In March 2021, the Basel Committee on Banking Supervision released their revision to Principles of Operational Resilience. This has since been used as a guidance for other supervisors and regulators globally into issuing standards into their local jurisdictions.
Since the 2021 Basel Committee publication, the global landscape has faced a series of events that continue to challenge the operational resilience of financial institutions and ensuring stability.
Managing operational risk has emerged as a pivotal element within organizations’ broader risk management strategies. In Australia, the Australian Prudential Regulation Authority (APRA) has finalized the new prudential standard, CPS 230, which sets forth comprehensive guidelines for regulated entities to proactively identify, evaluate, and mitigate operational risks, slated to take effect on July 1, 2025.
One of the primary challenges confronting organizations lies in adopting a enterprise-wide holistic approach to capturing and monitoring controls to gain meaningful insights into their operations. Common pain points include fragmented processes and data, as well as the need for a unified and consistent methodology for assessing both first-line (L1) and second-line (L2) risks.
In collaboration with ServiceNow, NixoraGroup launches a new application designed to aid clients on their journey towards operational resilience. The Control Assurance application plays a pivatol role in achieving and upholding compliance with CPS 230 by delivering impartial and rigorous validation of an organization’s internal controls’ effectiveness.
Control Assurance: A Pillar of CPS 230 Compliance
Control Assurance encompasses the systematic and ongoing evaluation of the effectiveness of internal controls in mitigating operational risks.
Features include:
ü Assessing the design, implementation, and operating effectiveness of controls;
ü Identifying weaknesses or gaps;
ü Recommending corrective actions.
By providing an independent assessment of the control environment, control assurance helps organizations ensure that their operational risks are managed effectively and that they are in compliance with CPS 230 requirements.
Key Benefits of Control Assurance for CPS 230 Compliance
- Enhanced Risk Identification and Assessment: Control assurance helps organizations identify and assess operational risks more effectively by providing a comprehensive understanding of the control environment. This allows organizations to prioritize risk mitigation efforts and focus on areas with the highest potential for loss.
- Improved Control Design and Implementation: Control assurance provides valuable insights into the design and implementation of internal controls. By identifying weaknesses or gaps in controls, organizations can make necessary improvements to strengthen their risk mitigation strategy.
- Demonstrated Compliance with CPS 230: Control assurance provides auditable evidence of an organization’s commitment to managing operational risks effectively. This evidence can be used to demonstrate compliance with CPS 230 requirements to regulators and other stakeholders.
Integrating Control Assurance into the CPS 230 Framework
To effectively integrate control assurance into the CPS 230 framework, organizations should adopt a multi-pronged approach:
1. Establish a Control Assurance Framework: Develop a clear and well-defined control assurance framework that outlines the scope, objectives, and methodology for control assurance activities.
2. Assign Responsibilities: Clearly define roles and responsibilities for control assurance activities, ensuring that there is appropriate segregation of duties and independence.
3. Conduct Regular Assessments: Perform regular assessments of internal controls, covering all critical risk areas and business processes.
4. Implement Remediation Plans: Develop and implement remediation plans to address identified control weaknesses or gaps.
5. Continuous Monitoring: Continuously monitor the effectiveness of implemented controls and make adjustments as needed to maintain a robust risk management environment.
“By adopting a comprehensive and systematic approach to control assurance, regulated entities can effectively mitigate operational risks, enhance governance, and foster a culture of risk awareness within their organizations.”
Customer Win Story
A Tier 1 Financial Institution aimed at standardizing their control testing process which was spread across the organisations in 10 different teams with different processes, different spreadsheets and approaches. Large amounts of time were consumed in attempting to collate and standardize the information, in order to gain meaningful insights. The organisation aimed to bolster their process with the aim of being proactive rather than reactive.
With the implementation of Control Assurance, testing approach and data was standardised and linked to organisational control goals and regulatory requirements (via Service Now library). Centralized data enabled the detection of enterprise-wide deficiencies and gaps leading to the pro-active development of mitigating actions.
"By adopting a comprehensive and systematic approach to control assurance, regulated entities can effectively mitigate operational risks, enhance governance, and foster a culture of risk awareness within their organizations."
Conclusion: Control Assurance – A Pathway to Sustainable Operational Resilience
Control assurance plays a vital role in ensuring CPS 230 compliance and achieving sustainable operational resilience. By adopting a comprehensive and systematic approach to control assurance, regulated entities can effectively mitigate operational risks, enhance governance, and foster a culture of risk awareness within their organizations. This commitment to sound risk management practices will ultimately contribute to long-term financial stability and stakeholder confidence