Spotlight on APRA’s Operational Risk Management Standard
The financial sector is evolving quickly thanks to rapid advancements in tech that promise new efficiencies and enhanced customer experience.
However, this greater reliance on technology brings with it an increased risk of supplier failure, service deterioration and concentration risk.
As even a minor disruption to financial services can have a significant impact on financial markets, individuals and businesses, the global regulatory landscape has to keep adapting in response. The latest proposed standard comes from the Australian Prudential Regulation Authority (APRA).
Wayne Scott, Regulatory Compliance Solutions lead at NCC Group Software Resilience, takes us through the key points of the proposals.
What is APRA’s plan?
APRA’s objective is to introduce a new prudential standard for operational risk that will require organisations to identify their service providers deemed as ‘material’ and take steps to manage the associated risks.
What should organisations be aware of?
There are three key areas for organisations to take into consideration in order to remain compliant with the new standard:
- They must maintain effective internal controls for operational risk, reflective of their size and complexity.
- They must also ensure that they are able to continue delivery of their critical operations if business disruption were to take place.
- Finally, they must prove that they can manage the risks associated with their use of service providers.
What are practical steps organisations can take to comply?
The new draft standard requires organisations to put business continuity plans in place. It also asks them to ensure, through legally binding agreements with material service providers, that those plans can be enacted.
We believe that the most effective way of managing operational risk is to embrace a ‘resilience by design’ approach. This would include looking to practical business continuity solutions such as software escrow agreements.
Software escrow agreements are one of the most effective, proportional and cost-efficient ways of enabling business continuity when it comes to material service providers. They offer a minimum level of resilience through legal and technical means. This means that business operations can continue while a service is being restored or alternative options are being implemented.
Many financial services firms already use escrow solutions as part of their business continuity planning when mitigating supplier risk. Some third-party service providers themselves have also opted to build these solutions into their offer to support their customers’ compliance with regulatory requirements. Meanwhile, regulators globally are advocating the use of software escrow as part of a proportionate risk management approach.
What happens next?
After reviewing industry feedback in response to the consultation, APRA expects to release the final standard early next year, before the new standard comes into force from 1 January 2024.
There is still a lack of widespread awareness of the benefits of software and technology escrow solutions, and the role they can play in addressing regulatory requirements on outsourcing and third-party risk management.
There is a role for regulators and policymakers, including APRA, to do more to promote and educate financial firms on the benefits of cloud, software and technology escrow solutions for addressing regulatory requirements on outsourcing and third-party risk management. A more widespread awareness of this, and clear guidance on how to implement it, would align with approaches taken by other regulators across the globe.
With the UK Prudential Regulation Authority (PRA), the Hong Kong Monetary Authority (HKMA) and the Monetary Authority of Singapore (MAS), to name a few, the financial services sector is taking leaps to manage operational risk. If regulators can keep up with the pace of advances in technology, it will be a time of innovation that is as resilient as it is exciting.