54 minute video
Moving from preparation to action.
Watch the latest updates on what financial institutions must do to enhance resilience, manage risk and minimise disruption.
CPS 230 Moving from preparation to action Transcript
Good morning.
1
00:00:14.065 –> 00:00:17.605
Um, and thank you for joining us at Battleground’s November
2
00:00:17.805 –> 00:00:20.125
CPS 230 webinar with the theme of
3
00:00:20.725 –> 00:00:23.805
CPS 230 from preparation to action.
4
00:00:25.905 –> 00:00:27.125
My name’s Joe McDavid.
5
00:00:27.145 –> 00:00:30.045
I’m the Director of Operational Risk here at Battleground,
6
00:00:30.045 –> 00:00:32.445
and I’ll be leading the conversation this morning,
7
00:00:32.465 –> 00:00:33.685
but also looking forward
8
00:00:33.705 –> 00:00:36.325
to any feedback from the people across the group.
9
00:00:37.205 –> 00:00:38.805
I also just wanna acknowledge at the beginning here
10
00:00:38.805 –> 00:00:41.285
that the, for some of you, the registration process hasn’t
11
00:00:41.285 –> 00:00:42.405
been completely straightforward.
12
00:00:42.785 –> 00:00:44.725
Um, but I wanna thank you for your diligence
13
00:00:44.985 –> 00:00:47.525
and, um, tenacity in getting onto this link
14
00:00:47.705 –> 00:00:50.525
and assure you that we’ll be looking to improve that, um,
15
00:00:50.585 –> 00:00:51.765
as we, as we go forward.
16
00:00:51.785 –> 00:00:55.245
So thank you for that. But to the subject at hand,
17
00:00:55.485 –> 00:00:59.005
CPS 230 as a Prudential standard,
18
00:00:59.005 –> 00:01:00.965
it was released in draft more than a year ago
19
00:01:01.545 –> 00:01:03.845
and finalized more than four months ago.
20
00:01:04.945 –> 00:01:08.285
The standard’s been given a long lead time until July, 2025
21
00:01:08.305 –> 00:01:09.965
for entities to adapt to.
22
00:01:11.085 –> 00:01:13.425
And the lead time reflects both the request of,
23
00:01:13.445 –> 00:01:15.265
of financial services as an industry.
24
00:01:15.885 –> 00:01:18.785
And I think as well the frustration of the regulator
25
00:01:19.015 –> 00:01:22.105
with the time taken, in particular to meet the requirements
26
00:01:22.105 –> 00:01:23.425
of CPS 234,
27
00:01:23.975 –> 00:01:26.145
information technology, information security.
28
00:01:26.895 –> 00:01:29.545
It’s clear already from APRA’s engagement in public
29
00:01:29.545 –> 00:01:32.185
that they expect organizations to be ready on day one
30
00:01:32.405 –> 00:01:33.865
for CPS 230.
31
00:01:34.575 –> 00:01:36.625
Tolerance for failure to comply is minimal,
32
00:01:38.035 –> 00:01:42.775
but we see that there is a fundamental challenge common
33
00:01:42.795 –> 00:01:45.935
to all new regulations that regulated entities face,
34
00:01:47.275 –> 00:01:48.975
and that is the question of
35
00:01:49.045 –> 00:01:51.415
what is good enough, what is expected.
36
00:01:51.995 –> 00:01:53.455
And Simon, thank you for that note.
37
00:01:53.455 –> 00:01:55.615
I’ve just seen that Craig is, um, is, um,
38
00:01:55.645 –> 00:01:57.815
just working in the background to resolve that.
39
00:01:58.115 –> 00:02:00.255
So thank you for letting us know that, um,
40
00:02:00.265 –> 00:02:01.535
Simon, I appreciate it.
41
00:02:04.295 –> 00:02:06.315
So the fundamental challenge, what is good enough,
42
00:02:06.625 –> 00:02:11.345
what is expected, even though CPS 230 treads in a space
43
00:02:11.345 –> 00:02:14.305
that is currently regulated, whether it be
44
00:02:14.305 –> 00:02:16.225
through CPS 222, 231,
45
00:02:16.245 –> 00:02:18.905
or 232, the actual requirements
46
00:02:18.925 –> 00:02:20.865
of the guidance are not yet known.
47
00:02:21.875 –> 00:02:23.215
And the Prudential standard is brief.
48
00:02:23.215 –> 00:02:24.575
It’s only a dozen or so pages.
49
00:02:25.605 –> 00:02:27.425
The guide, the practice guide is draft,
50
00:02:27.565 –> 00:02:29.585
and in many cases, there isn’t a huge amount
51
00:02:29.585 –> 00:02:31.105
of more detail provided.
52
00:02:32.325 –> 00:02:34.025
And to top it off, we have a regulator
53
00:02:34.025 –> 00:02:35.425
that’s talking about a need, not just
54
00:02:35.485 –> 00:02:37.785
for an uplift in operational risk management,
55
00:02:38.065 –> 00:02:40.105
business continuity and management of third parties,
56
00:02:40.685 –> 00:02:42.145
but also for a mindset shift.
57
00:02:43.525 –> 00:02:46.225
So today I wanna talk a bit more about where we
58
00:02:46.225 –> 00:02:48.745
as Battleground have been doing work with organizations
59
00:02:49.245 –> 00:02:52.345
to help them get to what we see as a coherent, robust,
60
00:02:52.405 –> 00:02:54.945
and useful position for CPS 230.
61
00:02:55.805 –> 00:02:58.985
And I hope you finish off this session with, um, a couple
62
00:02:59.105 –> 00:03:02.065
of, a couple of key things really.
63
00:03:02.195 –> 00:03:04.665
First of all, what might the mindset shift
64
00:03:04.665 –> 00:03:06.905
that APRA be talking about practically mean?
65
00:03:07.365 –> 00:03:09.345
How can you go about having real tangible,
66
00:03:09.575 –> 00:03:11.985
practical conversations in a way that
67
00:03:11.985 –> 00:03:13.545
that demonstrates you’re making this shift?
68
00:03:14.445 –> 00:03:17.185
And secondly, what might a connected model look like
69
00:03:17.185 –> 00:03:19.385
that meets CPS 230 requirements?
70
00:03:19.895 –> 00:03:21.985
Because that’s what’s fundamental
71
00:03:22.005 –> 00:03:23.745
to sustainable resilience in our view,
72
00:03:24.135 –> 00:03:26.625
it’s about decisions being made using balanced,
73
00:03:27.425 –> 00:03:30.065
resilient mindset, um, supported
74
00:03:30.065 –> 00:03:31.905
by robust complete and relevant data.
75
00:03:33.115 –> 00:03:36.425
That’s all. And I also recognize we’ve got a bit
76
00:03:36.505 –> 00:03:37.785
of a diverse audience this morning.
77
00:03:37.785 –> 00:03:40.145
We’ve got some non-financial services institutions,
78
00:03:40.455 –> 00:03:42.465
also got service providers in the group today.
79
00:03:42.925 –> 00:03:45.665
So one, my focus will be on the CPS 230 journey
80
00:03:45.885 –> 00:03:46.985
for financial services.
81
00:03:47.745 –> 00:03:50.385
I think you’ll find the session of value.
82
00:03:50.765 –> 00:03:52.905
For service providers, getting an understanding of
83
00:03:52.905 –> 00:03:54.265
what your customers will be thinking
84
00:03:54.315 –> 00:03:55.985
will be invaluable as you work with them.
85
00:03:56.405 –> 00:03:58.105
For those non-financial institutions,
86
00:03:58.375 –> 00:04:00.665
Well, I see a lot of value in the mindset, the data
87
00:04:00.685 –> 00:04:03.145
and the model that CPS 230 is requiring,
88
00:04:03.645 –> 00:04:06.065
and I think well implemented it offers a blueprint
89
00:04:06.085 –> 00:04:07.625
for effective, efficient,
90
00:04:07.625 –> 00:04:09.425
and robust operational risk management.
91
00:04:12.215 –> 00:04:14.355
And I’ll try and leave some time at the end for questions.
92
00:04:14.455 –> 00:04:16.795
So if you do wanna raise any via the chat, please do
93
00:04:16.795 –> 00:04:17.955
so and I will come back to them.
94
00:04:20.975 –> 00:04:22.995
So before we go into all of that, a bit about
95
00:04:22.995 –> 00:04:24.315
who we are at Battleground.
96
00:04:26.695 –> 00:04:28.355
And look, the first thing I wanna make clear is
97
00:04:28.355 –> 00:04:30.195
that we’re a software driven consultancy.
98
00:04:30.815 –> 00:04:32.875
We help organizations using software tools,
99
00:04:32.875 –> 00:04:34.035
and we also sell those tools.
100
00:04:34.775 –> 00:04:37.075
But the important thing is that we sell what we use
101
00:04:37.375 –> 00:04:39.155
and we use what we sell.
102
00:04:39.815 –> 00:04:42.115
If something is useful to us working with clients,
103
00:04:42.565 –> 00:04:44.515
it’ll pretty soon make its way into our software.
104
00:04:45.015 –> 00:04:46.755
So at the moment, this means we’re able
105
00:04:46.755 –> 00:04:48.875
to help clients connect business processes
106
00:04:48.875 –> 00:04:51.555
with critical operations, define tolerances
107
00:04:51.555 –> 00:04:52.715
for them in the platform
108
00:04:53.175 –> 00:04:55.235
and in the future, that might mean that we’ll be able
109
00:04:55.235 –> 00:04:57.315
to use the, the, the model
110
00:04:57.415 –> 00:04:59.635
and the platform to bring together a really clear view of
111
00:04:59.735 –> 00:05:02.995
how critical operations are supported by processes, managed
112
00:05:03.015 –> 00:05:06.355
by controls enabled by third parties, all in order
113
00:05:06.355 –> 00:05:07.755
to manage those risks and obligations.
114
00:05:09.045 –> 00:05:10.265
As an organization, we’ve
115
00:05:10.265 –> 00:05:11.465
existed for, for more than 10 years.
116
00:05:11.485 –> 00:05:12.865
And our founder, Craig Goldberg,
117
00:05:12.865 –> 00:05:14.705
is a former Deloitte partner leading
118
00:05:14.705 –> 00:05:16.185
their business continuity team.
119
00:05:16.645 –> 00:05:18.785
The consultancy team like me have a combination
120
00:05:18.785 –> 00:05:21.305
of senior management and consultancy experience,
121
00:05:21.925 –> 00:05:24.345
and given the areas we work in, crisis management,
122
00:05:24.905 –> 00:05:26.345
business continuity, and risk management.
123
00:05:26.365 –> 00:05:27.665
You can imagine we’ve been watching
124
00:05:27.665 –> 00:05:30.505
and working in CPS 230 closely for some time.
125
00:05:31.085 –> 00:05:33.065
And personally, for those of you who don’t know me,
126
00:05:33.615 –> 00:05:36.265
I’ve worked in senior operational risks roles in banking.
127
00:05:36.615 –> 00:05:39.065
I’ve worked in consulting roles and regulatory
128
00:05:39.085 –> 00:05:41.225
and risk uplift and also in assurance roles.
129
00:05:41.285 –> 00:05:43.385
So my experience is a combination
130
00:05:43.385 –> 00:05:45.025
of being the accountable person
131
00:05:45.325 –> 00:05:47.825
and being the person helping the accountable people.
132
00:05:50.405 –> 00:05:52.215
Look, I wanted to start today with a bit of a story.
133
00:05:53.475 –> 00:05:55.945
Maybe it’ll help introduce me a little bit more as well.
134
00:05:56.245 –> 00:05:58.525
And recently I was leading a regulatory
135
00:05:58.525 –> 00:05:59.885
uplift program for a client.
