Will APRA’s new focus on resilience help banks through ‘the next COVID’?
Will the COVID-19 pandemic strengthen the resilience of Australian banks and financial services companies to internal and external threats in the long term?

That’s the confident prediction of risk and governance consultants at Protiviti, who see a series of policy and supervision priorities announced by the Australian Prudential Regulation Authority (APRA) last month as a determined move to address vulnerabilities in a less predictable – and more digital – future.[1] Like financial regulators in the UK and elsewhere, APRA is using the lessons of the pandemic to strengthen the operational and financial resilience of Australia’s entire financial services system.

APRA’s announcement encourages regulated financial institutions to take part in a series of national consultations to pave the way for stronger regulatory standards on crisis preparedness, including new requirements on recovery and resolution, and revised standards on governance, risk management and operational risk. APRA will also revise existing standards on outsourcing (CPS 231) and business continuity management (CPS 232). These standards along with CPS 234 and the new operational risk standard will form part of a suite of standards under the umbrella of ‘operational resilience.’

This move will help APRA-regulated entities and their sourcing partners to respond more effectively as the pandemic evolves. APRA’s actions closely resemble the stance on operational resilience already adopted by the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority in the UK.

What is operational resilience?

Operational resilience refers to an organisation’s ability to continue providing critical or important business services when faced with a sudden shock or operational disruption.[2] COVID-19 was a classic external shock, forcing banks and other financial companies to adjust rapidly to a new operational and digital landscape, as well as the challenges of multi-site remote working.

APRA’s newly published papers suggest that the authority is seeking to redefine operational resilience to include many areas beyond traditional business continuity – including technology and information security risks, cyber-resilience, third-party risks, disaster recovery, governance, training, and awareness.

It’s not just about getting systems back up after a disruption, but about having robust preventative, monitoring and reporting measures in place to respond promptly to extreme but plausible threat events. It’s also about understanding and mapping critical processes, systems and third parties to critical services, uniting different risk management disciplines across an organisation, and overcoming the silos that remain all too prevalent in many financial institutions.

As part of its wider cyber security strategy, APRA will also enhance its supervisory and oversight actions, including:

  • Tasking regulated institutions to undertake independent (tripartite) audits across their cyber resilience and response arrangements to demonstrate compliance with CPS 234;
  • Launching a pilot cyber information-sharing project to improve industry situational awareness;
  • Using the Council of Financial Regulators’ Cyber Operational Resilience Intelligence-led Exercises (CORIE) framework[3] to test the maturity of financial institutions’ cyber practices by simulating the tactics, techniques and procedures (TTPs) of real-life cyber threats to identify systemic and structural weaknesses that may present a risk to financial markets.

Advice on the frontline

The new regulations will mean that it’s increasingly important to get processes, systems and controls reviewed by an APRA-regulated institution that not only understands the operation and governance of specific services, but the channels, mechanisms and technologies through which they are delivered.

“In such an interconnected sector, banks, insurance and superannuation companies are often plugged into the same networks, using the same suppliers, and ultimately facing the same risks which are managed by a third party,” says Hirun Tantirigama, Protiviti’s APAC operational resilience subject matter expert. “No matter how protected your business may be, a vulnerability in a third-party supplier can wind up having major implications for everyone in your supply chain.”

Tantirigama says the transition to remote operating environments – both for staff and customers – has also raised a host of challenges since the beginning of last year. “Remote working has really tested many companies’ risk management activities, and they’ve realised they can no longer look at their operational risks in isolation – they need to take a more holistic view of all their enterprise risk and resilience arrangements.”

APRA’s publication of supervisory and policy priorities and consultation on new resilience standards are certainly encouraging steps in strengthening the resilience of Australia’s financial system. Both financial institutions and third-party providers will need to get on the front foot about bringing their risk and resilience arrangements into line with their risk appetites, and addressing any structural and control weaknesses before the regulators come knocking.

Protiviti has extensive experience working across the financial sector – from banks and insurance companies to super funds and asset managers – and ensuring their resilience planning and strategies comply with regulatory expectations and standards. Through the design, testing and implementation of tailored resilience plans, Protiviti’s consultants help organisations strengthen their operational resilience arrangements, including business continuity management activities, IT disaster recovery, third party and supplier management, and cybersecurity incident response programs. They also provide assurance over operational resilience programs, and plan and execute crisis simulations to raise Board and executive awareness in this highly demanding field.

Visit www.protiviti.com/AU-en/operational-resilience to access Protiviti’s operational resilience framework and additional thought leadership on the topic.

[1] https://www.apra.gov.au/news-and-publications/apras-2021-supervision-and-policy-priorities

[2] https://www.protiviti.com/AU-en/operational-resilience

[3] The CORIE framework was launched to test the cyber resilience of Australia’s financial services industry.

Edited 20/03/2021