Navigating compliance under CPS 230

Thursday, 01 February 2024

Sarah Mitchell & Daniel Delimihalis
Employment law and accountability specialists at King & Wood Mallesons

    How to navigate conduct, compliance and operational risk management under CPS 230.

    The Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Hayne Royal Commission) identified instances of operational risk management deficiencies across the financial services sector. The Australian Prudential Regulation Authority (APRA) further identified — in their consultation for prudential standard CPS 230 — recent operational risk challenges, including pandemics, technology risks and natural disasters, to emphasise the importance of organisations being able to manage and respond to operational risks.

    We examine three requirements of CPS 230 from a conduct and accountability perspective: the management of conduct risk as an operational risk issue, implementation of controls to manage operational risks and management of conduct risks arising from the use of material service providers.

        1. Conduct as an operational risk issue

    CPS 230 requires boards and senior managers of entities to set and maintain appropriate standards for conduct and compliance, reflecting that failed internal systems and poor conduct are drivers of operational risk.

    Key board responsibilities under CPS 230 include: accountability for oversight of operational risk management; setting clear roles and responsibilities for senior managers for operational risk management; overseeing operational risk management and the effectiveness of key internal controls in maintaining the firm’s operational risk profile within risk appetite; ensuring senior management takes action to address areas of concern; receiving regular updates on the organisation’s operational risk profile; and approving the service provider management policy and reviewing risk and performance reporting on material service providers.

    Senior management responsibilities include responsibility for operational risk management across the end-to-end process for all business operations, including legal, regulatory, compliance, conduct, technology, data and change management risk. (Note: this is not an exhaustive statement of responsibilities under CPS 230.)

    Boards and management need to ensure appropriate standards of conduct are maintained across the organisation, and operational risk frameworks clearly assign accountability for operational risk across three lines of defence and end-to-end business processes, including through value chains and accountability statements under the incoming financial accountability regime (FAR). It is also important to ensure appropriate consequences are applied for conduct that does not align with the organisation’s expectations and operational risk frameworks.

    Learnings leveraged from adverse risk events created by conduct risk failures will also be important in informing the design, operating effectiveness and ongoing oversight of operational risk management frameworks and related obligations, controls and reporting mechanisms.

        2. Implementation of controls

    A key component of CPS 230 is the requirement to implement controls to ensure compliance obligations are met, and operational risks are identified and mitigated. Entities are required to design, implement and embed controls to mitigate their operational risk in line with risk appetite and to meet compliance obligations.

    They will also have to regularly monitor, review and test controls for design and operating effectiveness. The frequency of testing must reflect the materiality of the risks being controlled, testing results must be reported to senior managers, and gaps in the control environment must be rectified in a timely manner. Finally, organisations will be required to remedy material weaknesses in their controls, including control gaps, weaknesses and failures.

    Ineffective controls that fail to identify misconduct and systems failures may develop into serious operational risk and create false confidence in the organisation’s ability to identify and monitor operational risks. This can happen, for example, where a control is not designed to appropriately test the underlying risk or compliance obligation, or does not enable testing via independent oversight to confirm its design and operating effectiveness. It can also happen where a “tick-a-box” approach is adopted to assess whether a control is designed and operates effectively, without holistic consideration of its design or of the underlying risks and matters it is meant to address.

    Adequate oversight by the second line is also critical to identifying control gaps and design failures. Risk management failures occur where the relationship between the control and the underlying risk has not been meaningfully examined, and where the operational risks of business activities have not been adequately assessed to determine whether control gaps exist.

        3. Material service providers

    CPS 230 requires entities to identify, assess, monitor and manage risks associated with the use of service providers and control effectiveness in managing the associated risk, including conduct risk, with reporting requirements to management. CPS 230 places a significant accountability mandate on senior management and organisations in relation to monitoring service providers’ compliance with the performance and risk management expectations of entities.

    Difficulties can arise when there is a set-and-forget attitude and the organisation fails to ensure, through proactive monitoring and effective controls, that outsourced functions are performed in accordance with the relevant service requirements or other obligations.

    There can also be problems when service providers resist change. It is not uncommon to experience pushback from service providers when they are required to meet higher compliance standards. Effective risk management is more challenging in these circumstances and it will be important to have appropriate levers in service agreements in line with CPS 230 for this reason.

    What boards should consider next

    Boards and management should be across their respective responsibilities under CPS 230 and ensure there are appropriate frameworks, systems, processes and reporting mechanisms in place to meet these responsibilities.

    Sarah Mitchell and Daniel Delimihalis are employment law and accountability specialists at King & Wood Mallesons.

    This article first appeared under the headline 'Risk Factors' in the February 2024 issue of Company Director magazine.