136
00:06:00.145 –> 00:06:02.285
So my job was to integrate all the bits that needed
137
00:06:02.285 –> 00:06:04.685
to be improved, bring together a team of experts
138
00:06:04.705 –> 00:06:08.245
to deliver the uplift and voila, deliver an uplifted,
139
00:06:08.315 –> 00:06:10.245
transformed and compliant organization.
140
00:06:11.065 –> 00:06:13.245
And this often required presenting information
141
00:06:13.245 –> 00:06:14.605
to stakeholders for decisions.
142
00:06:15.155 –> 00:06:16.885
What would the organization do in response
143
00:06:16.885 –> 00:06:18.365
to a certain set of facts or events?
144
00:06:19.745 –> 00:06:22.085
And what I often found with, with some stakeholders,
145
00:06:22.215 –> 00:06:24.845
there was this zealous focus on whether
146
00:06:24.845 –> 00:06:27.605
or not a solution would deliver something called a compliant
147
00:06:27.655 –> 00:06:31.725
state that’s short-term focus for a short-term fix.
148
00:06:32.465 –> 00:06:35.355
And look, given that the short-term thinking was one
149
00:06:35.355 –> 00:06:37.875
of the major reasons the organization actually needed the
150
00:06:38.115 –> 00:06:41.395
regulatory uplift project, I spent much of my time trying
151
00:06:41.395 –> 00:06:43.235
to guide a set of balanced decisions.
152
00:06:44.275 –> 00:06:47.535
And clearly, I overused one phrase in particular,
153
00:06:48.305 –> 00:06:50.655
compliance isn’t the state, it’s a lifestyle.
154
00:06:51.395 –> 00:06:52.725
And what I mean by that, and,
155
00:06:52.725 –> 00:06:55.205
and what I mean also in the context of resilience,
156
00:06:55.575 –> 00:06:56.925
which I think is, you know, really
157
00:06:56.925 –> 00:06:58.405
what CPS 230 is all about.
158
00:06:58.915 –> 00:07:02.085
It’s not something you have, it doesn’t exist in perpetuity.
159
00:07:02.545 –> 00:07:05.405
You can’t be compliant or be resilient.
160
00:07:05.975 –> 00:07:08.405
Sorry, you can be compliant or resilient today,
161
00:07:08.785 –> 00:07:11.405
but tomorrow the threats change, your processes erode,
162
00:07:11.885 –> 00:07:14.485
customer needs move on, external threats evolve.
163
00:07:15.265 –> 00:07:17.565
All of these things are dynamic means you have
164
00:07:17.565 –> 00:07:20.205
to continually be evolving, making good decisions.
165
00:07:21.145 –> 00:07:22.605
And so your level of compliance
166
00:07:22.705 –> 00:07:25.885
or resilience, well, that’s a function of historic decisions
167
00:07:26.585 –> 00:07:27.645
and there’s very little you can do
168
00:07:27.645 –> 00:07:28.725
today to actually change it.
169
00:07:29.425 –> 00:07:33.045
But there is the need to continually make good decisions,
170
00:07:33.315 –> 00:07:34.325
make good investments,
171
00:07:34.325 –> 00:07:36.485
and execute consistently so
172
00:07:36.485 –> 00:07:40.525
that you can be resilient tomorrow and into the future.
173
00:07:43.075 –> 00:07:44.615
And so with that in mind, well what’s the
174
00:07:44.615 –> 00:07:45.855
agenda for the conversation today?
175
00:07:46.405 –> 00:07:47.575
Well, as I said earlier, I wanted
176
00:07:47.575 –> 00:07:49.375
to give you a clearer understanding of two things,
177
00:07:49.875 –> 00:07:52.575
the mindset shift that APRA is talking about
178
00:07:52.805 –> 00:07:55.455
practically, how can you go about having some real tangible
179
00:07:55.715 –> 00:07:57.095
and practical conversations?
180
00:07:57.795 –> 00:08:01.485
And secondly, what might a connected model look like
181
00:08:01.485 –> 00:08:03.645
that meets those CPS 230 requirements?
182
00:08:04.785 –> 00:08:06.125
And how do I propose to get there?
183
00:08:06.125 –> 00:08:07.685
Well, I’m gonna try and use this simple
184
00:08:07.965 –> 00:08:09.085
approach as I possibly can.
185
00:08:10.225 –> 00:08:13.085
I’m gonna do a recap on the why of CPS 230.
186
00:08:13.625 –> 00:08:16.885
What’s the problem that APRA have decided needs a new
187
00:08:17.405 –> 00:08:18.645
regulatory hammer to solve?
188
00:08:19.925 –> 00:08:22.685
Secondly, the what, what’s the standard asking us to do?
189
00:08:23.385 –> 00:08:25.645
And to be really clear, today isn’t a deep dive into
190
00:08:26.075 –> 00:08:28.485
what clauses we need to put into what contract
191
00:08:28.505 –> 00:08:32.365
or how to reconcile your current business continuity plans,
192
00:08:32.365 –> 00:08:35.405
maximum available outage with a new tolerance requirement.
193
00:08:35.865 –> 00:08:38.205
I’m more than happy to have those conversations, of course,
194
00:08:38.705 –> 00:08:40.525
um, and, and do on a regular basis.
195
00:08:41.065 –> 00:08:43.885
But one thing that I often find when talking about CPS 230
196
00:08:43.885 –> 00:08:45.805
is that there is this tendency
197
00:08:45.805 –> 00:08:48.605
to drop immediately into the detail.
198
00:08:50.185 –> 00:08:52.445
And perhaps that’s where people are most comfortable,
199
00:08:52.715 –> 00:08:54.085
they have the most experience.
200
00:08:54.665 –> 00:08:55.965
But I think as you’ll see,
201
00:08:56.065 –> 00:08:57.965
the real value is keeping our heads elevated.
202
00:09:00.195 –> 00:09:01.735
And so thirdly, the how,
203
00:09:02.035 –> 00:09:04.335
and again, this isn’t the how in the minute detail,
204
00:09:04.595 –> 00:09:07.495
but more about how you can start to have conversations about
205
00:09:07.495 –> 00:09:11.695
that CPS 230 lifestyle I spoke about that you
206
00:09:11.695 –> 00:09:13.215
and your organization will need to live
207
00:09:13.595 –> 00:09:15.335
and I think sooner than you, you might think.
208
00:09:15.995 –> 00:09:17.975
And finally, the ready set go.
209
00:09:18.315 –> 00:09:19.695
The things we ought to be doing now
210
00:09:19.835 –> 00:09:21.895
or have done already to make the most of the work
211
00:09:22.165 –> 00:09:24.375
that CPS 230 will require.
212
00:09:27.775 –> 00:09:31.785
So why, why CPS 230? Why now?
213
00:09:32.575 –> 00:09:34.705
Well, I think when you glean through all the leaves
214
00:09:34.765 –> 00:09:36.465
and pronouncements and entrails
215
00:09:36.485 –> 00:09:38.225
and speeches, I think there are three things
216
00:09:38.225 –> 00:09:39.425
that start to become clear.
217
00:09:40.815 –> 00:09:44.485
It’s about interconnections, it’s about control failures,
218
00:09:45.105 –> 00:09:46.885
and it’s about regulatory pressure.
219
00:09:47.925 –> 00:09:51.475
So let’s take these in turn, interconnections,
220
00:09:53.295 –> 00:09:56.315
modern financial institutions, many
221
00:09:56.575 –> 00:09:58.435
or modern institutions, even those of us
222
00:09:58.435 –> 00:09:59.715
who aren’t financial on the call,
223
00:10:00.105 –> 00:10:02.355
they’re less a single organization and,
224
00:10:02.355 –> 00:10:05.755
and more an orchestration of many different organizations,
225
00:10:05.905 –> 00:10:07.915
whether it’s technology, call center,
226
00:10:08.385 –> 00:10:10.035
marketing administration,
227
00:10:10.035 –> 00:10:13.735
or claims core banking or something else.
228
00:10:14.645 –> 00:10:17.015
Financial institutions rely on service providers
229
00:10:17.015 –> 00:10:18.455
for large chunks of what they do.
230
00:10:19.285 –> 00:10:21.865
And even if they don’t rely on a single financial, uh,
231
00:10:21.865 –> 00:10:24.505
single outsource provider in an outsourced manner,
232
00:10:24.555 –> 00:10:27.145
end-to-end the value chain can rely more on third parties
233
00:10:27.375 –> 00:10:28.585
than internal capability.
234
00:10:29.445 –> 00:10:30.585
And these interconnections,
235
00:10:30.585 –> 00:10:33.585
they require a deep understanding of what you want to do
236
00:10:34.565 –> 00:10:36.745
and alignments of interest across a range of parties
237
00:10:37.445 –> 00:10:39.985
and flexibility in operations when things go wrong
238
00:10:40.005 –> 00:10:41.065
to fix them swiftly.
239
00:10:41.845 –> 00:10:43.955
These aren’t always things that are present at even the most
240
00:10:43.985 –> 00:10:46.875
aligned supplier relationships, let alone the average.
241
00:10:47.585 –> 00:10:50.965
Then we have control failures,
242
00:10:51.065 –> 00:10:52.605
and they might be the high profile ones
243
00:10:52.605 –> 00:10:53.645
that are on the screen
244
00:10:54.185 –> 00:10:56.765
or the less high profile ones that never make the press
245
00:10:57.105 –> 00:10:58.965
or even make it outside of an organization.
246
00:11:00.105 –> 00:11:01.605
But I think even if you go back as far
247
00:11:01.605 –> 00:11:04.605
as the 2018 Financial Services Royal Commission,
248
00:11:04.875 –> 00:11:06.605
what you see is a lot of examples
249
00:11:06.605 –> 00:11:08.645
of control failures driving conduct challenges.
250
00:11:09.465 –> 00:11:11.085
Yes, it’s wrong
251
00:11:11.085 –> 00:11:13.445
to charge dead people life insurance premiums,
252
00:11:14.185 –> 00:11:17.165
but if the system that processes claims doesn’t talk
253
00:11:17.165 –> 00:11:20.645
to the system that processes premiums well, is that a,
254
00:11:21.535 –> 00:11:22.635
is that a design feature?
255
00:11:22.695 –> 00:11:23.995
Is that a bug? What’s the issue?
256
00:11:23.995 –> 00:11:27.995
What’s the challenge there? And control failures also play a
257
00:11:27.995 –> 00:11:29.315
massive role in many of the cyber
258
00:11:29.315 –> 00:11:31.555
and data privacy breaches we’ve seen
259
00:11:31.555 –> 00:11:32.595
in recent months and weeks.
260
00:11:33.575 –> 00:11:35.155
The inability to connect risks
261
00:11:35.255 –> 00:11:36.755
and controls together in a way
262
00:11:36.755 –> 00:11:39.835
that means they can be confident that systems are secure
263
00:11:40.455 –> 00:11:41.795
is not going to cut it.
264
00:11:43.085 –> 00:11:44.865
And then finally, regulatory pressure.
265
00:11:45.315 –> 00:11:46.565
Everybody else is doing it.
266
00:11:46.625 –> 00:11:51.205
So why can’t we? The UK, the US, ASIC,
267
00:11:51.745 –> 00:11:52.845
all active in the space
268
00:11:52.865 –> 00:11:54.925
and APRA continuing to raise the bar.
269
00:11:56.805 –> 00:11:58.145
But I think there’s also another way
270
00:11:58.285 –> 00:11:59.665
to thread this together,
271
00:12:00.485 –> 00:12:01.745
and I think it might be useful
272
00:12:02.125 –> 00:12:03.585
to start thinking about the mindset
273
00:12:04.015 –> 00:12:06.825
that CPS 230 is wanting us to start using
274
00:12:07.405 –> 00:12:09.385
to think about some of these drivers as well.
