mindsets thinking about

 

981

00:45:46.855 –> 00:45:49.735

who’s upstream, who’s downstream, how does

 

982

00:45:49.735 –> 00:45:52.215

that work in an organization which is siloed.

 

983

00:45:53.325 –> 00:45:55.855

It’s not people who haven’t been thinking about it,

 

984

00:45:55.855 –> 00:45:57.415

it’s the organization that’s been forcing

 

985

00:45:58.065 –> 00:45:59.215

their thinking in that way.

 

986

00:46:00.075 –> 00:46:01.935

And so I think the work we need to do has

 

987

00:46:01.935 –> 00:46:03.175

to address both these challenges.

 

988

00:46:04.215 –> 00:46:06.375

I think we need better connected,

 

989

00:46:06.695 –> 00:46:10.095

coherent data on our critical operations, their purpose,

 

990

00:46:10.345 –> 00:46:13.535

their design, their enablers, and their performance.

 

991

00:46:14.555 –> 00:46:17.375

And we need this data in a manner that’s useful,

 

992

00:46:18.255 –> 00:46:21.725

not disaggregated, not perfect, not perfect,

 

993

00:46:22.165 –> 00:46:23.525

absolutely but useful.

 

994

00:46:25.905 –> 00:46:27.485

And I think most of this data exists,

 

995

00:46:27.665 –> 00:46:30.525

but we need better tools and we need time

 

996

00:46:30.665 –> 00:46:34.125

to connect the dots because that’s not easy either.

 

997

00:46:36.355 –> 00:46:37.935

And I think we need to think a bit differently.

 

998

00:46:39.475 –> 00:46:41.415

If we don’t attempt to understand the pressures

 

999

00:46:41.415 –> 00:46:43.495

and the constraints and the challenges of those who

 

1000

00:46:44.555 –> 00:46:48.475

we rely on to do what we do well, I think they’ll continue

 

1001

00:46:48.475 –> 00:46:49.835

to surprise and disappoint us.

 

1002

00:46:51.945 –> 00:46:54.285

And at some point that becomes more our fault than theirs.

 

1003

00:46:55.145 –> 00:46:58.395

If we haven’t set up a process

 

1004

00:46:59.105 –> 00:47:03.555

that is consistent between purpose design enablers

 

1005

00:47:03.695 –> 00:47:08.005

to meet performance, then that’s the challenge on the person

 

1006

00:47:08.265 –> 00:47:10.605

and the people and the groups who have designed those

 

1007

00:47:12.195 –> 00:47:14.965

processes, not the people who are delivering on them.

 

1008

00:47:16.195 –> 00:47:19.455

And I think CPS 230 can be a catalyst for better

 

1009

00:47:19.915 –> 00:47:22.615

and more robust conversations about

 

1010

00:47:22.615 –> 00:47:26.625

what can actually be achieved and at what level of risk

 

1011

00:47:27.005 –> 00:47:28.505

and with what level of resources.

 

1012

00:47:31.285 –> 00:47:33.385

And in my experience, that’s what all leaders,

 

1013

00:47:34.995 –> 00:47:37.705

not just risk leaders are crying out for.

 

1014

00:47:41.155 –> 00:47:43.585

Thank you for listening to that presentation.

 

1015

00:47:43.705 –> 00:47:45.425

I hope as I said that you were able to

 

1016

00:47:46.325 –> 00:47:48.545

get those two key takeaways, a bit

 

1017

00:47:48.545 –> 00:47:49.905

of a better understanding about the mindset

 

1018

00:47:49.965 –> 00:47:50.985

and what that might look like

 

1019

00:47:51.525 –> 00:47:53.225

and a bit of an understanding about what

 

1020

00:47:53.225 –> 00:47:54.825

that data model might look like

 

1021

00:47:55.285 –> 00:47:57.025

and then some thoughts about how to go forward.

 

1022

00:47:57.965 –> 00:48:00.025

I’m happy to take any questions through the chat

 

1023

00:48:00.885 –> 00:48:04.905

and also happy to, uh, provide any other other comments

 

1024

00:48:04.905 –> 00:48:07.225

that anyone may be interested in understanding.

 

1025

00:48:07.485 –> 00:48:09.305

But at this point, um, if there’s nothing further,

 

1026

00:48:10.055 –> 00:48:12.265

I’ll be happy to uh, wish you a good day

 

1027

00:48:12.325 –> 00:48:13.345

and thank you for your time.

 

1028

00:48:32.135 –> 00:48:35.575

Looks like the, um, questions are minimal.

 

1029

00:48:36.595 –> 00:48:39.535

As um, Craig indicated we will share the material,

 

1030

00:48:40.435 –> 00:48:43.775

the recording, and the slides with all of the participants.

 

1031

00:48:44.295 –> 00:48:46.975

I also note that there may have been some challenges

 

1032

00:48:46.975 –> 00:48:49.855

with the links, so we will, um, just work out how best

 

1033

00:48:49.855 –> 00:48:52.455

to make sure that everybody who was interested today, um,

 

1034

00:48:53.435 –> 00:48:54.455

the material they need.

 

1035

00:48:54.635 –> 00:48:59.215

And I’m always interested in discussing, um, any element

 

1036

00:48:59.215 –> 00:49:01.655

of CPS 230 with anybody at any time.

