Decoding APRA’s 5 Year Corporate Plan
Updated: Mar 19
Like many of us, the Australian financial system has faced numerous challenges during the past year. As an independent statutory authority, the Australian Prudential Regulation Authority (APRA) plays an important role in protecting the financial wellbeing of the Australian community. Its role is to oversee the prudent management of regulated institutions, so that they can reasonably meet their financial obligations to customers.
What’s reasonable? Well, not living in fear of a major cyber security breach for a start. However, that eventuality has been increasingly likely for some years now since the acceleration of cloud based services for business.
Also reasonable, now more than ever, is for customers to receive services that focus on their best interests and not those of the service provider. Transparency is the only way to ensure that happens.
Reducing the risk profile of financial service organisations
Needless to say, APRA felt it necessary to introduce a new set of mandates to its membership of regulated entities. These are obligations intended to reduce organisations’ risk profiles. Broadly speaking, APRA requires of the businesses under its governance, which include banks, credit unions and other authorised deposit taking institutions (ADIs), superannuation funds, life insurance companies, friendly societies, general insurers, non-operating holding companies and private health insurers, the following:
Well maintained resilience
Improved outcomes for superannuation members
Transformation of governance, culture, remuneration and accountability
Improved cyber resilience across the financial system.
The plan sets out APRA’s strategic objectives over five years, paying particular attention to the immediate priorities over the next 12-18 months. Given the continued high level of uncertainty in the operating environment, APRA has embedded some flexibility in the latter years of the plan with respect to the timing of planned deliverables.
What does the next year and a half have in store for APRA organisations? Let’s take a look at the broad categories listed above in real terms.
Financial service organisations must be resilient, says APRA. It’s referring to the operational systems and processes that ensure business continuity in unusual circumstances. Can there be any circumstances more unusual than a pandemic? One that came on the heels of Australia’s most devastating bushfires, too! Like it or not, these conditions have adverse effects on the market, with service providers and their third party suppliers exposed to increasing risk of failure. Therefore, there must be recognition of risk and contingency planning to mitigate it, says APRA.
A key takeaway for businesses is to improve their board risk reporting. It’s a contentious issue. If risk reporting is too detailed, will it be consumed and acted upon? Too little and are we exposed?
Our recommendation and the methodology we put in practice for our clients is to conduct a thorough risk scoring exercise across the organisation to understand precisely where your biggest risk lies. It should be correlated with your business objectives, giving you adequate context for presenting to the board the risks that could most benefit from their knowledge and expertise in ways that safeguard organisational value. Remember, APRA is making board directors personally responsible for risk, with the prospect of individual as well as corporate fines for those not adequately managed.
Equally, it pays to have in place a plan for all types of risk, including clear escalation paths. Most importantly, risk assessment is not a set and forget exercise. Appointing an agency to support your ongoing risk program in the same way that you might engage a website manager to keep your digital presence up and running is simply smart business.
Improved outcomes for customers
While super is under the microscope when it comes to outcomes, this actually applies to everyone. It stands to reason that investment risk is a factor in industries that invest on behalf of their members. Equally important is the viability of those companies that people trust with their money. Once again it comes back to data collection and an organisation’s ability to spot and mitigate risk before it gains an impact foothold on members.
Governance, culture and accountability
This is a big nut to crack. APRA is not just demanding a change in behaviour but a change in collective mindset when it comes to Governance, Risk & Compliance (GRC). Effectively, it’s requiring organisations to implement and maintain a GRC-first culture throughout every function, and through the entire supply chain.
This means risk can’t be an item on a company’s checklist. It can’t be done on a shoestring just because Go-To-Market has far more exciting uses for funding. It can’t be piled onto the shoulders of one person in the hope that they will keep you in the clear. It must be institutionalised on a grand scale.
This means better and properly maintained employee protocols and cyber-security awareness programs. It relies on the transparent communication of risk, as well as the policies that address risk from department to department. It requires risk to truly be a whole of business challenge, collectively owned by everyone in the organisation and ecosystem.
