13/11/2023

Today marks 596 days until the commencement of APRA Prudential Standard CPS 230 Operational Risk Management (CPS 230).

While that number sounds like there remains adequate time to prepare, many APRA regulated firms have already started implementing the principles of CPS 230 and are reaping the operational benefits.

The Singtel Optus Pty Limited (Optus) outage on 8 November 2023, together with APRA Executive Board Member Therese McCarthy Hockey’s statement that “CPS 230 is designed to light a fire under our regulated entities”, should focus the remaining APRA-regulated firms on taking action to prepare for CPS 230.

Our insights arising from the speech of Ms McCarthy Hockey are here: ‘APRA enforcement of operational resilience & cyber preparedness’.

When it comes to severe disruptions to critical operations, the Optus outage shows us that:

It is not a matter of ‘if’, but ‘when’.

While Optus is not an APRA-regulated entity, the Optus outage offers lessons on how APRA-regulated entities should handle disruptions in order to meet CPS 230.

Key takeaways of CPS 230

  • CPS 230 will replace five existing prudential standards on outsourcing and business continuity (CPS 231 Outsourcing, CPS 232 Business Continuity and the equivalent prudential standards in the superannuation and private health insurance industries, being SPS 231, SPS 232 and HPS 231).
  • The purpose of CPS 230 is to require APRA-regulated entities to strengthen their management of operational risk, respond appropriately to business disruptions and to manage the risks associated with the use of material service providers.
  • The Prudential Practice Guide to accompany CPS 230 is still in draft. The consultation on this draft closed on 13 October 2023.
  • CPS 230 will put in place new requirements for private health insurers on business continuity. Private health insurers are not currently subject to business continuity obligations imposed on financial institutions and Registrable Superannuation Entity (RSE) licensees under CPS 232 and SPS 232 respectively.
  • CPS 230 will apply to APRA-regulated entities from 1 July 2025, namely:
    • authorised deposit-taking institutions (ADIs);
    • general insurers;
    • life insurers;
    • private health insurers;
    • RSE licensees; and
    • authorised or registered non-operating holding companies.
  • Organisations that are not directly regulated by APRA may still be impacted by CPS 230. For example, they may be contractually bound to comply with certain obligations under CPS 230 through their service arrangements with APRA-regulated entities.
  • Existing risk management prudential standards state that the ‘Board is ultimately responsible for’ certain matters. In CPS 230, this language has changed to the ‘Board is ultimately accountable for’. That change speaks to the requirements in the forthcoming Financial Accountability Regime (FAR) for APRA-regulated entities, which is anticipated to require such entities to identify Accountable Persons with responsibility for operational risk management (for more information see ‘ASIC and APRA consult on FAR | Intensifying the spotlight on bank directors and senior executives’).

The Optus Outage – a matter of when, not if

On 8 November 2023, Optus experienced a nationwide outage. The outage commenced at around 4am, with gradual restoration from 12pm. At 1:30pm, Optus provided its first public notice on its website stating that some internet and phone services were gradually being restored. Optus apologised for ‘the nationwide service outage that occurred this morning’. At 6:32pm Optus announced that the Optus network had been fully restored.

The full impact of the Optus outage remains to be assessed, but it has resulted in considerable disruption to a wide range of parties, from public transport systems and hospitals to businesses and consumers. Below we consider the lessons to be learnt from the Optus outage for APRA-regulated entities from an operational risk, business continuity and material service provider perspective.

Operational risk management

CPS 230 requires APRA-regulated entities to manage the full range of operational risks, including (but not limited to) legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk and change management risk. Senior management are responsible for end-to-end operational risk management for all business operations.

When APRA-regulated entities are proposing to enter into a material service provider arrangement for a core technology service like telecommunications, the APRA-regulated entity must have due regard to whether it will continue to meet its prudential obligations should the material service provider experience an outage.

For example, an ADI should consider in its risk assessment the circumstances in which a telecommunications outage could occur and the impact such an outage would have on the ADI’s continuing obligation to meet the prudential standards.

Action Point: APRA-regulated entities should put in place robust frameworks, processes and controls to manage technology risks. This may include plans for alternative service provision in the event of prolonged disruption.

Business continuity management

CPS 230 requires each APRA-regulated entity to identify its critical operations and establish tolerance levels for:

  • the maximum period of time the entity would tolerate a disruption to the operation;
  • the maximum extent of data loss the entity would accept as a result of a disruption; and
  • minimum service levels the entity would maintain while operating under alternative arrangements during a disruption.

If there has been a disruption to a critical operation outside the tolerance level, an APRA-regulated entity is required to notify APRA as soon as possible, and no later than 24 hours after the disruption has occurred. In addition, an APRA-regulated entity must activate its Business Continuity Plan (BCP) if needed in the event of a disruption and return to normal operations promptly after a disruption is over.

A BCP should include, among other things, a customer communications strategy. In the Optus outage, there was an initial lack of clarity on the reasons for the outage. No information was provided to customers until 1:30pm, despite the outage commencing in the early hours of 8 November. No further communication was sent directly to customers via text or email outlining how long the disruption was expected to last.

Action Point: An APRA-regulated entity’s actions in the first 24 hours are critical. While some limited time to ascertain the nature of the disruption is reasonable, APRA-regulated entities must be ready to activate their BCPs and communicate in a timely manner with customers, APRA and the public (including the press).

Material service providers

An APRA-regulated entity must identify its material service providers. Material service providers are defined in CPS 230 as those on which the entity relies to undertake a critical operation, or that expose it to material operational risk. A material service provider may be a third party, a related party or a connected entity.

CPS 230 deems a provider of core technology services to be a material service provider unless the APRA-regulated entity can justify otherwise.

Through its material arrangement (e.g. a contract) with a material service provider, the APRA-regulated entity must:

  • identify and manage risks that could affect the ability of the service provider to provide the service on an ongoing basis;
  • identify and manage risks to the APRA-regulated entity that could result from the arrangement, such as step-in risk or contagion risk;
  • ensure it can execute its BCP if needed; and
  • ensure it can conduct an orderly exit from the arrangement if needed.

Had CPS 230 applied on the day of the Optus outage, an APRA-regulated entity that relied on Optus for core technology services would likely have been required to activate its BCP and the other contingency measures under its material arrangement with Optus.

Action Point: When reviewing contracts and other such arrangements with material service providers in preparation for CPS 230, APRA-regulated entities should establish the basis for ongoing monitoring and supervision of the provider. This is important in meeting the requirement to assess the material service provider’s performance (including against agreed service levels) and the effectiveness of the service provider’s controls.

How we can help

G+T has extensive knowledge and experience of CPS 230. We regularly advise on the end-to-end management of operational risk in accordance with the standard, including drafting, reviewing and negotiating contractual arrangements with service providers, and uplifting and implementing risk and compliance frameworks to embed the requirements of CPS 230.

For more information or assistance, contact our experts.
