CPS230 not so FAR away

APRA have extended the CPS230 Operational Risk compliance date by 18 months, phew!

Parliament remains sitting on the FAR legislation (but not for long), double phew!

So with this newfound "luxury" of time, how could an Executive team use this to their advantage? We think it is by rethinking the pathway to compliance for these two regulatory changes. Of course compliance should be an outcome, but make sure it is only one of the outcomes.

How could your teams' effort to comply drive greater business benefit?

There are a few angles you could approach this from - but they all need a structured understanding of your business and some serious consideration of how you want to connect the dots.

  1. Uplift Risk Culture - Target activities to uplift 3 of APRA's 10 risk culture dimensions: (a) Responsibility and Accountability; (b) Risk Governance and Controls; (c) Risk Appetite and Strategy. All of these are termed "Architecture" dimensions, which form the basis of giving clarity to your teams.

  2. Embed Accountability - When you are preparing FAR accountability statements, don't just stop at the Accountable Persons. Go deeper into the organisation until you get to Process/Control Owners (maybe your "Heads of" or "Line Managers"?) and make sure these roles connect their control management activities to your Accountable Persons' reasonable steps. Leverage your 3 Lines teams to allocate resources effectively to testing, assurance and audit, giving challenge and comfort over reasonable steps.

  3. Process and Service Resilience - Are you digitising or trying to find ways to streamline cost to deliver services? If so, make sure you also incorporate compliance, operational risk and resiliency into your design considerations. It will save you dollars and time in the long run.

If you are considering how to tackle the "mandatory" risk work in the coming weeks or months, I would be happy to have a chat to you about your planning considerations.

Kate Gannon

Director, August Advisory

PS: For a little more explanation on our model to connect the dots, see below.

PPS: We have frameworks & tools - not just ideas - to help get you and your teams moving, too.

CONNECT ROLES + CONTROLS + PROCESS

CLEAR ACCOUNTABILITIES

Ensure your FAR program delivers an approach to administer and manage responsibilities across Board and Executive and embed them deeper into your leadership team, and is a key pillar in supporting a culture of accountability and risk-based decision making.

... supported by clear REASONABLE STEPS

The demonstrable actions taken individually or collectively by Board, Executives and key decision makers to meet their responsibilities with due care and expertise, including to prevent, detect and resolve problems.

CONTROL MANAGEMENT

A structured approach to set control expectations; classify control environments; identify, design and document controls; improve control efficiency and effectiveness; test, assure and monitor controls.

... supported by clear CONTROL OBJECTIVES

One or more objectives agreed to support the risk or compliance requirements of a given process, allowing process owners to improve the control environment within Board-approved appetite through process improvement or control optimisation.

PROCESS MANAGEMENT

An approach to classify processes, allocate process ownership, identify dependencies and structure risk, obligation and control management to support optimal resource allocation to deliver and enhance processes over time.

... supported by clear PERFORMANCE OBJECTIVES

A set of balanced objectives agreed to support enterprise, product, functional or process outcomes that are used to guide decision making by accountable managers within Board-approved Strategy.