Where do you even start when it comes to enforcing a GRC-first culture?
Well, it starts with a GRC strategy. This is not a one size fits all plan. One organization’s perception of risk will be vastly different to another’s. Conducting an analysis of risk across the business and a gap assessment gives you the foundation you need to devise a strategy that works for you.
Setting this in motion requires the right tools or solution. A GRC solution that lets you create and coordinate meaningful policies, controls and maps them to regulatory compliance requirements and automates as many processes as possible to ensure your risk posture can be calculated in real time, on an ongoing basis, is a massive advantage. Not to mention a time and cost saver when it comes to executing what can be otherwise a labour intensive program.
Garnering the advice of GRC experts outside of the corporate ‘forest’ i.e., that can see the woods for the trees, is also a really clever idea for devising the right strategy and for helping with change management.
Finally, while there should be a clear owner of your GRC strategy (over and above giving your poor, stretched head of IT yet another hat to wear), creating a GRC culture depends on input from board members including the CIO and CFO, Human Resources leaders and probably also Legal.
If there’s a shiny penny in the pot, it’s cyber resilience, in that it gets the most media attention therefore the most corporate attention. People flock to it. Cyber security attacks on banks rose 238% between February and April 2020 according to a study by VMware. Understandably it’s got everyone feeling shaken up.
Still there’s an inherent risk of perceiving APRA compliance solely as compliance with APRA’s cyber security mandates. This causes some enterprises to throw large investments into security software without first accurately assessing what’s needed. Spending $3,000 per employee on endpoint and network security, identity and access management, isn’t going to set you straight with APRA if those solutions are not precisely what you need. There’s a faster path to cyber resilience.
APRA outlines its cyber security expectations within the new Prudential Standard CPS 234. Its purpose is to ensure APRA-regulated entities have sufficient infosec protection in place. As of 1 July 2020, third parties that handle information assets relating to APRA regulated entities also need to adhere to CPS 234 standards, producing proof of security controls whenever requested by the APRA regulated entity.
CPS 234 also states:
Board executives must assume accountability for cyber security and are personally liable for non-compliance
Roles and responsibilities must be clearly defined in relation to governance
Information security aligned with an organisation’s threat posture must be implemented and continuously maintained
Third parties must be compliant with CPS 234 requirements
An information security policy framework must be clearly defined to provide cyber security direction
Regular audit and classification of information assets must be undertaken to understand their criticality and sensitivity (therefore risk impact)
An incident management plan must be deployed and tested annually
Control effectiveness must be regularly tested for reassurance that vulnerabilities and threats can be appropriately identified and managed
APRA must be notified within 72 hours of a cyber security incident with the potential to negatively impact customers and other stakeholders
APRA must be notified within 10 business days regarding a control weakness that the organisation is unable to remediate quickly.
This list seems overwhelming. But in fact, there’s a science, backed by world class GRC technology, available to help organisations sail through these points seamlessly. Most importantly, rapidly.
Steps to CPS 234 compliance
Assess Gaps. It starts with a simple gap assessment. Know what you don’t know. And that means your compliance gaps that leave you open to cyber threats.
Review APRA’s cyber security framework against your own and make changes
Ensure your framework extends to third parties
Benchmark the results of your testing program for measuring improvements and spotting troubling indicators early
Automate as many compliance processes as possible to make sure you don’t get left behind. That means deploying world class GRC platform technology.
Ask an expert. Not only is it well advised to lean on people who make compliance their entire world, APRA requires that an organisation’s cyber resilience protocols be independently assessed.
Five year road to being operationally better
There’s no doubt that APRA’s five year plan has bitten some organisations square in the behind. Many more welcome the opportunity to shake off any reputation damage from the past and establish a strong relationship of trust going forward into the future. All are seeking a fast and simple path to compliance.
If FirmGuard’s expert advisory team can help you with your APRA compliance questions, please don’t hesitate to contact us for a no obligation chat.