275
00:12:10.515 –> 00:12:11.775
So some years ago I was working
276
00:12:12.445 –> 00:12:14.135
with the product team at an ADI
277
00:12:15.345 –> 00:12:17.085
and they said they had three main problems,
278
00:12:17.885 –> 00:12:18.915
might have had a few more, but
279
00:12:18.915 –> 00:12:19.955
they said they had three main ones.
280
00:12:20.775 –> 00:12:23.835
The first one was they had a long list of broken products.
281
00:12:24.575 –> 00:12:26.395
The product wasn’t operating as desired.
282
00:12:26.395 –> 00:12:27.635
They couldn’t confirm if it was,
283
00:12:27.805 –> 00:12:29.955
there might have been some regulatory challenges there.
284
00:12:31.585 –> 00:12:33.465
Secondly, they wanted to develop
285
00:12:33.505 –> 00:12:35.185
and release a whole bunch of new products
286
00:12:35.455 –> 00:12:38.865
because in addition to being broken the existing products,
287
00:12:38.865 –> 00:12:40.745
well they needed more flexibility
288
00:12:40.965 –> 00:12:42.185
in order to be competitive.
289
00:12:43.685 –> 00:12:45.985
And thirdly, they were struggling with the capacity
290
00:12:45.985 –> 00:12:49.225
of the operational and technology teams in the organization
291
00:12:49.765 –> 00:12:51.425
who couldn’t deliver at the pace required
292
00:12:51.735 –> 00:12:52.945
with the accuracy needed.
293
00:12:54.005 –> 00:12:55.865
The technology teams didn’t have the capacity
294
00:12:55.865 –> 00:12:57.585
to make the changes they wanted them to.
295
00:12:58.965 –> 00:13:01.665
So they had too much to do and not enough to do it with.
296
00:13:02.935 –> 00:13:04.875
And so I went and talked to some operational leaders,
297
00:13:05.905 –> 00:13:08.125
and as you can imagine, the story about technology was the
298
00:13:08.125 –> 00:13:10.725
same, no capacity, poor reliability, inability
299
00:13:10.725 –> 00:13:12.725
to keep promises, all that sort of stuff.
300
00:13:13.945 –> 00:13:15.765
But when I asked them to open up about product
301
00:13:16.415 –> 00:13:17.685
after a while, it became clear
302
00:13:17.685 –> 00:13:20.325
that the operations teams didn’t know what the priority was.
303
00:13:20.705 –> 00:13:23.645
Was it growth or compliance? Was it change or remediation?
304
00:13:25.375 –> 00:13:26.395
And I’m not even gonna tell you what
305
00:13:26.395 –> 00:13:27.435
the technology folks had to say.
306
00:13:27.435 –> 00:13:31.725
You can probably guess. Now, this isn’t the story about
307
00:13:31.985 –> 00:13:33.925
how I came in and saved the situation.
308
00:13:34.945 –> 00:13:37.215
Truth be told, there continue to be challenges
309
00:13:37.285 –> 00:13:38.455
with all of those teams.
310
00:13:38.955 –> 00:13:42.255
But I want to talk about how we started to get these groups
311
00:13:42.355 –> 00:13:44.855
to communicate a little bit more with each other.
312
00:13:45.675 –> 00:13:48.095
And that’s the model on the screen, the diagram on the page.
313
00:13:50.175 –> 00:13:52.955
And if we accept that the whole financial relationship
314
00:13:53.415 –> 00:13:56.835
starts with a customer, a depositor, a super fund member,
315
00:13:57.395 –> 00:13:59.195
somebody who wants insurance, well,
316
00:13:59.195 –> 00:14:01.475
they enter into a relationship with the organization.
317
00:14:02.335 –> 00:14:04.515
And usually we’ve got somebody who signs a letter
318
00:14:04.935 –> 00:14:06.635
and says, welcome, whatever it might be.
319
00:14:07.305 –> 00:14:09.595
They metaphorically shake the customer’s hand
320
00:14:09.595 –> 00:14:11.795
and they say, you can trust us to do some things.
321
00:14:12.365 –> 00:14:13.955
We’ve set them out in our PDS,
322
00:14:14.045 –> 00:14:15.795
we’ve set them out in our Ts and Cs.
323
00:14:15.845 –> 00:14:17.995
There are some laws that we’re actually operating under.
324
00:14:18.735 –> 00:14:20.915
And there are also likely to be some other expectations
325
00:14:20.935 –> 00:14:22.555
and assumptions that the customer’s made.
326
00:14:23.025 –> 00:14:24.555
They can contact reasonably quickly,
327
00:14:24.705 –> 00:14:27.775
they’ll be honest in your dealings, those sorts of things.
328
00:14:29.155 –> 00:14:32.135
But in order to deliver on these promises, the group
329
00:14:32.135 –> 00:14:33.295
that have gone out and shaken hands
330
00:14:33.295 –> 00:14:35.775
with the customer product in this model, they have
331
00:14:35.775 –> 00:14:38.495
to make sure it all happens and they can’t do it themselves.
332
00:14:39.125 –> 00:14:41.655
They’ll have to get help from operations and technology and
333
00:14:41.655 –> 00:14:43.175
other groups across the organization.
334
00:14:44.575 –> 00:14:46.075
So what we’ll find is there’ll probably be another
335
00:14:46.075 –> 00:14:47.155
set of agreements in place.
336
00:14:47.655 –> 00:14:49.035
It might be performance reporting,
337
00:14:49.035 –> 00:14:51.325
it might be service level agreements, whatever it might be.
338
00:14:52.505 –> 00:14:54.885
But we’ll also start to see constraints emerge
339
00:14:55.305 –> 00:14:58.805
and an inability to perform at the level expected, perhaps
340
00:14:58.805 –> 00:15:01.165
because those expectations haven’t been clearly defined,
341
00:15:01.465 –> 00:15:02.525
or maybe they aren’t funded
342
00:15:02.785 –> 00:15:04.205
or maybe those aren’t well understood.
343
00:15:05.245 –> 00:15:06.985
And of course we’ve got a range of groups
344
00:15:07.785 –> 00:15:08.905
internal to the organization.
345
00:15:09.565 –> 00:15:11.225
So we might start to see some challenges
346
00:15:11.415 –> 00:15:13.185
with objectives and alignment.
347
00:15:15.065 –> 00:15:16.885
I’m sure you might be starting to see some of
348
00:15:16.885 –> 00:15:19.965
what these challenges might be in your organizations if you
349
00:15:19.965 –> 00:15:21.485
start thinking about that construct.
350
00:15:22.505 –> 00:15:23.685
But before we go too far,
351
00:15:23.965 –> 00:15:25.405
I just wanna layer on one more thing.
352
00:15:28.235 –> 00:15:31.935
And that is that many of these activities are wholly
353
00:15:31.935 –> 00:15:33.535
or largely reliant on third parties.
354
00:15:34.195 –> 00:15:36.855
And again, we’ve got another layer of expectations
355
00:15:36.915 –> 00:15:39.815
and assumptions and constraints and agreements in place.
356
00:15:41.365 –> 00:15:43.935
What does this mean? So, so what, well, we’re starting
357
00:15:43.995 –> 00:15:46.735
to see how hard it can be to have a clear end
358
00:15:46.735 –> 00:15:48.815
to end understanding of how these dots connect.
359
00:15:49.835 –> 00:15:51.895
How well does the product team really understand
360
00:15:51.895 –> 00:15:54.855
or need to understand what a breakdown in expectations
361
00:15:54.855 –> 00:15:57.375
between IT and an IT service provider means?
362
00:15:58.275 –> 00:16:00.455
How could we adjust our expectations
363
00:16:00.455 –> 00:16:02.615
of those internal teams based on the performance
364
00:16:02.835 –> 00:16:04.055
of their service providers?
365
00:16:05.455 –> 00:16:07.195
But again, this is also a simplification
366
00:16:11.265 –> 00:16:14.315
because those third parties, well,
367
00:16:14.915 –> 00:16:16.365
they have their own support arrangements,
368
00:16:16.365 –> 00:16:17.365
they operate internally.
369
00:16:17.755 –> 00:16:20.245
Sometimes our customers interact directly with them,
370
00:16:20.315 –> 00:16:21.925
sometimes they support one another,
371
00:16:22.745 –> 00:16:24.605
and of course they support other organizations.
372
00:16:26.315 –> 00:16:27.335
So I’m not suggesting,
373
00:16:27.335 –> 00:16:30.575
and I don’t suggest that CPS 230 requires us to map all
374
00:16:30.575 –> 00:16:34.135
of these extended relationships out, at least not those
375
00:16:34.135 –> 00:16:35.255
outside our organization.
376
00:16:36.335 –> 00:16:37.935
I don’t think it’s possible. I don’t think it’s
377
00:16:37.935 –> 00:16:39.135
sensible, I don’t think it’s useful.
378
00:16:40.715 –> 00:16:43.575
But I think this is part of that mindset shift
379
00:16:43.965 –> 00:16:47.615
that CPS 230 is starting to ask us to think about.
380
00:16:48.795 –> 00:16:51.335
And I think it’s as simple and as complex as this,
381
00:16:52.455 –> 00:16:54.315
and it’s complex, not complicated as well.
382
00:16:54.395 –> 00:16:55.115
I think that’s a really
383
00:16:55.115 –> 00:16:56.435
important point that I’ll come back to.
384
00:16:57.655 –> 00:16:59.645
Let’s think about all the elements that connect together
385
00:16:59.665 –> 00:17:01.245
to deliver your critical operations.
386
00:17:02.695 –> 00:17:04.285
Let’s think about how these elements
387
00:17:05.465 –> 00:17:07.275
play from the perspective of all of those
388
00:17:07.695 –> 00:17:08.835
who play a part in delivery.
389
00:17:10.855 –> 00:17:13.355
And let’s think about the expectations and assumptions.
390
00:17:13.825 –> 00:17:16.435
Uncover the constraints, understand the objectives.
391
00:17:19.265 –> 00:17:20.415
Let’s understand all that first.
392
00:17:20.415 –> 00:17:24.255
You may then consider if you want to,
393
00:17:24.635 –> 00:17:26.775
or even if you’re able to change any of those things,
394
00:17:27.775 –> 00:17:29.555
it might seem on first glance desirable,
395
00:17:29.695 –> 00:17:31.315
but it might not be as you think through it
396
00:17:31.625 –> 00:17:33.675
because, you remember, CPS 230.
397
00:17:33.865 –> 00:17:35.275
It’s a risk management standard.
398
00:17:35.945 –> 00:17:37.955
It’s not telling us to reduce the risk to zero.
399
00:17:38.545 –> 00:17:42.195
It’s telling us to understand the risk and to manage it.
400
00:17:47.425 –> 00:17:48.405
And I think if it was all that
401
00:17:48.405 –> 00:17:49.565
simple, we’d be well on our way.
402
00:17:50.415 –> 00:17:52.315
But I think there’s another complicating factor we need
403
00:17:52.315 –> 00:17:54.635
to be actively considering in our CPS 230 efforts.
404
00:17:55.415 –> 00:17:57.835
And that is we’re not managing operational risk in a vacuum.
405
00:17:59.225 –> 00:18:02.275
Organizations will be subject to strategic or regulatory
406
00:18:02.335 –> 00:18:04.035
or operational pressures amongst others
407
00:18:04.785 –> 00:18:07.875
that can challenge catalyze and complicate our efforts.
408
00:18:09.015 –> 00:18:10.275
So I’ll start with regulation.
