Protecht recently delivered six hours of training on the APRA CPS 230 standard to over 40 attendees, hosted by David Tattam, Chief Research and Content Officer, Michael Howell, Research & Content Lead, and Hela Ebrahimi, Senior Risk Consultant.
Below are the polls we asked attendees during the training. We weren’t able to get to all questions asked during the training, so we’ve answered them below for everyone’s benefit. Polls were anonymous. Note that our attendees included some non-regulated entities, which may have influenced some results.
Polls
This poll was driven from a discussion about ensuring business continuity response considers the end-to-end value chain and avoids silo thinking. This shows a fair mix of how business continuity plans are currently implemented. I threw critical operations in as a red herring – while they are the centre of the operational risk profile, I don’t have confidence that this is the right approach, given the many-to-many relationships between critical operations and the underlying processes and resources that support them.
The response to this poll highlights the massive shift in mindset that is still needed, with only one respondent stating they measure customer impact directly. By way of example, if your impact measures are ‘X% of our customer base leave’ or ‘$X million in customer remediation’, you are measuring impact to the organisation, not the impact to the customer.
Another mindset shift required – though perhaps many have not yet turned to defining their tolerance levels, which may explain why so many have not yet defined material adverse impact. Of those that have, nearly all have defined criteria both for customers and their role in the financial system. Defining these will be essential in justifying the tolerance levels that are set.
This was perhaps a little more skewed to narrative than I expected, but I see that as a good thing. The all-hazards approach (responding to a lack of a type of resource regardless of why) has its place, but narratives and events help to stress response capability, particularly to help identify when some of our responses might not be effective and how we can adapt them.
We expect these responses are based on where many are in their CPS 230 journey. While there is an expectation to have identified your material service providers, nailing down the related processes to adopt moving forward – particularly related to controls and ongoing assurance over material service providers – will take some time and thought.
A bit of a spread here, but notably over half are still (or need to start) identifying their material service providers. APRA had previously laid down an expectation (not an enforceable one, mind you) that they should be identified by 30 June, so there is still some work to be done here.
The lack of integration isn’t surprising to us. This is an area we advocate for: using consistent processes, libraries and tools to improve integration and streamline processes. CPS 230 doesn’t require 3 distinct disciplines – it is an integrated whole that aligns. It’s great to see more than half have some level of integration, and I’m sure focus will only increase, not only as we approach the implementation deadline, but with continued improvement beyond it.
Questions
Q1: What % of the critical operations/processes should be tested in each scenario cycle for the business continuity requirements?
Q2: Would the ERM business unit be an internal material service provider if there is an agreement between the BU entity and another entity within the same company?
Q3: We are having a debate about whether a power supplier can be considered an MSP as they impact on the provision of all of our critical operations.
Q4: Do you have a view on how best to capture fourth party providers? Do we rely on third party providers to give us this?
Q5: When we document MSP management/policies in the register, do we include contingencies if they don't provide designated services?
Q6: What's your view on having a concise policy for the board to be aware of key governance requirements and high-level risk and reward and then support that policy with standards/procedures?
Q7: Any suggestions for working with MSP who are pushing back on the APRA access?
Q8: Is there an expectation in CPS 230 that we need to also look into people measures/capabilities internally, e.g. knowledge management, skills sharing & transfer, etc.?
Q9: We have a lot of mortgage brokers, probably hundreds. How should we address the materiality requirements of Sec 50(a) in CPS 230 in relation to mortgage brokerage?
Q10: Should internal audit review all our existing material suppliers as well as the ones we have now identified as Material Service Providers under CPS 230?
Q11: Lots of terminology with standards, such as criticality, materiality, key, etc. Any guidance on defining these?
Q12: The Accountable Person needs to have visibility of the health of controls whether their business unit is responsible for performance or not. Linking their risk to the controls that manage it is one way, is there any other way they can get visibility?
Q1: What % of the critical operations/processes should be tested in each scenario cycle for the business continuity requirements?
There is no perfect answer, and it needs to be principles-based. In their guidance, APRA include a 3-year cycle. It’s only a soft suggestion, but I think it is a good starting point. APRA requires an annual business continuity exercise as a minimum, but proportionality applies. If you do only run one major exercise each year, you should support it with sufficient desktop reviews. Some of those exercises will cover more than one critical operation; some might focus on a specific one.
I would propose that your 3-year cycle (or other chosen timeframe) should include not only each critical operation, but each of the different tolerance level types as well. This will take some forward planning, but ensure your planning remains dynamic enough to adapt to the changing business environment.
Q2: Would the ERM business unit be an internal material service provider if there is an agreement between the BU entity and another entity within the same company?
[In relation to risk management being a listed material arrangement if provided by a service provider]
If they are internal they may not be a material service provider, but in its recent response to industry when it launched the CPG 230 guidance, APRA suggested that you still need to manage material risks across the organisation. This should include service level agreements between business units.
Q3: We are having a debate about whether a power supplier can be considered an MSP as they impact on the provision of all of our critical operations.
There are some fundamental resources and services we all rely on, particularly power and telecommunications. On the one hand, they could argue that they don’t directly support any financial services. On the other, they are absolutely critical.
