In a speech to the RMA Australia CRO Conference, Wayne Byres, Chair of the Australian Prudential Regulation Authority (APRA) set out his view of the key points of the regulator’s approach to operational resilience regulation.
In the speech Mr. Byres made it clear that APRA sees operational resilience as a method of responding to operational risks.
Key points from the speech include:
- COVID-19 drew sharp attention to operational resilience and ‘while some corners were cut in the haste to adapt, the operational resilience of the system held up well, as evidenced by the lack of any notable disruption to essential financial services’. However … ‘that reflected a trilogy of long-term planning and investment, on-the-spot ingenuity and judgement, and an element of luck. Our collective goal needs to always be to reduce our reliance on the latter’.
- The lessons from COVID-19 ‘have been important inputs into the design of our new prudential standard on operational resilience. Given that disruptions to financial services – even temporarily – can have a major detrimental impact on the community, Prudential Standard CPS 230 Operational Resilience seeks to ensure that financial institutions have robust frameworks in place to protect and preserve the reliability of their critical operations – for the benefit of their customers and the broader financial system.’
- In particular, CPS 230 establishes new requirements for each financial institution to:
  - Identify, assess and manage their operational risks, with effective internal controls, monitoring and remediation;
  - Be able to continue to deliver its critical operations within tolerance levels through severe disruptions; and
  - Effectively manage the risks associated with the increased usage of service providers, through a comprehensive service provider management policy, formal agreements and robust monitoring.
- A key element of the new standard is an increased emphasis on data and analytics to inform risk management and decision-making. For example, the standard requires each institution to:
  - Undertake an assessment of its operational risk profile, with a defined risk appetite supported by indicators and limits;
  - Maintain appropriate and effective information systems to monitor operational risk, compile and analyse operational risk data and facilitate reporting to the board and senior management; and
  - Ensure that operational risk incidents and near misses are identified, escalated, recorded and addressed in a timely manner.
- In terms of operational risk data, APRA has been examining the availability and quality of data at the largest institutions, including interrogating each institution’s own data from their governance, risk and compliance systems. ‘What we have seen is that … the challenge is less about a lack of data, and more about how to draw together a wide array of data – often produced at a quite granular level – to “join the dots” and produce information and insights that are useful for decision-makers.’
- In promoting a stronger focus on data, metrics, limits and tolerances, ‘we do not want to see executives and boards flooded with numbers. That would not be helpful. Rather, we need risk managers to use that information to provide meaningful insights. Doing so will aid the detection of genuine shortcomings and vulnerabilities, as well as improve the ability to take timely action to address the root cause of problems.’
- ‘Having emphasised how important the availability of good data is to risk management … it would obviously be a mistake to think that good data will solve all our collective challenges. It is necessary, but not sufficient. We also need risk managers with the requisite skills, knowledge and capability to make something of that data. If I could add to the list, they also need integrity to do what’s right, intuition to sense what’s wrong, and a healthy dose of courage to pursue both.’