Financial institutions are rightly some of the most heavily scrutinised institutions in the world of regulation. And with CPS 230 set to raise the bar on compliance within the coming 24 months, the Big 4 — as well as mutual banks and other smaller financial providers — can expect to find themselves within the laser sight of APRA within the next 18 months.

CPS 230 is the new prudential standard set to supersede five existing prudential standards: CPS 231, SPS 231, HPS 231, CPS 232, and SPS 232. It mandates considerable new structures for financial institutions, in particular when it comes to operational risk management. Being beasts with many tentacles, pinning down operational processes across any financial institution is no easy task. Legacy systems, disparate teams and technologies, and in many instances, just plain old apathy, make operational risk management at best a headache, at worst a catastrophic drain on valuable time and resources. It’s hard enough to establish systems to ensure effective compliance, let alone having to prove such systems work — and work well — to the many fastidious eyes at APRA. 

Comparable experiences of entities in the UK and Canada suggest that meeting compliance changes is likely to be a considerable task: time consuming, resource intensive, and touching many to all areas of operations. 

At Holocentric, our goal is to provide operational risk management tools that are simple, robust, and scrutable: intuitive and a pleasure to use for our partner organisations, robust and rigorous in meeting and maintaining compliance, and a blessing for APRA, allowing compliance to be efficiently demonstrated in just a few clicks.

To briefly refresh the three pillars of CPS 230 (and you can learn more about these here), CPS 230 will introduce new requirements and enhance existing requirements across these three core areas:

• Operational risk management: Entities must effectively manage operational risks, and set and maintain appropriate standards for conduct and compliance.
• Business continuity planning (BCP): Entities must clearly identify critical operations, establish acceptable tolerance levels (e.g. maximum period of disruption), and maintain and test BCPs regularly.
• Service provider management: Entities must maintain a comprehensive service provider management policy. The policy must cover how the entity will identify material service providers and manage service provider arrangements, including the management of material risks associated with these arrangements.

The most commonly used definition of Operational Risk can be found in the Basel II regulations. The Basel II definition of operational risk is:

 *Note: APRA has removed reputational risk from the list of risks included as part of operational risk, as typically reputational risk is an outcome of an operational risk incident or event, rather than an operational risk itself. See APRA Operational Risk Response Paper, July 2023. 

Operational Risk events cost firms hundreds of millions, and often billions, of dollars. As Philippa Girling [et al.] argue in the latest edition of Operational Risk Management: A Complete Guide for Banking and Fintech (2022), ‘[…] broken processes and poorly trained staff can result in many small errors that add up to serious downward pressure on the profits of a firm.’ In other words, operational risk management is not only about meeting compliance. It’s about managing — and ideally minimising — unnecessary cost. 

The relevant types of operational risk Operational risks include (but are not limited to):

• legal risk
• regulatory risk
• compliance risk
• conduct risk
• technology risk
• data risk
• change management risk

In essence, an operational risk management program should ensure that operational risk is identified, assessed, monitored, controlled, and mitigated. A successful operational risk program should combine both qualitative and quantitative approaches to ensure that operational risk is both appropriately measured and effectively managed.

There are 3 core aspects of measuring and managing operational risks:

• Operational risk profile and assessment
• Operational risk controls
• Operational risk incidents

Under CPS 230 you’ll need to assess the impact of business and strategic decisions on your operational risk profile and operational resilience, and as part of your business and strategic planning processes. This must include an assessment of the impact of new products, services, geographies and technologies on your operational risk profile.

As noted in APRA’s Prudential Practice Guide, for activities associated with crypto-assets, operational risk management is particularly important, and encompasses heightened risks in relation to fraud, cyber, conduct, financial crime and technology. 

Under CPS 230, you should expect to:

• implement risk assessments across the whole entity, encompassing all business activities, products, and services;
• identify linkages across all components of the framework (risks, obligations, key data and controls);
• allocate risks and controls to owners at an appropriate level of seniority to manage the risks;
• keep clear records and substantiation of assessments, including information on actual events;
• implement clear escalation protocols for risks requiring Board and senior management action, including formal acceptance of risks and actions that are higher rated or exceeding appetite; and 
• aggregate data to support oversight by senior management and the Board

Under CPS 230 you must design, implement and embed internal controls to mitigate your operational risks in line with the organisation’s risk appetite. You must regularly monitor, review and test these controls for design and operating effectiveness. The results of this testing must be reported to senior management and any gaps or deficiencies in the control environment must be rectified in a timely manner. Finally, you must remediate material weaknesses in operational risk management, including controlling for gaps, weaknesses and failures.

In essence, operational risk controls are further delineated into 3 specific tasks: effectiveness, testing, and remediation.

Effectiveness 

CPS 230 requires the establishment of controls that are demonstratively effective at reducing operational risk. Controls must be vetted by appropriate managerial oversight, and consistently analysed against industry best practice.