409
00:18:12.775 –> 00:18:14.495
I can’t think of any APRA-regulated entity
410
00:18:14.495 –> 00:18:17.175
where CPS 230 is the only regulatory challenge,
411
00:18:19.285 –> 00:18:21.425
The most pertinent standards that will require alignment:
412
00:18:21.895 –> 00:18:24.545
it’s FAR, which I realize isn’t of course a, um,
413
00:18:24.545 –> 00:18:26.545
prudential standard, but still very relevant.
414
00:18:26.855 –> 00:18:27.945
Financial accountability.
415
00:18:28.545 –> 00:18:29.545
CPS 234,
416
00:18:29.745 –> 00:18:32.505
particularly if there are tripartite audit actions
417
00:18:33.765 –> 00:18:35.065
and CPS 192
418
00:18:36.695 –> 00:18:38.595
and these regulations, they’re gonna influence
419
00:18:38.595 –> 00:18:40.515
what you focus on for CPS 230.
420
00:18:40.665 –> 00:18:42.755
They’ll compete for management focus and budget
421
00:18:42.855 –> 00:18:46.985
and share of mind. Integration can seem to offer benefits,
422
00:18:47.205 –> 00:18:49.065
but would need to be carefully considered.
423
00:18:50.825 –> 00:18:52.235
From a strategic point of view,
424
00:18:52.625 –> 00:18:55.075
each organization will have their own agenda: growth,
425
00:18:55.475 –> 00:18:57.955
survival, digital reinvention, something else.
426
00:18:59.295 –> 00:19:01.915
And I think the long lead time on CPS 230
427
00:19:02.465 –> 00:19:04.515
potentially has caused just as much challenge
428
00:19:04.515 –> 00:19:07.555
for many organizations in trying to get things underway.
429
00:19:09.275 –> 00:19:10.625
Three years from draft standard
430
00:19:10.625 –> 00:19:12.665
to implementation date is a long time
431
00:19:13.165 –> 00:19:14.905
and management is rightly focusing
432
00:19:15.605 –> 00:19:17.265
on delivering on strategy.
433
00:19:18.935 –> 00:19:20.555
And finally, at an operational level,
434
00:19:20.555 –> 00:19:22.595
there’ll be transformation, modernization
435
00:19:23.015 –> 00:19:26.555
or automation, consolidation, all those things going on.
436
00:19:29.445 –> 00:19:32.105
And what I see is navigating the work required
437
00:19:32.125 –> 00:19:33.345
for CPS 230
438
00:19:34.685 –> 00:19:37.425
requires, through this jungle, I think it’s a little bit
439
00:19:37.425 –> 00:19:39.585
of a jungle, it requires a clarity of end state.
440
00:19:40.995 –> 00:19:43.405
That is something that unfortunately has been hard
441
00:19:43.405 –> 00:19:46.405
to draw from regulation and guidance to date,
442
00:19:47.265 –> 00:19:49.485
but that’s what I wanted to talk about now.
443
00:19:53.035 –> 00:19:54.575
So what are we being asked to do?
444
00:19:56.625 –> 00:19:59.035
Well, I think if we try and get a very clear line on
445
00:19:59.035 –> 00:20:00.875
what is required, we end up
446
00:20:00.875 –> 00:20:05.235
with a pretty straightforward activity cycle: plan, do,
447
00:20:06.035 –> 00:20:07.535
check, act,
448
00:20:08.645 –> 00:20:10.415
because that’s, I think all we’re being asked
449
00:20:10.615 –> 00:20:15.055
to do under CPS 230, understand our critical operations,
450
00:20:15.435 –> 00:20:18.315
put controls in place, check if they’re working
451
00:20:19.215 –> 00:20:20.555
and make them better if they’re not.
452
00:20:22.185 –> 00:20:24.605
And I think bringing it back to that level is,
453
00:20:24.605 –> 00:20:25.645
is really important.
454
00:20:25.675 –> 00:20:28.325
Whether it be a third party control,
455
00:20:28.325 –> 00:20:31.085
whether it be a contract, whether it be business continuity,
456
00:20:31.765 –> 00:20:33.245
whatever the level of technical
457
00:20:33.265 –> 00:20:35.005
detail, how does it connect in?
458
00:20:36.385 –> 00:20:38.805
And I think it really does start with an understanding of
459
00:20:38.805 –> 00:20:41.035
what you do, not just at a basic
460
00:20:41.035 –> 00:20:42.275
level, but at a level of depth.
461
00:20:43.335 –> 00:20:46.995
And I said I wouldn’t go deeply into the standards, but,
462
00:20:47.165 –> 00:20:49.965
but there’s one paragraph of CPS 230 that I’m going
463
00:20:49.965 –> 00:20:51.405
to check by name here,
464
00:20:52.265 –> 00:20:55.645
and I think it’s about as close as the standard goes
465
00:20:55.665 –> 00:20:58.205
to giving you a shopping list, paragraph 27.
466
00:20:59.465 –> 00:21:02.205
And what it says is that as an organization, you need
467
00:21:02.205 –> 00:21:05.085
to identify and document the processes
468
00:21:05.465 –> 00:21:08.725
and resources needed to deliver critical operations.
469
00:21:09.885 –> 00:21:13.785
The people, the technology, the information, the facilities,
470
00:21:14.575 –> 00:21:17.825
service providers, the interdependencies,
471
00:21:19.165 –> 00:21:21.545
and then the associated risks and obligations and data
472
00:21:21.645 –> 00:21:26.585
and controls. Without a clear, consistent
473
00:21:27.465 –> 00:21:30.625
documentation of those processes and resources.
474
00:21:33.385 –> 00:21:35.385
I think the rest of the work is bobbing about in the ocean.
475
00:21:37.445 –> 00:21:39.625
And I think organizations that are focusing on
476
00:21:40.295 –> 00:21:43.185
this deep understanding first will be well positioned
477
00:21:43.435 –> 00:21:46.585
throughout the CPS 230 journey later.
478
00:21:48.665 –> 00:21:50.645
And this is also where we need to set our tolerances,
479
00:21:50.865 –> 00:21:52.925
our operating parameters for these operations.
480
00:21:53.345 –> 00:21:55.485
And again, setting those tolerances is very challenging
481
00:21:55.485 –> 00:21:57.605
without actually really understanding what they are.
482
00:21:59.315 –> 00:22:02.285
Then once we know what we’re doing, we need
483
00:22:02.285 –> 00:22:03.525
to put in place the right controls
484
00:22:03.525 –> 00:22:06.125
to meet the objectives in line with tolerance and appetite.
485
00:22:07.065 –> 00:22:10.165
We need to check if it’s working and do something,
486
00:22:10.165 –> 00:22:11.605
if it isn’t, to get back on plan.
487
00:22:14.755 –> 00:22:17.615
So I think it’s not too much of a simplification to say
488
00:22:17.615 –> 00:22:18.775
that in its delivery,
489
00:22:19.845 –> 00:22:22.285
CPS 230 is all about controls.
490
00:22:23.665 –> 00:22:25.205
Now those controls are variable.
491
00:22:25.705 –> 00:22:27.435
There’s deep technology controls,
492
00:22:27.445 –> 00:22:29.235
third party process controls,
493
00:22:30.095 –> 00:22:32.275
and the ownership is wide ranging within
494
00:22:32.295 –> 00:22:33.595
and outside the organization.
495
00:22:35.875 –> 00:22:37.095
And the controls need
496
00:22:37.095 –> 00:22:38.895
to be built based on a solid understanding
497
00:22:38.915 –> 00:22:40.055
of critical operations.
498
00:22:41.705 –> 00:22:43.955
What do you do? How do you do it? What is success?
499
00:22:46.445 –> 00:22:48.745
And I’ve not really yet,
500
00:22:49.125 –> 00:22:51.025
and I don’t really plan to spend a lot
501
00:22:51.025 –> 00:22:54.465
of time drawing distinction other than as examples
502
00:22:54.465 –> 00:22:57.385
between operational risk and business continuity
503
00:22:57.385 –> 00:22:58.665
and service provider management.
504
00:22:59.445 –> 00:23:00.665
And I do that intentionally
505
00:23:01.175 –> 00:23:03.905
because I think we’re better placed to deal with the needs
506
00:23:03.905 –> 00:23:08.385
of the standard holistically rather than reinforcing silos.
507
00:23:09.135 –> 00:23:11.665
CPS 230 is here to help us break those silos down.
508
00:23:12.785 –> 00:23:15.165
And if we focus on those elements individually,
509
00:23:16.085 –> 00:23:18.605
I fear we won’t help create the mindset we need.
510
00:23:20.125 –> 00:23:22.745
Now that’s not to say technical expertise isn’t necessary
511
00:23:23.565 –> 00:23:25.825
in CPS 230, it absolutely is,
512
00:23:26.765 –> 00:23:29.705
but it must be applied through an organizational lens.
513
00:23:30.045 –> 00:23:32.105
It must be applied through that understanding
514
00:23:33.245 –> 00:23:35.065
of the operations and the processes.
515
00:23:39.835 –> 00:23:42.615
So how do we progress in order to meet these requirements?
516
00:23:43.665 –> 00:23:46.365
Well, APRA have helpfully outlined three areas
517
00:23:46.415 –> 00:23:48.845
where they believe organizations should be focusing.
518
00:23:50.465 –> 00:23:53.355
APRA member Therese McCarthy Hockey recently outlined
519
00:23:53.825 –> 00:23:55.995
that organizations should be focusing on governance,
520
00:23:56.635 –> 00:23:58.035
critical operations and mindset.
521
00:23:59.535 –> 00:24:01.145
Okay, that’s great, but how?
522
00:24:02.165 –> 00:24:05.025
How, and look, I find
523
00:24:05.045 –> 00:24:09.305
and see that there are four questions that we can consider
524
00:24:09.325 –> 00:24:11.665
to make some practical progress
525
00:24:13.635 –> 00:24:14.975
to connect this mindset shift
526
00:24:15.155 –> 00:24:17.175
to reconcile the technical requirements,
527
00:24:17.675 –> 00:24:19.695
and most importantly, to have the conversations
528
00:24:20.045 –> 00:24:22.295
with the operational leaders that are necessary.
529
00:24:24.175 –> 00:24:26.435
And whenever I talk to operational leaders about risk
530
00:24:26.435 –> 00:24:28.395
management, these are the four questions I use.
531
00:24:31.305 –> 00:24:34.405
And I almost always find I have a far more open trusting
532
00:24:34.425 –> 00:24:37.645
and outcome focused conversation than I had
533
00:24:37.645 –> 00:24:38.645
with earlier approaches.
534
00:24:39.275 –> 00:24:40.845
It’s one of the things, I’ve been doing this stuff
535
00:24:40.865 –> 00:24:43.005
for quite a few years and I’ve got it wrong many times
536
00:24:44.185 –> 00:24:45.325
and I think I’m starting
537
00:24:45.365 –> 00:24:46.765
to learn from some of those mistakes.
538
00:24:48.485 –> 00:24:49.505
And what’s the first question?
539
00:24:49.535 –> 00:24:51.505
Well, the first question is what are we trying to achieve?
540
00:24:51.505 –> 00:24:54.945
What’s the purpose of our activity? Who do we serve, for
541
00:24:54.945 –> 00:24:57.795
what end? What are the customer and the product
542
00:24:57.815 –> 00:24:58.995
and the business requirements?
543
00:25:01.185 –> 00:25:02.465
Secondly, have we designed,
544
00:25:03.365 –> 00:25:04.745
and I use that word intentionally
545
00:25:04.745 –> 00:25:06.185
because whether we’ve documented it
546
00:25:06.185 –> 00:25:09.145
or not, yes, Tim will absolutely be able to get that to you.
547
00:25:09.765 –> 00:25:12.265
Um, whether we’ve documented it
548
00:25:12.265 –> 00:25:16.135
or not, whether we’ve connected or not, or not connected it
549
00:25:16.135 –> 00:25:20.195
or not, we have a design for our organization:
550
00:25:20.785 –> 00:25:23.275
targets, policies, decision making constructs,
551
00:25:23.375 –> 00:25:24.635
accountability models.
552
00:25:27.625 –> 00:25:31.105
Thirdly, how are we enabled to meet this design?
553
00:25:31.215 –> 00:25:33.465
What are the human and the data and the technology
554
00:25:33.485 –> 00:25:35.425
and the financial resources we have in place?
555
00:25:37.005 –> 00:25:39.465
And finally, how are we performing and how do we know this?
556
00:25:40.255 –> 00:25:41.945
What data do we have or measure?
557
00:25:42.535 –> 00:25:44.945
What do we do in order to address gaps in performance?
558
00:25:46.515 –> 00:25:49.415
And then finally, how are all of these elements connected?
559
00:25:50.505 –> 00:25:52.765
Is the purpose clearly translated into design?
560
00:25:53.725 –> 00:25:56.065
Is the design even feasible given the enablers?
561
00:25:57.055 –> 00:25:59.795
Are our performance metrics helpful in tweaking performance?
562
00:26:01.735 –> 00:26:04.075
And I’ll go into this construct in a little bit more
563
00:26:04.075 –> 00:26:08.035
because for me it’s so fundamental to that CPS 230,
564
00:26:08.065 –> 00:26:10.075
that operational risk journey.
565
00:26:11.335 –> 00:26:13.505
But if well populated
566
00:26:13.605 –> 00:26:16.025
and connected, it can really start
567
00:26:16.025 –> 00:26:17.905
to give us the insights we, we need
568
00:26:18.325 –> 00:26:20.305
to truly understand our critical operations.
569
00:26:21.325 –> 00:26:23.345
It can tell us who we rely on, who do we need
570
00:26:23.345 –> 00:26:26.745
to align across objectives and constraints and capacity?
571
00:26:27.595 –> 00:26:29.505
Where might our disconnects be coming from?
572
00:26:31.125 –> 00:26:32.825
But I think it can also help us have a bit more
573
00:26:32.825 –> 00:26:35.905
of an open conversation about why our controls might not be
574
00:26:36.145 –> 00:26:39.425
managing our risks, where we might need to tweak
575
00:26:39.445 –> 00:26:40.585
to improve reliability.
576
00:26:42.365 –> 00:26:44.175
And in, in my experience, at least
577
00:26:44.275 –> 00:26:45.775
by couching in this language,
578
00:26:46.335 –> 00:26:48.575
I think we can create a more inclusive description
579
00:26:48.595 –> 00:26:50.335
of our operational risk profile.
580
00:26:50.875 –> 00:26:53.695
And that inclusivity is so important
581
00:26:53.695 –> 00:26:56.775
because the people who manage our operational risks,
582
00:26:56.795 –> 00:26:57.975
we know they aren’t the risk folk.
583
00:26:58.125 –> 00:27:00.655
It’s operations, it’s product, it’s technology.
584
00:27:01.675 –> 00:27:06.125
Our job is to create a description that includes people.
585
00:27:07.875 –> 00:27:10.615
And so if this model can give us a leg up towards CPS 230,
586
00:27:10.615 –> 00:27:13.215
I think it’s worthwhile thinking about how much
587
00:27:13.215 –> 00:27:15.455
of the data that populates that we might have already,
588
00:27:16.265 –> 00:27:18.415
where it’s stored, is it connected?
589
00:27:19.715 –> 00:27:22.935
How do we connect it? So over the following pages,
590
00:27:23.095 –> 00:27:25.535
I wanna spend a bit of time digging into each
591
00:27:25.535 –> 00:27:26.695
of the data elements that
592
00:27:26.725 –> 00:27:28.335
we see at least as being crucial.
593
00:27:29.555 –> 00:27:32.895
And what you might wanna do as I do this is start a bit
594
00:27:32.895 –> 00:27:35.015
of a mental inventory for your own organization.
595
00:27:35.835 –> 00:27:36.855
You might wanna think about whether
596
00:27:36.855 –> 00:27:39.095
or not you’ve got a clear and agreed view of the data.
597
00:27:40.155 –> 00:27:42.055
You might wanna think about whether you’re storing it
598
00:27:42.055 –> 00:27:43.095
in a consistent manner.
599
00:27:44.825 –> 00:27:47.245
You might wanna think about whether you’ve captured all the
600
00:27:47.245 –> 00:27:49.965
things that you might want, with enough specificity to measure
601
00:27:49.985 –> 00:27:53.405
and understand clear ownership, but maybe not too much.
602
00:27:54.265 –> 00:27:56.725
And finally think about
603
00:27:56.745 –> 00:27:58.885
how the data is stored.
604
00:27:59.705 –> 00:28:02.285
Is it stored in a way that you can actually connect it?
605
00:28:02.735 –> 00:28:05.165
Could you clearly understand for a given operation
606
00:28:05.665 –> 00:28:06.685
how it’s been designed?
607
00:28:07.105 –> 00:28:10.405
Who enables it? How would we know if it’s going well or not?
608
00:28:18.775 –> 00:28:22.355
And so the first area I wanted to explore was purpose.
609
00:28:23.455 –> 00:28:26.385
What are we trying to achieve? And the kinds of things
610
00:28:26.735 –> 00:28:27.785
that we wanna know here.
611
00:28:29.295 –> 00:28:30.425
Purpose and objective.
612
00:28:30.425 –> 00:28:33.945
It’s not just, it’s not even really our high level business
613
00:28:33.945 –> 00:28:36.385
purpose, those vision things.
614
00:28:36.615 –> 00:28:38.625
Because again, we’re down to the process level.
615
00:28:39.285 –> 00:28:41.105
What’s the actual purpose of the process?
616
00:28:41.885 –> 00:28:43.185
Are we trying to process claims
617
00:28:43.205 –> 00:28:44.905
to a certain level of efficiency?
618
00:28:45.525 –> 00:28:47.105
Do we wanna process a certain number
619
00:28:47.105 –> 00:28:48.505
of transactions per day?
620
00:28:49.735 –> 00:28:52.105
We wanna connect it to that higher strategic purpose,
621
00:28:52.725 –> 00:28:54.385
but it’s more important to be clear on
622
00:28:54.485 –> 00:28:56.705
how we’ll actually know if we’re doing what we need.
623
00:28:58.795 –> 00:29:00.855
And we need to know who and what need we’re serving.
624
00:29:01.515 –> 00:29:03.965
What are the products, services, customers, channels?
625
00:29:04.785 –> 00:29:07.245
Is this a 30 year mortgage, a multi-year
626
00:29:07.315 –> 00:29:10.005
annuity, a day-to-day payment card?
627
00:29:12.185 –> 00:29:14.165
We need to know who our internal customers are,
628
00:29:14.815 –> 00:29:16.245
who’s downstream dependent.
629
00:29:17.165 –> 00:29:20.455
They rely on us. So our constraints are their constraints
630
00:29:21.155 –> 00:29:22.495
and we need to understand their purpose
631
00:29:22.555 –> 00:29:23.575
so we can design for this.
632
00:29:25.355 –> 00:29:27.815
And finally, we need to understand the rules we need
633
00:29:27.815 –> 00:29:29.415
to play within and the risks we might,
634
00:29:29.415 –> 00:29:30.415
that might put us off track.
635
00:29:31.645 –> 00:29:33.305
And I’m not saying by putting risk at the bottom,
636
00:29:33.375 –> 00:29:34.505
it’s the least important thing
637
00:29:34.505 –> 00:29:35.905
here, but it’s not the driver.
638
00:29:36.565 –> 00:29:38.825
The driver is the why and the what.
639
00:29:39.205 –> 00:29:40.745
The risk is how we might go off track.
640
00:29:41.985 –> 00:29:43.285
So we need to design for it,
641
00:29:43.935 –> 00:29:45.435
but only in the context of purpose.
642
00:29:47.525 –> 00:29:49.745
And you’ll also notice that I’ve delineated some colors
643
00:29:49.745 –> 00:29:51.185
here, some green and some brown.
644
00:29:52.415 –> 00:29:54.115
And this is because in my experience,
645
00:29:54.495 –> 00:29:56.115
and most of you, if you’re coming from a risk lens,
646
00:29:56.115 –> 00:29:59.435
you’ll have a GRC system, a risk intelligence system.
647
00:29:59.495 –> 00:30:01.595
And in that risk system you’ll probably
648
00:30:01.595 –> 00:30:02.755
have obligations and risks.
649
00:30:03.795 –> 00:30:06.175
But many of you will not have the stuff in brown.
650
00:30:07.225 –> 00:30:09.445
And you’ll see through the following pages that the bulk
651
00:30:09.445 –> 00:30:12.525
of the data that we see as being really fundamental elements
652
00:30:12.545 –> 00:30:16.445
of that CPS 230 model, well,
653
00:30:16.445 –> 00:30:18.205
they’re not traditionally in GRC systems.
654
00:30:19.665 –> 00:30:20.925
And I thought about this for a second
655
00:30:20.945 –> 00:30:22.125
and I thought, does that make sense?
656
00:30:23.375 –> 00:30:25.165
We’re saying that with, what, a new risk standard,
657
00:30:25.505 –> 00:30:29.005
but most of the data is not in our risk systems.
658
00:30:31.225 –> 00:30:32.925
And I sort of came to the conclusion, yeah,
659
00:30:33.605 –> 00:30:35.855
because I think if our current systems were actually
660
00:30:35.855 –> 00:30:37.695
capturing and connecting the dots,
661
00:30:38.225 –> 00:30:40.015
maybe we wouldn’t need the new regulation.
662
00:30:40.025 –> 00:30:41.495
Maybe we’d be doing this stuff already.
663
00:30:42.315 –> 00:30:43.335
So I think it makes sense.
664
00:30:47.025 –> 00:30:48.485
And the next area is design.
665
00:30:49.805 –> 00:30:53.505
So how have we intentionally
666
00:30:53.565 –> 00:30:55.185
or unintentionally over time
667
00:30:56.145 –> 00:30:57.825
designed our organization to meet our purpose?
668
00:30:59.285 –> 00:31:01.545
And I say intentionally or unintentionally, not
669
00:31:01.545 –> 00:31:03.585
because any of the individual decisions
670
00:31:03.995 –> 00:31:05.105
might be unintentional.
671
00:31:05.165 –> 00:31:08.425
I’m sure that there’s always logic, there’s always logic.
672
00:31:08.445 –> 00:31:10.025
People are always making decisions
673
00:31:10.635 –> 00:31:12.065
based on what’s available to them.
674
00:31:12.365 –> 00:31:16.105
But the combined effect is rarely if ever considered
675
00:31:16.875 –> 00:31:18.085
when those decisions are made.
676
00:31:18.665 –> 00:31:21.735
And if they are, that decision making is often
677
00:31:21.755 –> 00:31:22.935
in the hands of a few people.
678
00:31:23.035 –> 00:31:26.925
It may not be shared. So what are we looking at here?
679
00:31:26.925 –> 00:31:28.005
Well, look, I, I think we start
680
00:31:28.005 –> 00:31:29.525
with our process architecture.
681
00:31:29.625 –> 00:31:31.165
How do we organize what we do?
682
00:31:31.865 –> 00:31:34.605
Now in many organizations, this might be under-documented,
683
00:31:34.705 –> 00:31:37.205
it might not be as well understood as it could be.
