AICD submission on APRA operational risk management standard

The AICD supported APRA’s objectives with CPS 230 to enhance the operational resilience of APRA entities and position them to respond to changes in technology and the operational risk environment. The AICD also supported replacing five existing prudential standards across the regulated industries with one cross-industry standard in CPS 230.

Additional key points raised in the submission were:

• support for the ‘Role of the Board’ provisions in CPS 230 noting that the board being ‘ultimately accountable’ and setting the roles and responsibilities of senior managers reflects existing governance practices at APRA entities;
• the Board should be able to delegate some of its responsibilities in respect of business continuity planning and material service providers to the Board Risk Committee;
• support for a proportionate model to application of the material service provider arrangements, based on the Significant Financial Institution distinction;
• expectations for ‘fourth party risk management’ are unclear and there is a limit to what an APRA entity can reasonably have oversight and influence on beyond the primary material service provider arrangement.
• The commencement timeline for CPS 230 should be extended to at least 18 months - 2 years from finalisation of the standard and guidance. Additionally, a transition period and/or grandfathering of existing service arrangements would recognise the significant industry disruption and resource burden that will be placed on entities to renegotiate contracts with material service providers.