An important driver behind the introduction of APRA's CPS 230 standard was the control failures observed in recent years. Effective controls management is a key component of CPS 230, with a clear expectation that your controls are implemented, well designed, and are regularly assessed to provide confidence that they are operating as intended.
In Protecht’s recent The road to CPS 230: Getting your operational risk controls in order webinar, we explored how you can develop your controls capability to enable effective management of your organisation's operational risk profile.
We had great feedback from our attendees, including the questions answered below. If you missed the webinar live, then you can view it on demand here:
Questions
Q1: Do you consider that FAR Reasonable Steps will uplift “evidence” of controls?
Q2: How would you go about creating new controls where none exist? Would the business create the control on their own or would they need to work with the Line 1 team?
Q3: Any suggestions on embedding CPS 230 within the business at the ground level?
Q4: How do you recommend documentation or monitoring of controls operated by third parties? What about fourth parties?
Q5: Do you have an opinion about the separation of duties regarding controls?
Q1: Do you consider that FAR Reasonable Steps will uplift “evidence” of controls?
Under FAR, an accountable entity must take reasonable steps to:
- Conduct its business with honesty and integrity, and with due skill, care and diligence
- Deal with the regulators in an open, constructive and cooperative way
- In conducting its business, prevent matters from arising that would adversely affect the accountable entity’s prudential standing or prudential reputation
- Ensure that each of its accountable persons meets their accountability obligations
- Ensure that each of its significant related entities (SREs) complies with the above
Similar obligations apply to accountable persons. Those people, and the entity, will want to demonstrate that they have taken those reasonable steps. The easiest way to do so is to retain some form of evidence.
For FAR, this goes beyond controls, but does include them. Aligned with CPS 230, evidence of controls demonstrates how material risks are being managed, while also demonstrating more broadly that the business is being conducted with due skill, care and diligence. Given the increase in accountability, it would not be surprising for those accountable people to embrace the ‘show me, don’t tell me’ mindset to increase their level of assurance.
Q2: How would you go about creating new controls where none exist? Would the business create the control on their own or would they need to work with the Line 1 team?
Line 1 should be aligned with the business, though their scope might sit across multiple business units, depending on the structure of your organisation. When no controls exist, the business should prompt creation of the control. This would typically be a manager or someone with responsibility for the risk or area that needs to ‘be controlled’. After all, they will need to implement the control, which may include resources and a budget.
Your Line 1 team may be better equipped to design controls, covering some of the components of good design that we touched on in the webinar. Line 1 might propose the control and how it might operate, and capture all of the information as part of your controls documentation process to ensure it is consistent. However, it will need buy-in from those who operate it. It might also need verification from the associated risk owner, as ultimately the risk is what is being managed.
Q3: Any suggestions on embedding CPS 230 within the business at the ground level?
This will depend on where you are in the maturity journey, but education, awareness and mindset shift may be what is needed. At a high level this could include:
- Why change is needed (the drivers of CPS 230, not ‘because the regulator said so’)
- Demonstrate the tone at the top (show that the executives and board want this to happen)
- Cover the mindset shift; focus on external impact for disruption, not internal impact
- In particular, focus on why critical operations are the centre of the operational risk profile, and how this will influence changes to current practice
Q4: How do you recommend documentation or monitoring of controls operated by third parties? What about fourth parties?
There are multiple ways you can consider monitoring of controls operated by third parties. Here are the main ones:
- Recorded like any other control in your control register. This is not common, and requires you to have sufficient transparency into the control so that you can assess it directly, even if the third party performs it
- The third party provides you evidence of their testing or assurance process, which you then update in your records. This is more typically aligned to vendor risk management
- The third party provides you evidence of testing performed by an independent assessor. This is typically aligned to vendor risk management
- Collection of metrics such as Key Controls Indicators. Unless you have direct visibility into these metrics, these are likely to be self-reported by the third party
- Attestations by the third party. These are typically the weakest level of assurance, but may be supported by some evidence
Taking that down another level to fourth parties becomes more challenging. Depending on the formal agreements in place, some of the above may still apply, or the evidence may be allowed to be shared across the supply chain. However, some organisations also have ‘trust centres’ where they are open and transparent about their control environment. They may have SOC reports or other independent assurance that is completed and uploaded into a portal that they make available.
Q5: Do you have an opinion about the separation of duties regarding controls?
I believe this relates to our discussion about the distinction between control owner, control operator and control tester, and the more general functions of identifying control improvements and then implementing them.
In some organisations, those roles will be combined or may differ across different parts of the organisation. The control owner is accountable for making sure the control is designed effectively, which may be different from someone (or a group of people) operating it. A good example is shared controls, such as where HR owns a control but it is operated by leaders across the organisation.
Ideally a control tester in Line 1 should be independent of the control operator. A control operator may make assumptions or take shortcuts, when a new set of eyes can more objectively identify potential control weaknesses.
As part of their ‘review and challenge’ role, Line 2 might identify potential improvements and suggest potential changes to control design, but the final decision, and the actual implementation should sit with Line 1.