684
00:31:38.025 –> 00:31:39.965
But in addition to the what, it’s important
685
00:31:39.965 –> 00:31:41.165
that we understand the limits.
686
00:31:42.075 –> 00:31:43.165
What are the capacities
687
00:31:43.165 –> 00:31:44.965
and the constraints of these processes?
688
00:31:45.665 –> 00:31:48.565
Now, in a traditional factory environment, we’d never try
689
00:31:48.565 –> 00:31:51.165
and switch out one manufacturing process from one line
690
00:31:51.165 –> 00:31:54.125
to another without a whole bunch of control
691
00:31:54.225 –> 00:31:55.285
and check and challenge.
692
00:31:56.755 –> 00:31:58.815
So why do we think we can switch out resources in a
693
00:31:58.815 –> 00:32:00.895
financial process with, with minimal loss
694
00:32:00.895 –> 00:32:02.495
of efficiency or reduction in quality?
695
00:32:04.175 –> 00:32:06.535
Secondly, how have we empowered these processes?
696
00:32:06.595 –> 00:32:07.695
Who makes the decisions?
697
00:32:08.085 –> 00:32:11.215
What does our policy construct tell us? Who is accountable?
698
00:32:12.655 –> 00:32:14.145
Thirdly and crucially, what are our limits,
699
00:32:14.165 –> 00:32:16.305
our appetite statements, our tolerances
700
00:32:16.935 –> 00:32:18.025
that we’ve set ourselves?
701
00:32:18.215 –> 00:32:21.025
What can we work within, hopefully within our constraints?
702
00:32:21.325 –> 00:32:22.945
But how does that relationship work?
703
00:32:25.045 –> 00:32:26.685
Fourthly, how have we put this together
704
00:32:27.235 –> 00:32:28.525
into a message for our people?
705
00:32:28.915 –> 00:32:31.405
What are they trained to do? What do their instructions say?
706
00:32:31.755 –> 00:32:34.005
What do the processes tell them to do when things go bump?
707
00:32:34.665 –> 00:32:37.295
And finally, how do we design our controls
708
00:32:37.295 –> 00:32:38.695
to keep all these parts on track?
709
00:32:40.215 –> 00:32:42.595
What’s our desired mechanism to keep things working?
710
00:32:44.855 –> 00:32:46.755
And I think there’s a really interesting thought experiment
711
00:32:46.755 –> 00:32:49.515
here in three parts, to play along
712
00:32:49.515 –> 00:32:53.525
if you want to. First, have a think about your organization
713
00:32:53.585 –> 00:32:56.725
and one of your key processes: customer service, claims
714
00:32:57.045 –> 00:33:00.725
handling, payments, and think about all this design stuff
715
00:33:01.105 –> 00:33:02.205
and ask a question:
716
00:33:05.275 –> 00:33:08.135
how confident are you that all of this design, the,
717
00:33:08.195 –> 00:33:11.495
the process delegations, the limits, the training material,
718
00:33:12.475 –> 00:33:15.335
are internally consistent with one another end to end?
719
00:33:15.805 –> 00:33:18.215
Does our training reinforce our delegation?
720
00:33:18.755 –> 00:33:20.215
Is that all connected with our process?
721
00:33:23.005 –> 00:33:24.445
Secondly, how confident are you
722
00:33:24.445 –> 00:33:26.965
that those elements have actually got a reasonable chance
723
00:33:26.985 –> 00:33:29.485
of delivering on the goals for that process?
724
00:33:29.745 –> 00:33:32.445
The growth in the customer goals, the risk goals.
725
00:33:34.035 –> 00:33:37.175
And that’s what the little blue feedback loop I think really
726
00:33:37.175 –> 00:33:38.375
is important in this model.
727
00:33:38.755 –> 00:33:41.095
We need to be checking if our design will actually meet our
728
00:33:41.095 –> 00:33:43.695
purpose or if we need to adjust one or the other.
729
00:33:45.195 –> 00:33:49.145
And the final question as you ponder this,
730
00:33:51.445 –> 00:33:53.905
do you think your current controls framework gives you any
731
00:33:53.905 –> 00:33:56.075
helpful information about all
732
00:33:56.075 –> 00:33:57.075
of the stuff you’re thinking about?
733
00:33:57.865 –> 00:34:00.205
And if it does, great, I’m really, really happy for you.
734
00:34:01.265 –> 00:34:03.485
And I’d love to learn more about
735
00:34:03.485 –> 00:34:05.205
how you’ve got your control framework doing that.
736
00:34:05.205 –> 00:34:07.965
Because in many of the organizations I speak with,
737
00:34:09.635 –> 00:34:12.165
there’s a level of confidence about one, you know,
738
00:34:12.165 –> 00:34:15.675
people understand what they’re doing, there’s
739
00:34:16.695 –> 00:34:19.025
less confidence about the connectivity.
740
00:34:20.205 –> 00:34:23.225
And when you start talking controls, it’s really quite,
741
00:34:24.555 –> 00:34:25.705
quite disconnected.
742
00:34:27.255 –> 00:34:29.665
Look, again, the green and the brown, it represents
743
00:34:29.665 –> 00:34:31.825
where this data sits today in many organizations.
744
00:34:32.295 –> 00:34:34.145
Look, I absolutely recognize that some
745
00:34:34.145 –> 00:34:36.905
of you will have more in the green than I’ve represented,
746
00:34:37.765 –> 00:34:40.185
but I’d be surprised if you can connect all the dots.
747
00:34:44.005 –> 00:34:47.225
And next we get into I think the real detail
748
00:34:47.225 –> 00:34:49.345
that CPS 230 is asking us for
749
00:34:50.045 –> 00:34:51.585
and, remember, remember back
750
00:34:51.585 –> 00:34:54.785
to our friend paragraph 27, that’s seared on my brain
751
00:34:54.845 –> 00:34:56.705
and you know, I think needs
752
00:34:56.705 –> 00:34:58.985
to be seared on a few more, is the enablers.
753
00:35:00.195 –> 00:35:02.145
These are the things that we need to have in place
754
00:35:02.165 –> 00:35:03.865
to bring the design to life.
755
00:35:04.985 –> 00:35:07.135
We’ve got our people, the systems they use,
756
00:35:07.155 –> 00:35:09.975
the data they rely on to enable those systems,
757
00:35:11.275 –> 00:35:13.855
the facilities they work in, the structures they rely on,
758
00:35:13.855 –> 00:35:15.455
the upstream dependencies delivered
759
00:35:15.455 –> 00:35:16.655
by others in the organization.
760
00:35:17.955 –> 00:35:20.055
And of course we’ve got the third parties that we rely on
761
00:35:20.155 –> 00:35:22.975
to deliver parts of or all of these processes.
762
00:35:24.415 –> 00:35:26.435
And as we see here, this is an area where I,
763
00:35:26.515 –> 00:35:28.915
I see many organizations haven’t gathered the data
764
00:35:29.335 –> 00:35:30.475
to connect the dots yet.
765
00:35:31.615 –> 00:35:33.275
Yep. Some organizations might have some
766
00:35:33.275 –> 00:35:34.595
of these elements in their risk systems,
767
00:35:35.015 –> 00:35:37.195
but even if they are, are they really connected
768
00:35:37.405 –> 00:35:40.365
with process purpose and design or are they standalone?
769
00:35:40.865 –> 00:35:42.605
Are they sitting in different silos?
770
00:35:44.065 –> 00:35:46.005
And that’s actually one of the challenges that I see
771
00:35:46.435 –> 00:35:49.005
that people have with CPS 234 in particular.
772
00:35:49.675 –> 00:35:52.005
Because if you can’t connect the technology risk
773
00:35:52.005 –> 00:35:55.405
with the business purpose, how can you actually show whether
774
00:35:55.405 –> 00:35:57.285
you’re managing the risk effectively at all?
775
00:36:00.085 –> 00:36:02.185
And look, here’s another great way to look at this.
776
00:36:02.815 –> 00:36:04.265
With that hypothetical process,
777
00:36:05.605 –> 00:36:08.075
think about whether your organization has put the right
778
00:36:08.115 –> 00:36:11.555
enablers in place to deliver the process design.
779
00:36:12.455 –> 00:36:14.195
And if you haven’t, how would you know?
780
00:36:14.615 –> 00:36:15.755
Except from the thing breaking.
781
00:36:17.875 –> 00:36:20.095
And this actually gets onto one of my bigger bugbears
782
00:36:20.095 –> 00:36:21.215
with control evaluation.
783
00:36:21.315 –> 00:36:23.895
And I’ve been as guilty as most over this.
784
00:36:24.795 –> 00:36:27.375
We test a control against a design or an objective.
785
00:36:28.315 –> 00:36:29.855
We find it doesn’t meet that objective.
786
00:36:29.855 –> 00:36:32.095
And then, and then the answer is improve the control.
787
00:36:32.855 –> 00:36:36.155
We don’t clearly understand what enables that control,
788
00:36:36.745 –> 00:36:38.075
what needs to be traded off
789
00:36:38.075 –> 00:36:39.235
to actually give us a better chance
790
00:36:39.235 –> 00:36:40.475
of delivering on our design.
791
00:36:42.235 –> 00:36:44.055
And that’s why unfortunately a lot
792
00:36:44.055 –> 00:36:46.415
of control remediations go on a scrap heap to die.
793
00:36:47.755 –> 00:36:50.015
So my advice, if you’re looking at a process incident
794
00:36:50.015 –> 00:36:52.055
or a control failure, start
795
00:36:52.055 –> 00:36:54.375
with getting a clear understanding of the enablers.
796
00:36:55.155 –> 00:36:57.175
And look, if you can’t get that from those involved,
797
00:36:57.445 –> 00:36:58.775
they probably don’t understand the process.
798
00:37:00.465 –> 00:37:03.285
And if they do, you’ll probably quickly find out
799
00:37:03.285 –> 00:37:04.365
where those stresses are.
800
00:37:05.725 –> 00:37:06.985
And please don’t read or listen
801
00:37:07.045 –> 00:37:10.065
or hear this as me saying just spend more money to fix
802
00:37:10.065 –> 00:37:12.345
problems, more enablers, better risk management.
803
00:37:13.285 –> 00:37:14.705
That’s not what I’m saying.
804
00:37:15.805 –> 00:37:17.335
What I’m saying is we need to understand
805
00:37:17.515 –> 00:37:20.335
how we’ve allocated our finite resources across a purpose.
806
00:37:21.445 –> 00:37:23.515
Which of those resource allocations might be
807
00:37:23.515 –> 00:37:24.795
causing us the most pressure?
808
00:37:25.795 –> 00:37:29.485
Are there any allocations we can reduce, whether we trade off,
809
00:37:30.255 –> 00:37:31.995
or do we just have to continue running hot
810
00:37:32.495 –> 00:37:33.835
and accept that things might break?
811
00:37:34.875 –> 00:37:38.455
And that might be fine if we’re doing so with preparedness.
812
00:37:42.075 –> 00:37:43.295
And the final element of this
813
00:37:43.295 –> 00:37:44.535
model, the performance metrics.
814
00:37:46.175 –> 00:37:48.075
How do we know if we’re using our enablers
815
00:37:48.075 –> 00:37:50.475
to deliver on our design and hence meet our purpose?
816
00:37:52.525 –> 00:37:54.745
And those metrics and goals and the like, they’re key here.
817
00:37:54.965 –> 00:37:56.345
But also things like complaints
818
00:37:56.645 –> 00:38:00.185
and issues where we need to apply consequence management,
819
00:38:00.365 –> 00:38:01.825
how our controls are performing,
820
00:38:02.205 –> 00:38:04.305
how well we’re delivering on our improvement actions.
821
00:38:04.805 –> 00:38:06.145
And of course my personal favorite,
822
00:38:06.195 –> 00:38:07.745
those unplanned investments
823
00:38:07.745 –> 00:38:10.745
and process improvement, a.k.a. our incidents.
824
00:38:12.145 –> 00:38:14.665
I think the key question to ask here is are we getting the
825
00:38:14.665 –> 00:38:16.345
right information at the right time
826
00:38:16.885 –> 00:38:18.425
to tweak the process design
827
00:38:18.645 –> 00:38:20.945
and enablement so we can stay on track
828
00:38:22.005 –> 00:38:24.785
rather than focusing on managing the metrics we do receive?
829
00:38:25.845 –> 00:38:29.145
And again, much of the data that we see as being vital dots
830
00:38:29.145 –> 00:38:30.945
to be connected, they’re not present in those
831
00:38:31.415 –> 00:38:32.705
risk platforms traditionally.
832
00:38:36.755 –> 00:38:38.975
One of the goals that I set for this session was
833
00:38:38.975 –> 00:38:42.215
to give a view of a connected model that might enable you
834
00:38:42.215 –> 00:38:44.135
to meet CPS 230 with confidence.
835
00:38:45.895 –> 00:38:47.015
I suggest that this model,
836
00:38:48.025 –> 00:38:50.605
it has roots in CPS 230 requirements,
837
00:38:50.625 –> 00:38:52.565
but it does in some areas go a bit broader.
838
00:38:54.465 –> 00:38:55.555
It’s a blueprint for this.
839
00:38:56.725 –> 00:38:58.665
Is it perfect for your organization today?
840
00:38:58.665 –> 00:39:00.825
No, of course not. We’re all different in some way.
841
00:39:01.885 –> 00:39:04.865
But does it offer a model to work to? Absolutely.
842
00:39:06.085 –> 00:39:08.385
And I think crucially for those of us in risk roles,
843
00:39:09.045 –> 00:39:11.345
it offers an operations led conversation.
844
00:39:12.445 –> 00:39:14.865
So I spoke earlier about the risks of letting silos,
845
00:39:14.865 –> 00:39:16.465
whether they be risk or resilience
846
00:39:16.525 –> 00:39:18.025
or vendor management lead here.
847
00:39:19.265 –> 00:39:21.505
’cause CPS 230 will only ever be part of
848
00:39:21.505 –> 00:39:24.225
what you do each day if it’s being led by your product
849
00:39:24.365 –> 00:39:26.585
and technology and operational leaders.
850
00:39:28.415 –> 00:39:30.035
And this data model, whenever I put it in front
851
00:39:30.035 –> 00:39:31.155
of those people, it resonates.
852
00:39:31.295 –> 00:39:34.595
It talks to them in their language, it reflects their mindset.
853
00:39:36.355 –> 00:39:38.415
And that’s the thing, if we go on all guns blazing
854
00:39:38.415 –> 00:39:40.335
and tell people they’re gonna have to reinvent themselves
855
00:39:40.335 –> 00:39:43.415
because the regulator says we need a new mindset that
856
00:39:43.415 –> 00:39:46.055
what they’ve been doing up until now is wrong.
857
00:39:46.605 –> 00:39:47.735
Well, we’re in for a tough time
858
00:39:48.715 –> 00:39:51.985
because operational people manage risk every day.
859
00:39:52.345 –> 00:39:53.505
Payments are processed,
860
00:39:53.645 –> 00:39:56.025
claims are handled, pensions are paid.
861
00:39:57.025 –> 00:39:59.045
Is it perfect? No, of course not.
862
00:40:00.415 –> 00:40:04.405
But I think a way forward offers, sorry,
863
00:40:05.005 –> 00:40:07.085
a way forward that respects what it’s done
864
00:40:07.345 –> 00:40:10.425
and builds on it offers far more
865
00:40:11.115 –> 00:40:13.025
value than a way forward that tries
866
00:40:13.025 –> 00:40:14.225
to burn that to the ground.
867
00:40:15.505 –> 00:40:17.085
And that is what this model tries to do
868
00:40:17.505 –> 00:40:20.005
and tries to respect and go forward.
869
00:40:24.405 –> 00:40:25.905
So I’ve
870
00:40:26.025 –> 00:40:28.065
provided a bit of an overview of some of the key elements
871
00:40:28.065 –> 00:40:29.505
of CPS 230, the mindset
872
00:40:29.805 –> 00:40:33.375
and the data model that will be required in our view
873
00:40:33.375 –> 00:40:35.135
to demonstrate sustainable resilience.
874
00:40:36.495 –> 00:40:39.155
But what should organizations be doing now
875
00:40:39.455 –> 00:40:41.515
to move from preparation to action?
876
00:40:42.825 –> 00:40:44.105
Well, many
877
00:40:44.105 –> 00:40:47.185
of the organizations I think are still in that get ready phase.
878
00:40:48.355 –> 00:40:49.735
So if we think about ready, set, go,
879
00:40:50.065 –> 00:40:52.135
we’re starting the race, I think a lot
880
00:40:52.135 –> 00:40:53.535
of people are still getting ready, but
881
00:40:53.535 –> 00:40:54.735
we’re soon gonna need to get set.
882
00:40:56.385 –> 00:40:59.605
Now, in my view, a lot of the value added, the opportunity
883
00:40:59.705 –> 00:41:03.445
to connect these efforts sits in the get ready stage.
884
00:41:04.725 –> 00:41:06.765
I think there’s also potential for high volatility
885
00:41:06.785 –> 00:41:09.725
in outcomes because this is where it’s important
886
00:41:09.725 –> 00:41:12.125
to build engagement, getting it on the agenda,
887
00:41:12.195 –> 00:41:14.045
getting it on the budget slate.
888
00:41:15.225 –> 00:41:17.485
And I don’t think we can overestimate the importance
889
00:41:17.545 –> 00:41:20.005
of setting a really clear view on what must be true,
890
00:41:20.105 –> 00:41:22.005
what’s our data model, what’s our mindset,
891
00:41:26.685 –> 00:41:27.545
how are we
892
00:41:31.225 –> 00:41:31.885
to get to this?
893
00:41:33.245 –> 00:41:35.495
Because that then drives the activity that follows.
894
00:41:37.835 –> 00:41:39.255
And I think it’s also vital at this stage
895
00:41:39.255 –> 00:41:41.655
to make some key decisions about roles and planning.
896
00:41:42.475 –> 00:41:44.015
And one question we’ve commonly heard is,
897
00:41:44.015 –> 00:41:47.815
will CPS 230 be a project or not? Our experience is,
898
00:41:47.815 –> 00:41:49.895
in some organizations it is and in some it isn’t.
899
00:41:50.715 –> 00:41:52.695
And then the next question is, well, should it be?
900
00:41:54.495 –> 00:41:56.275
And I think it’s actually more helpful to look at
901
00:41:56.275 –> 00:42:00.515
what we see as the critical success factors for CPS 230
902
00:42:01.055 –> 00:42:03.355
and how you’ll achieve those than work out
903
00:42:03.355 –> 00:42:04.475
whether it’s a project or not.
904
00:42:05.415 –> 00:42:10.025
So will you have a clear shared view of the end state?
905
00:42:11.365 –> 00:42:13.665
Can you get the right access to the right capability
906
00:42:13.685 –> 00:42:15.265
to make good decisions at the right time?
907
00:42:16.775 –> 00:42:17.875
Can you coordinate
908
00:42:17.875 –> 00:42:20.355
and access the resources you need to make progress?
909
00:42:22.205 –> 00:42:25.165
Fourthly, and so fundamentally, are you confident
910
00:42:25.165 –> 00:42:26.445
that the knowledge gained
911
00:42:27.145 –> 00:42:29.645
by doing the work will be institutionalized,
912
00:42:30.195 –> 00:42:32.565
will become part of the way things are done around here?
913
00:42:33.855 –> 00:42:35.435
And finally, have you got a good mechanism
914
00:42:35.455 –> 00:42:36.995
to work out if you’re on track or not?
915
00:42:38.715 –> 00:42:40.995
I think if you can answer those five questions in the
916
00:42:40.995 –> 00:42:43.635
affirmative, then I don’t care whether you’ve got a project
917
00:42:43.935 –> 00:42:46.555
that’s on the side of someone’s desk, whatever it might be.
918
00:42:47.745 –> 00:42:51.195
Realistically, I expect many organizations will put in place
919
00:42:51.275 –> 00:42:54.235
a project model as they transition from get ready
920
00:42:54.235 –> 00:42:56.675
to get set given the volume of work
921
00:42:56.675 –> 00:42:58.315
and coordination required.
922
00:42:59.855 –> 00:43:02.995
And that next phase get set, that’s
923
00:43:02.995 –> 00:43:04.075
where the volume of work is.
924
00:43:04.735 –> 00:43:07.195
That’s where we do the documentation, the control mapping,
925
00:43:07.255 –> 00:43:09.235
the methodology updates, the system upgrades.
926
00:43:09.855 –> 00:43:11.755
And our advice here
927
00:43:12.095 –> 00:43:14.475
and that’s drawn as much from our early experience
928
00:43:14.475 –> 00:43:16.875
of this work as it is from past regulatory efforts,
929
00:43:17.095 –> 00:43:19.395
is the importance of iteration
930
00:43:20.015 –> 00:43:23.915
and maintaining a clear view of the end state. First efforts,
931
00:43:24.085 –> 00:43:28.275
first list of critical operations, controls, tolerances,
932
00:43:28.955 –> 00:43:30.115
material service providers.
933
00:43:30.465 –> 00:43:33.715
They will update, they will require more data, sorry,
934
00:43:33.715 –> 00:43:34.995
they’ll require update.
935
00:43:35.015 –> 00:43:36.275
As your data improves,
936
00:43:37.065 –> 00:43:39.075
your processes will need to change and evolve.
937
00:43:39.795 –> 00:43:41.395
Incident management, business continuity.
938
00:43:42.895 –> 00:43:45.115
So expect iteration, don’t expect
939
00:43:45.115 –> 00:43:46.155
to get it right first time.
940
00:43:46.815 –> 00:43:48.035
But I think importantly,
941
00:43:49.045 –> 00:43:50.675
start making the trade off decisions
942
00:43:50.755 –> 00:43:52.395
that CPS 230 will require.
943
00:43:52.855 –> 00:43:56.675
As you get set, start living that resilient lifestyle.
944
00:43:57.815 –> 00:43:59.595
How quickly think about
945
00:43:59.595 –> 00:44:01.195
how quickly you can integrate tolerances
946
00:44:01.195 –> 00:44:03.195
for critical operations into decision making,
947
00:44:03.665 –> 00:44:05.875
even on a scenario or an exercise basis.
948
00:44:06.725 –> 00:44:09.235
Think about how quickly you can move your procurement
949
00:44:09.825 –> 00:44:11.355
that relates to critical operations
950
00:44:11.375 –> 00:44:13.275
to being CPS 230 informed.
951
00:44:13.625 –> 00:44:15.035
Because you know what?
952
00:44:15.175 –> 00:44:18.955
Any contract you’ve entered into over the next 18 months
953
00:44:18.955 –> 00:44:20.995
or so will at some stage likely have
954
00:44:20.995 –> 00:44:23.795
to meet CPS 230 requirements if it’s in scope.
955
00:44:25.655 –> 00:44:26.775
And that’s
956
00:44:26.775 –> 00:44:28.615
because as you move from getting set to go,
957
00:44:29.465 –> 00:44:32.245
well the expectation is that CPS 230 is well embedded,
958
00:44:34.125 –> 00:44:36.175
that implementation date’s been pushed out.