My guess is that asking APRA will have you reflect the question back at yourself – what do you think? My suggestion would be to assume they are and enter discussions with them on that basis, and adapt as needed. You probably won’t be the first to ask them.
Q4: Do you have a view on how best to capture fourth party providers? Do we rely on third party providers to give us this?
As a first port of call, yes. I expect many third parties are likely to provide at least the names of their own critical third parties, and perhaps some information about the nature of the arrangement.
Some of your third party providers may have SOC 2 Type 2 reports that provide information about their fourth parties. There are also some other monitoring tools out there that can identify fourth parties from publicly available information; you might consider these as well.
Q5: When we document MSP management/policies in the register, do we include contingencies if they don't provide designated services?
I assume this means that the material services they provide can no longer be provided. You should capture contingencies if you’ve developed them (e.g. alternate suppliers on standby you activate). There isn’t a prescribed way you need to do this. If you have mapped a library of resources, you could link those contingencies to that library, or those contingencies might be included as part of your business continuity plans directly. As long as it supports the outcome – enacting that contingency effectively – you have some discretion here.
Q6: What's your view on having a concise policy for the board to be aware of key governance requirements and high-level risk and reward and then support that policy with standards/procedures?
As long as the policy sets the appropriate boundaries within which management standards and procedures can be developed, this can work. A litmus test for those more detailed documents would be to consider whether the board might be surprised by their contents. The high level policy needs to set direction and support decision making.
Regarding service provider policy and procedure – CPS 231 is in force until 30 June 2025 before CPS 230 comes in. Do you try and balance both until 30 June 2025, or just introduce CPS 230 ASAP and stop using CPS 231 now?
We suggest working with CPS 230 front of mind. If you developed something purely for CPS 230, it will likely meet the majority of CPS 231. For completeness, we recommend ensuring there are no gaps, but try and address both.
Q7: Any suggestions for working with MSP who are pushing back on the APRA access?
The first question is, why are they pushing back? Ideally they should not have anything to hide. That said, we appreciate that it can lead to discussion about regulatory burden and on-costs. I have no insights into when APRA might activate these clauses, but try and focus on the positive.
Q8: Is there an expectation in CPS 230 that we need to also look into people measures/capabilities internally, e.g. knowledge management, skills sharing & transfer, etc.?
There is no direct expectation. However, if these enhance your ability to manage risk or there is a business benefit, then by all means you can implement them. You need to understand the resources required to support your critical operations – you could say that this is an extension of understanding your people requirements. As noted later by the person asking this question, they found this extremely useful when people moved roles, to ensure that roles and responsibilities were well understood and that skills were transferred appropriately.
Q9: We have a lot of mortgage brokers, probably hundreds. How should we address the materiality requirements of Sec 50(a) in CPS 230 in relation to mortgage brokerage?
This was the requirement for ADIs to classify mortgage brokerage as a material service provider unless it can justify otherwise. This was answered to a degree by APRA’s most recent response to consultation on CPG 230. They advised that where there are cohorts of service providers, they may not need to be individually captured as material service providers, but you will need to manage material risks they collectively pose.
APRA don’t provide anything prescriptive in this regard. My suggestion would be to capture the material risks that all mortgage brokers pose as part of your operational risk profile. In particular, consider systemic issues that might affect all mortgage brokers. Two that quickly come to mind are compliance issues (systemic conduct issues in the sector), or concentration risk in the sector, such as all mortgage brokers relying on the same fourth parties.
Q10: Should internal audit review all our existing material suppliers as well as the ones we have now identified as Material Service Providers under CPS 230?
The only requirement for internal audit in CPS 230 related to material service providers is for them to review proposed outsourcing arrangements. Beyond that, internal audit should take a risk-based approach to their audit program – what assurance does the board need? This might include an assessment of the material service provider policy, and assessing whether it is being applied in practice. Part of that assessment could include a review of service providers not currently classified as material.
Q11: Lots of terminology with standards, such as criticality, materiality, key, etc. Any guidance on defining these?
Some terms in the standard, or commonly used terminology even if not directly part of the standard, may not be defined. The concept of material adverse impact was one we covered in more detail during the training. In these circumstances, you will need to define what they mean to you, and how they will be consistently used.
Q12: The Accountable Person needs to have visibility of the health of controls whether their business unit is responsible for performance or not. Linking their risk to the controls that manage it is one way, is there any other way they can get visibility?
During the training, we crossed briefly into the overlap with the Financial Accountability Regime. One overarching challenge organisations will need to solve is – how do accountable people see all of the information they need to discharge their responsibilities and make informed decisions?
The answer may depend on your framework, and more specifically how you might link data together. Linking an accountable person to a control (in addition to control owners, operators etc.) is an option. Another option is to link the accountable person to a risk, as long as the relevant controls are linked to that risk. It depends on what is required to be achieved.
Conclusions and next steps for your organisation
You can read our CPS 230 white paper that covers how Protecht can help you with your CPS 230 implementation, including how our Protecht ERM system can help support your CPS 230 implementation, the consulting services we can provide in terms of planning and documentation, and the training we can provide for staff in risk and resilience.
Find out more about how Protecht ERM can support your transition to CPS 230 compliance. Schedule a product demo or an introductory phone call today to see how our comprehensive risk management solution can enhance your organisation’s resilience and operational effectiveness: