The Australian Prudential Regulation Authority (APRA) is consulting on a new prudential standard designed to strengthen the management of operational risk in the banking, insurance and superannuation industries.
Operational risk is the potential for financial loss or material disruption as a result of inadequate or failed internal processes or systems, the actions of people or external drivers and events, such as a pandemic or natural disaster.
In a consultation package released today, APRA proposes to introduce a new cross-industry Prudential Standard CPS 230 Operational Risk Management, which will set out minimum standards for managing operational risk, including updated requirements for business continuity and service provider management.
Chair Wayne Byres said APRA was moving to strengthen standards of operational risk management in response to changing business models, lessons from recent years and developments in global good practice.
"Disruptions to financial services – even temporarily – can have a major detrimental impact on the community.
"In strengthening the ability of APRA-regulated entities to identify, manage and respond to operational risk events, APRA is seeking to enhance operational and financial resilience, as well as financial stability.
"The proposed CPS 230 will also help ensure APRA-regulated entities meet the challenges posed by ongoing innovation and technological change in the financial services industry,” Mr Byres said.
The proposed new standard includes requirements for regulated entities to:
- maintain effective internal controls for operational risk, commensurate with the size, business mix and complexity of the activities they undertake;
- be prepared and ready to ensure continued delivery of critical operations during periods of disruption; and
- effectively manage the risks associated with the use of service providers.
The new standard will incorporate updated requirements for service provider management (currently outsourcing) and business continuity management that are currently contained in prudential standards CPS 231 Outsourcing and CPS 232 Business Continuity Management (and the corresponding superannuation standards SPS 231 and SPS 232 and private health insurance standard HPS 231). These five standards will be replaced by the new CPS 230.
After reviewing industry feedback in response to the consultation, APRA expects to release the final CPS 230 early next year, before the new standard comes into force from 1 January 2024.
The consultation package is available on the APRA website at: Operational risk management.