959
00:44:36.205 –> 00:44:38.615
Well, there’s an expectation of performance from day one.
960
00:44:39.765 –> 00:44:41.175
Produce the reports you need,
961
00:44:41.205 –> 00:44:42.975
give the board the information they need
962
00:44:43.725 –> 00:44:45.985
to oversight, all from day one.
963
00:44:48.765 –> 00:44:51.685
And so to wrap up, I wanna go back
964
00:44:51.685 –> 00:44:55.645
to some words from Wayne Byres of APRA a couple of years ago.
965
00:44:56.265 –> 00:44:58.565
And I think they form a really clear basis of the ask
966
00:44:58.585 –> 00:44:59.685
for CPS 230.
967
00:45:02.075 –> 00:45:03.215
And that’s what we’re being asked to do.
968
00:45:03.265 –> 00:45:04.815
We’re being asked to join the dots.
969
00:45:05.485 –> 00:45:07.185
The dots are mostly there.
970
00:45:07.865 –> 00:45:09.905
I think you’ll see from the data model I shared earlier
971
00:45:09.975 –> 00:45:12.065
that the dots may not all be there
972
00:45:12.885 –> 00:45:15.665
and they almost certainly haven’t been connected
973
00:45:15.665 –> 00:45:18.545
or constructed in such a way that they’re easy to connect.
974
00:45:21.065 –> 00:45:23.445
And why not? Well, I think we haven’t had good end-to-end
975
00:45:23.445 –> 00:45:25.205
views of our critical operations
976
00:45:25.915 –> 00:45:27.765
risk systems, process systems.
977
00:45:29.675 –> 00:45:34.365
They haven’t helped us and we haven’t thought about this
978
00:45:35.135 –> 00:45:36.745
perhaps as much as we could
979
00:45:38.215 –> 00:45:40.665
from multiple lenses across the organization.
980
00:45:41.665 –> 00:45:44.205
Our mindsets, thinking about
981
00:45:46.855 –> 00:45:49.735
who’s upstream, who’s downstream, how does
982
00:45:49.735 –> 00:45:52.215
that work in an organization which is siloed.
983
00:45:53.325 –> 00:45:55.855
It’s not people who haven’t been thinking about it,
984
00:45:55.855 –> 00:45:57.415
it’s the organization that’s been forcing
985
00:45:58.065 –> 00:45:59.215
their thinking in that way.
986
00:46:00.075 –> 00:46:01.935
And so I think the work we need to do has
987
00:46:01.935 –> 00:46:03.175
to address both these challenges.
988
00:46:04.215 –> 00:46:06.375
I think we need better connected,
989
00:46:06.695 –> 00:46:10.095
coherent data on our critical operations, their purpose,
990
00:46:10.345 –> 00:46:13.535
their design, their enablers, and their performance.
991
00:46:14.555 –> 00:46:17.375
And we need this data in a manner that’s useful,
992
00:46:18.255 –> 00:46:21.725
not disaggregated, not perfect,
993
00:46:22.165 –> 00:46:23.525
absolutely but useful.
994
00:46:25.905 –> 00:46:27.485
And I think most of this data exists,
995
00:46:27.665 –> 00:46:30.525
but we need better tools and we need time
996
00:46:30.665 –> 00:46:34.125
to connect the dots because that’s not easy either.
997
00:46:36.355 –> 00:46:37.935
And I think we need to think a bit differently.
998
00:46:39.475 –> 00:46:41.415
If we don’t attempt to understand the pressures
999
00:46:41.415 –> 00:46:43.495
and the constraints and the challenges of those who
1000
00:46:44.555 –> 00:46:48.475
we rely on to do what we do well, I think they’ll continue
1001
00:46:48.475 –> 00:46:49.835
to surprise and disappoint us.
1002
00:46:51.945 –> 00:46:54.285
And at some point that becomes more our fault than theirs.
1003
00:46:55.145 –> 00:46:58.395
If we haven’t set up a process
1004
00:46:59.105 –> 00:47:03.555
that is consistent between purpose, design, enablers
1005
00:47:03.695 –> 00:47:08.005
to meet performance, then that’s the challenge on the person
1006
00:47:08.265 –> 00:47:10.605
and the people and the groups who have designed those
1007
00:47:12.195 –> 00:47:14.965
processes, not the people who are delivering on them.
1008
00:47:16.195 –> 00:47:19.455
And I think CPS 230 can be a catalyst for better
1009
00:47:19.915 –> 00:47:22.615
and more robust conversations about
1010
00:47:22.615 –> 00:47:26.625
what can actually be achieved and at what level of risk
1011
00:47:27.005 –> 00:47:28.505
and with what level of resources.
1012
00:47:31.285 –> 00:47:33.385
And in my experience, that’s what all leaders,
1013
00:47:34.995 –> 00:47:37.705
not just risk leaders are crying out for.
1014
00:47:41.155 –> 00:47:43.585
Thank you for listening to that presentation.
1015
00:47:43.705 –> 00:47:45.425
I hope as I said that you were able to
1016
00:47:46.325 –> 00:47:48.545
get those two key takeaways, a bit
1017
00:47:48.545 –> 00:47:49.905
of a better understanding about the mindset
1018
00:47:49.965 –> 00:47:50.985
and what that might look like
1019
00:47:51.525 –> 00:47:53.225
and a bit of an understanding about what
1020
00:47:53.225 –> 00:47:54.825
that data model might look like
1021
00:47:55.285 –> 00:47:57.025
and then some thoughts about how to go forward.
1022
00:47:57.965 –> 00:48:00.025
I’m happy to take any questions through the chat
1023
00:48:00.885 –> 00:48:04.905
and also happy to, uh, provide any other comments
1024
00:48:04.905 –> 00:48:07.225
that anyone may be interested in understanding.
1025
00:48:07.485 –> 00:48:09.305
But at this point, um, if there’s nothing further,
1026
00:48:10.055 –> 00:48:12.265
I’ll be happy to uh, wish you a good day
1027
00:48:12.325 –> 00:48:13.345
and thank you for your time.
1028
00:48:32.135 –> 00:48:35.575
Looks like the, um, questions are minimal.
1029
00:48:36.595 –> 00:48:39.535
As um, Craig indicated we will share the material,
1030
00:48:40.435 –> 00:48:43.775
the recording, and the slides with all of the participants.
1031
00:48:44.295 –> 00:48:46.975
I also note that there may have been some challenges
1032
00:48:46.975 –> 00:48:49.855
with the links, so we will, um, just work out how best
1033
00:48:49.855 –> 00:48:52.455
to make sure that everybody who was interested today, um,
1034
00:48:53.435 –> 00:48:54.455
the material they need.
1035
00:48:54.635 –> 00:48:59.215
And I’m always interested in discussing, um, any element
1036
00:48:59.215 –> 00:49:01.655
of CPS 230 with anybody at any time.
1037
00:49:02.075 –> 00:49:03.695
Tim, you did have a question about supplier.
1038
00:49:05.155 –> 00:49:07.775
I think my read on supplier and I,
1039
00:49:07.815 –> 00:49:10.015
and I sort of come back to, to my approach is there’s gonna
1040
00:49:10.015 –> 00:49:12.095
be a huge amount of work in supplier and third party.
1041
00:49:13.075 –> 00:49:16.415
Um, I think it’s almost certain that every organization
1042
00:49:16.415 –> 00:49:19.895
that is an APRA-regulated entity will have more
1043
00:49:21.535 –> 00:49:24.895
material service providers than material outsourcing.
1044
00:49:25.695 –> 00:49:27.255
I think the work has to start early
1045
00:49:27.515 –> 00:49:29.775
and it has to start with a list of who are those
1046
00:49:30.335 –> 00:49:31.495
suppliers likely to be.
1047
00:49:32.075 –> 00:49:33.415
And where I’ve been working
1048
00:49:33.415 –> 00:49:36.615
with organizations is let’s get a list, let’s rank them,
1049
00:49:37.185 –> 00:49:39.135
let’s work out how critical they are
1050
00:49:39.235 –> 00:49:40.495
and let’s work out a timeline.
1051
00:49:41.075 –> 00:49:45.215
Um, I think the challenge then starts to play out
1052
00:49:45.915 –> 00:49:47.335
as you actually start to uncover
1053
00:49:47.395 –> 00:49:48.575
and say, well,
1054
00:49:48.715 –> 00:49:51.455
can those suppliers do those things we’re asking them to do?
1055
00:49:52.955 –> 00:49:55.255
So then you’re actually saying, well, have we got, you know,
1056
00:49:55.255 –> 00:49:57.055
how do our enablers align with our design?
1057
00:49:57.795 –> 00:49:59.615
But that’s not an easy conversation,
1058
00:49:59.995 –> 00:50:01.775
but I think you have to get to it first.
1059
00:50:02.675 –> 00:50:06.295
So my thoughts on supplier are: iterate,
1060
00:50:06.955 –> 00:50:08.345
bring up the hard things early
1061
00:50:08.535 –> 00:50:11.305
because it will take 12 to 18 months to address that.
1062
00:50:17.525 –> 00:50:19.865
And for those suppliers who might be on the, um, on,
1063
00:50:19.885 –> 00:50:22.505
on the call, I think the only other comment I’d make would
1064
00:50:22.505 –> 00:50:25.845
be think about this lens.
1065
00:50:26.135 –> 00:50:27.405
Think about it now,
1066
00:50:27.875 –> 00:50:29.005
because your, your,
1067
00:50:29.075 –> 00:50:32.365
your customer organizations will be coming to you expecting
1068
00:50:32.945 –> 00:50:34.605
the, you know, you to have thought about it.
1069
00:50:35.205 –> 00:50:37.205
I think that the worst position
1070
00:50:37.205 –> 00:50:40.885
to be from a third party’s perspective is having 10 sets
1071
00:50:40.885 –> 00:50:41.885
of requirements to meet.
1072
00:50:42.425 –> 00:50:45.045
So I would be very much advocating for third parties
1073
00:50:45.225 –> 00:50:46.845
to be able to say, this is
1074
00:50:46.845 –> 00:50:48.685
what we understand our critical operat, you know,
1075
00:50:48.685 –> 00:50:51.165
how we support critical operations to be, this is
1076
00:50:51.165 –> 00:50:52.805
how we are thinking about tolerances
1077
00:50:53.505 –> 00:50:55.445
and this is how we’re thinking about doing
1078
00:50:55.465 –> 00:50:56.525
our testing and our work.
1079
00:50:56.755 –> 00:50:58.285
Does that meet your requirements?
1080
00:50:58.795 –> 00:51:01.845
More so than getting 10 different sets of requirements.
1081
00:51:01.905 –> 00:51:04.405
And that’s what we definitely will see with some
1082
00:51:04.405 –> 00:51:06.885
of those larger providers who might be working with
1083
00:51:07.445 –> 00:51:09.565
multiples is, you know, here’s our,
1084
00:51:09.565 –> 00:51:10.765
here’s our interpretation.
1085
00:51:11.145 –> 00:51:12.325
Do you accept it or not?
1086
00:51:12.515 –> 00:51:13.925
Because if you don’t accept it,
1087
00:51:13.925 –> 00:51:16.805
there might be more cost associated with it as opposed to,
1088
00:51:17.265 –> 00:51:18.845
you know, take, take the work that we’ve done.
1089
00:51:22.275 –> 00:51:25.575
Any other questions from those who are, um, on the chat?
1090
00:51:54.595 –> 00:51:58.015
If not, I will probably call this at two minutes to
1091
00:51:58.275 –> 00:52:00.215
and say thank you so much for your time.
1092
00:52:00.755 –> 00:52:04.375
Um, and have a great day.