Operational Risk Management - CPS 230
The Australian Prudential Regulation Authority (APRA) has released a guide that covers the new standard on Operational Risk Management - CPS 230. The standard came into force this month.
Although APRA’s standards are binding only on the entities it regulates in the Australian financial market (banks, insurers and superannuation funds), we think the standard and guide provide very good advice for most organisations that are concerned about their operational resilience.
The standard addresses the following:
The assessment and management of a wide range of operational risks, including legal, regulatory, compliance, conduct, technology, data and change management risks.
Business continuity and how organisations should identify time critical business activities and estimate their tolerance for having them unavailable. Importantly, the business continuity plan should document the recovery procedures and workarounds if any supporting resources (people, facilities and IT systems) become unavailable because of a disruption.
Development of a policy for dealing with material service providers. This policy should cover how to identify, manage and monitor the service providers that have a significant impact on the organisation’s operations. Organisations should also evaluate the risks posed by these service providers, sign formal contracts with them, track their performance and carefully manage any major changes in their arrangements.
Managing outsourced IT services
We find that many organisations have outsourced large parts of their IT infrastructure to service providers and as a result they have often yielded management and control to others.
This makes it challenging for the CIO to ensure that the recoverability of IT systems meets the needs of the business. Some Software as a Service vendors will not warrant a Recovery Time Objective (RTO) at all, so the time to recover is simply unknown. Often, the outsourced system (and its data) exists at only one location, making it a single point of failure.
It is critical that business management identifies the time critical activities and the maximum disruption each of them can tolerate. These requirements should be communicated to IT management, so that the critical IT systems, including outsourced ones and everything they depend on, have the necessary resilience to support the business during disruptions.
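As an added illustration of the comparison the last three paragraphs describe (not code from the article or from APRA), the following script takes a catalogue of supporting IT systems, each with the RTO its provider will warrant (or none), the number of independent locations it runs from, and what it depends on, and checks each time critical business activity against the tolerance the business has set. A system is only back when everything it depends on is back, so the achievable recovery time is propagated through the dependency chain; an unwarranted RTO anywhere in the chain makes the activity's recoverability unknown rather than silently acceptable. The systems, activities, tolerances and RTO figures are constructed sample data for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Resource:
    """A supporting IT system, in-house or outsourced (constructed example data)."""
    name: str
    warranted_rto_hours: Optional[float]   # None: the provider will not warrant an RTO
    locations: int                         # independent sites holding the system and its data
    depends_on: list[str] = field(default_factory=list)


@dataclass
class Activity:
    """A business activity and the tolerance the business set for its unavailability."""
    name: str
    tolerance_hours: float
    supported_by: list[str]


def effective_rto(name: str, catalogue: dict[str, Resource], seen: Optional[set[str]] = None) -> Optional[float]:
    """Recovery time the business can actually rely on for one resource.

    The effective RTO is the maximum over the resource itself and its whole
    dependency chain. Returns None as soon as any link has no warranted RTO.
    """
    seen = set() if seen is None else seen
    if name in seen:
        raise ValueError(f"dependency cycle at {name}")
    seen.add(name)
    res = catalogue[name]
    worst = res.warranted_rto_hours
    for dep in res.depends_on:
        dep_rto = effective_rto(dep, catalogue, seen.copy())
        if worst is None or dep_rto is None:
            return None
        worst = max(worst, dep_rto)
    return worst


def transitive_resources(roots: list[str], catalogue: dict[str, Resource]) -> list[str]:
    """Every resource an activity relies on, directly or through dependencies."""
    found: set[str] = set()
    stack = list(roots)
    while stack:
        name = stack.pop()
        if name not in found:
            found.add(name)
            stack.extend(catalogue[name].depends_on)
    return sorted(found)


def assess(activities: list[Activity], catalogue: dict[str, Resource]) -> dict[str, dict]:
    """Compare each activity's tolerance with what its supporting systems can deliver."""
    report = {}
    for act in activities:
        findings = []
        worst, unknown = 0.0, False
        for res_name in act.supported_by:
            rto = effective_rto(res_name, catalogue)
            if rto is None:
                unknown = True
            else:
                worst = max(worst, rto)
        for res_name in transitive_resources(act.supported_by, catalogue):
            res = catalogue[res_name]
            if res.warranted_rto_hours is None:
                findings.append(f"RTO_UNWARRANTED:{res.name}")
            if res.locations < 2:           # system and data exist at one site only
                findings.append(f"SINGLE_LOCATION:{res.name}")
        if unknown:
            status = "unknown"
        elif worst > act.tolerance_hours:
            status = "breach"
            findings.append(f"RTO_EXCEEDS_TOLERANCE:{worst:g}h>{act.tolerance_hours:g}h")
        else:
            status = "ok"
        report[act.name] = {
            "status": status,
            "effective_rto_hours": None if unknown else worst,
            "findings": sorted(findings),
        }
    return report


# Constructed sample catalogue: names, RTOs and site counts are illustrative only.
CATALOGUE = {
    "identity_provider": Resource("identity_provider", 1.0, 2),
    "core_banking": Resource("core_banking", 2.0, 2, depends_on=["identity_provider"]),
    "payments_saas": Resource("payments_saas", None, 1),      # vendor will not warrant an RTO
    "reporting_dw": Resource("reporting_dw", 24.0, 1),
}

ACTIVITIES = [
    Activity("Process customer payments", 4.0, ["core_banking", "payments_saas"]),
    Activity("Daily regulatory reporting", 48.0, ["reporting_dw", "core_banking"]),
    Activity("Customer login", 1.0, ["identity_provider", "core_banking"]),
]

REPORT = assess(ACTIVITIES, CATALOGUE)

if __name__ == "__main__":
    for activity, result in REPORT.items():
        print(f"{activity}: {result['status']} (effective RTO {result['effective_rto_hours']}h)")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

The point of the three outcomes is the one the text makes: a breach is visible to the CIO only once the business has stated a tolerance, a system whose vendor will not warrant an RTO cannot be reported as acceptable, and a single-location system is flagged even when its RTO looks fine on paper.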