In a speech late last month, Therese McCarthy Hockey, an Executive Board Member at the Australian Prudential Regulation Authority (APRA), explained that the regulator will punish deficiencies in operational resilience and governance in the transition to the regulator's new prudential standard on operational risk management.
The new standard, CPS 230, sets out expectations for regulated entities to manage operational risks, including cyber and reputational risks, more effectively. While CPS 230 does not come into full effect until July 2025, APRA will assess entities' preparedness for the requirements throughout 2024. "Prudent boards should not be waiting until the new year to start thinking about how to meet their new commitments," Hockey said. "They need to move now."
In this transition, APRA expects boards to focus on three key actions:
- Putting the right governance arrangements in place;
- Identifying critical operations and material service providers; and
- Beginning to develop a new organizational mindset.
Throughout the process, governance will be a critical aspect of APRA's engagement with entities. The regulator will look to ensure the governance of the change management process is robust, as this will be essential to implementing the new standard successfully.
"APRA has delivered a longer-than-usual implementation period for our new standard on operational resilience given the scale of the change – now it's up to banks, insurers and super trustees to deliver on the new requirements," she concluded. "Should they fail to do so, don't be surprised to see APRA apply a little heat of its own."