Under CPS 230, you should expect to:

• develop criteria to ensure consistency of assessments across the entity;
• ensure complete capture of controls, including controls owned directly by the risk owner or by other owners, including related parties and by service providers;
• ensure the adequacy of coverage of controls, including preventative, detective and responsive controls;
• appropriately balance automated and manual controls;
• consider issues and incidents linked to controls, which can be indicators of weakness or gaps in the control environment;
• record the rationale for the control effectiveness assessment; and
• consider any recent changes in the environment or business strategies that could impact control effectiveness.

Control testing 

To tests controls to the level required by APRA, you’ll need to implement testing that is monitored to ensure completion, with exceptions identified, escalated and remediated. Testing will typically include the objectives, scope, approach, success criteria, frequency and roles and responsibilities for testing controls. It will be conducted by staff and teams that are independent of those with operational responsibility for the controls being validated.

Control remediation 

You will need to effectively implement required actions and responses to address identified control weaknesses. This will generally include consideration of:

1.  tactical responses: temporary controls and monitoring to ensure risks are appropriately mitigated until a strategic solution is implemented; and
2.  strategic solutions: changes to processes, people, and systems to improve the management of, and reduce the exposure to, operational risk on a sustainable basis.

Under CPS 230 you must ensure that operational risk incidents and near misses are identified, escalated, recorded and addressed in a timely manner. You must take incidents and near misses into account in your assessment of the organisation’s operational risk profile and control effectiveness in a timely manner. Finally, you must notify APRA as soon as possible, and not later than 72 hours, after becoming aware of an operational risk incident.

In finance even more so than other industries, senior management and Boards need to be fully informed of the risks that face the firm, including operational risk exposures. Operational risks in banking are potentially disastrous, both internally and externally, and can result from ostensibly minor events — from accounting or data entry errors, vendor disagreements, inaccurate or incomplete client records — to major events, such as cyber breaches, fraud, unlawful trading, or negligence.

These events can have catastrophic financial and reputational impacts. An effective operational risk program needs to provide transparency of operational risk exposure to allow senior management to ensure strategic business decisions are fully informed by any operational risk implications. CPS 230 is designed to mandate such operational risk programs, and to systematically embed processes that reduce operational risk. Given the timeline of implementation, with CPS 230 coming into effect in July 2025, financial institutions still have time to address the new requirements properly. Unfortunately, and as evidenced by similar experiments in Canada and the UK, companies that fail to act swiftly and put in place the right frameworks will face an uphill climb to meeting compliance in the coming 18 months, and likely waste a good deal of time and resources in the process.

There are any number of ways to begin to address the significant hurdles of CPS 230, and understandably many financial firms are still seeking out the best approaches. 

Girling [et al.] have examined just some of the approaches to one aspect of risk profiling — Scenario Analysis — and observe the spectrum of approaches being taken: 

To stick with Scenario Analysis, APRA underscores this process as a key part of meeting CPS 230 requirements. The Prudential Guide states that Scenario Analysis ‘enables an entity to consider potential changes to its operating environment and inherent risk profile.’ To this end, APRA expects that a prudent entity will ‘ensure that its scenarios provide sufficient coverage and adequate understanding of financial and operational resilience impacts from severe but plausible operational risk events.’ 

While workshops, text-based process documentation and process mapping (via diagrams and programs like Microsoft Visio) are useful in some instances, they are time and resource intensive, and while they are sufficient to describe processes, they fail to effectively implement change (nor, importantly, to assess the implications of potential change).

Holocentric’s suite of industry-leading tools are designed to make CPS compliance faster, easier, more robust, and to implement change now that will pay dividends over the long term.

In the case of Scenario Analysis, our tools allow teams to conduct regular scenario analysis with a few clicks, as well as risk profiling and assessments — not only demonstrating compliance externally, but reducing the workload for compliance internally.

Users have access to infinitely complex variables by which to measure the likely impact of potential changes within the organisation, from the loss or suspension of teams or team members, to the impact on one system based on the failure of another, to the financial costs or gains from implementing system changes across an organisation.

The financial services sector has until 1 July 2025 to fully comply with APRA’s CPS 230 cross-industry operational risk management standard. CPS 230 is non-negotiable for financial institutions. It requires entities to identify critical operations and document their processes and resources, including people, technology, information, facilities, and service providers. 

Key requirements of CPS 230 include the identification, assessment, and management of operational risks; a significant hurdle to overcome, particularly if financial service providers do not act soon. The requirements are complex: APRA mandates entities to demonstrate transparent risk management accountabilities, efficient operational risk processes, internal controls, and incident management procedures. 

The aid of technology solutions that provide streamlined, dynamic risk management will become increasingly vital to reduce strain on organisations, as they ensure compliance to CPS 230 in the coming 18 months. 

At Holocentric, we’re helping organisations meet CPS 230 requirements, enabling them to efficiently identify and document the processes and resources needed to deliver critical operations. We understand that CPS 230 compliance will be a significant undertaking, and are creating the tools to make life easier for those tasked with compliance. This not only saves valuable time and effort in the short term; it puts in place technology that will make compliance easier in the long run as prudential standards evolve.

• ⁠APRA, Prudential Practice Guide: Draft CPG 230 Operational Risk Management.
• ⁠APRA, Response Paper: Operational Risk Management, July 2023.