Is your operational risk appetite wishful thinking?

This is one of the challenging questions that will hit the top of the 'hot topics pile' sooner or later for those preparing to comply with #CPS230. It's not easy to admit that you actually are operating with more operational risk than you have appetite for - but with higher onus on overseeing operational risk, the conversation is probably coming to a Board table near you.

Remember the 2019 ASIC Corporate Governance Taskforce? It noted this happened more often than not when it’s came to compliance risk (which APRA designates an operational risk under CPS230). In essence, they posed a challenge to be clear on whether your risk appetite was the desired-and-documented or the lived-and-tacitly-accepted one.

Some things to think about...

❓ Is your incidents rating scale calibrated so that the most severe are those that are likely to have material financial impact or material impact on critical operations?

❓ If your understanding of your control environment is limited or untested, and you have no or low operational risk appetite, are you
(a) preparing to be very good at remediation planning, execution and reporting as you document and test your controls? or
(b) looking to recalibrate your operational risk appetite with your Board? or
(c) seizing the opportunity to move to customer-centric, critical operations focus on controls and ultimately lean into a more comprehensive reset of your risk appetite? or
(d) something else?

🚩 CPS230 is swinging the pendulum. It asks for more granular reporting to the Board and APRA for material operational risks, done in the context of risk appetite, and especially for those processes that directly or indirectly impact customers.

🤞 Hopefully, this also swings the pendulum to tighter and earlier connection between process improvement (to products, services and operating models) and operational risk improvement.