 

1037

00:49:02.075 –> 00:49:03.695

Tim, you did have a question about supplier.

 

1038

00:49:05.155 –> 00:49:07.775

I think my read on supplier and I,

 

1039

00:49:07.815 –> 00:49:10.015

and I sort of come back to, to my approach is there’s gonna

 

1040

00:49:10.015 –> 00:49:12.095

be a huge amount of work in supplier and third party.

 

1041

00:49:13.075 –> 00:49:16.415

Um, I think it’s almost certain that every organization

 

1042

00:49:16.415 –> 00:49:19.895

that is an APRA-regulated entity will have more

 

1043

00:49:21.535 –> 00:49:24.895

material service providers than material outsourcing.

 

1044

00:49:25.695 –> 00:49:27.255

I think the work has to start early

 

1045

00:49:27.515 –> 00:49:29.775

and it has to start with a list of who are those

 

1046

00:49:30.335 –> 00:49:31.495

suppliers likely to be.

 

1047

00:49:32.075 –> 00:49:33.415

And where I’ve been working

 

1048

00:49:33.415 –> 00:49:36.615

with organizations is let’s get a list, let’s rank them,

 

1049

00:49:37.185 –> 00:49:39.135

let’s work out how critical they are

 

1050

00:49:39.235 –> 00:49:40.495

and let’s work out a timeline.

 

1051

00:49:41.075 –> 00:49:45.215

Um, I think the challenge then starts to play out

 

1052

00:49:45.915 –> 00:49:47.335

as you actually start to uncover

 

1053

00:49:47.395 –> 00:49:48.575

and say, well,

 

1054

00:49:48.715 –> 00:49:51.455

can those suppliers do those things we’re asking them to do?

 

1055

00:49:52.955 –> 00:49:55.255

So then you’re actually saying, well, have we got, you know,

 

1056

00:49:55.255 –> 00:49:57.055

how do our enablers align with our design?

 

1057

00:49:57.795 –> 00:49:59.615

But that’s not an easy conversation,

 

1058

00:49:59.995 –> 00:50:01.775

but I think you have to get to it first.

 

1059

00:50:02.675 –> 00:50:06.295

So my thoughts are on supplier is iterate,

 

1060

00:50:06.955 –> 00:50:08.345

bring up the hard things early

 

1061

00:50:08.535 –> 00:50:11.305

because it will take 12 to 18 months to address that.

 

1062

00:50:17.525 –> 00:50:19.865

And for those suppliers who might be on the, um, on,

 

1063

00:50:19.885 –> 00:50:22.505

on the call, I think the only other comment I’d make would

 

1064

00:50:22.505 –> 00:50:25.845

be think about this lens.

 

1065

00:50:26.135 –> 00:50:27.405

Think about it now,

 

1066

00:50:27.875 –> 00:50:29.005

because your, your,

 

1067

00:50:29.075 –> 00:50:32.365

your customer organizations will be coming to you expecting

 

1068

00:50:32.945 –> 00:50:34.605

the, you know, you to have thought about it.

 

1069

00:50:35.205 –> 00:50:37.205

I think that the worst position

 

1070

00:50:37.205 –> 00:50:40.885

to be from a third party’s perspective is having 10 sets

 

1071

00:50:40.885 –> 00:50:41.885

of requirements to meet.

 

1072

00:50:42.425 –> 00:50:45.045

So I would be very much advocating for third parties

 

1073

00:50:45.225 –> 00:50:46.845

to be able to say, this is

 

1074

00:50:46.845 –> 00:50:48.685

what we understand our critical operat, you know,

 

1075

00:50:48.685 –> 00:50:51.165

how we support critical operations to be, this is

 

1076

00:50:51.165 –> 00:50:52.805

how we are thinking about tolerances

 

1077

00:50:53.505 –> 00:50:55.445

and this is how we’re thinking about doing

 

1078

00:50:55.465 –> 00:50:56.525

our testing and our work.

 

1079

00:50:56.755 –> 00:50:58.285

Does that meet your requirements?

 

1080

00:50:58.795 –> 00:51:01.845

More so than getting 10 different sets of requirements.

 

1081

00:51:01.905 –> 00:51:04.405

And that’s what we definitely will see with some

 

1082

00:51:04.405 –> 00:51:06.885

of those larger providers who might be working with

 

1083

00:51:07.445 –> 00:51:09.565

multiples is, you know, here’s our,

 

1084

00:51:09.565 –> 00:51:10.765

here’s our interpretation.

 

1085

00:51:11.145 –> 00:51:12.325

Do you accept it or not?

 

1086

00:51:12.515 –> 00:51:13.925

Because if you don’t accept it,

 

1087

00:51:13.925 –> 00:51:16.805

there might be more cost associated with it as opposed to,

 

1088

00:51:17.265 –> 00:51:18.845

you know, take, take the work that we’ve done.

 

1089

00:51:22.275 –> 00:51:25.575

Any other questions from those who are, um, on the chat?

 

1090

00:51:54.595 –> 00:51:58.015

If not, I will probably call this at two minutes to

 

1091

00:51:58.275 –> 00:52:00.215

and say thank you so much for your time.

 

1092

00:52:00.755 –> 00:52:04.375

Um, and have a great day.

 
