“Managing operational risk can be complex because it’s decentralised.”
APRA defines operational risk as “risks that may result from inadequate or failed processes or systems, the actions or inactions of people or external drivers and events”.
One of the most common ways of managing operational risk is through a system of effective internal controls. Control failures, however, can lead to events as varied as mis-selling, data breaches and underpayments – hence APRA’s focus on strengthening operational risk management.
It is not possible for an entity to maximise its operational resilience without effectively managing its operational risk.
Financial risks such as credit, insurance or market risks are generally managed on a centralised basis within defined strategies and limits. APRA notes that “operational risk is inherent in all products, activities, processes and systems” and therefore, it is not possible to adopt the same centralised model of risk management.
CPS 230 states that:
This approach aligns with the three lines model of risk management, which forms the basis for the approach to risk management set out in CPS 220.
To be most effective, operational risk should be managed where it occurs and is therefore largely the responsibility of business lines, or Line 1. As such, management of operational risk is “de-centralised”, making activities such as controls assurance, Line 2 oversight and dashboard-style reporting critically important to drive consistency and effectiveness across the organisation and to enable the Board to have oversight of any processes, systems or parts of the organisation that may not be operationally resilient.
APRA expects that entities “should maintain internal controls to detect and manage operational risks within appetite”. This includes the following components:
It’s important that these components operate as a framework and not in isolation – the framework should guide the required considerations and be kept up to date.
Effective operational risk management is dependent upon linkages being made based upon the information derived from the different components of the framework so that the appropriate decisions can be made.
Based on our experience supporting clients to implement and refresh their enterprise risk management and operational risk management frameworks, or to respond to APRA requirements and recommendations regarding these, the following are some of the elements that we consider fundamental to the effective management of operational risk. These should also help overcome some of the complexity arising from the decentralised nature of operational risk.
To support managing operational risk where it occurs – in the business – Line 1 needs the capacity to maintain its own operational risk profile. This includes recording and managing incidents and maintaining an internal controls assurance program. Once an entity is of sufficient size, investing in a management information system (MIS) may not only streamline risk management but also improve its consistency. Line 2 maintaining risk registers and profiles in spreadsheets will no longer be sustainable.
An MIS enables linkages to be made that support a more accurate assessment of residual risk and of the level of operational risk carried by the entity. Risk dashboards can also be generated automatically, enabling more insightful analysis to be provided to the Board.
We often come across entities that have too many risks in their profile relative to the size, complexity and nature of their business. Without a clear risk taxonomy, the number of risks may become unmanageable, making it difficult to undertake meaningful analysis and impairing the understanding of key risks.
Identifying operational risks and understanding and treating operational vulnerabilities is a critical ingredient for operational resilience.
A risk taxonomy should generally consist of two levels:
Our clients will often ask us for suggestions of lead indicators for operational risk. The best lead indicator of operational risk is controls assurance results, because they not only provide evidence of the adequacy of controls over material risks but also information about control weaknesses that enables improvements to be made.
When instances of control ineffectiveness are identified, they not only need to be rectified, but consideration should also be given to whether the level of residual risk has increased. This situation may only be temporary, until such time as remediation actions are completed.
Root cause analysis may assist entities to understand why something went wrong and prevent its reoccurrence. It can also assist entities to better understand what is working well and how this can be extrapolated across other processes or functions.
Better practice is to require root cause analysis as part of an entity’s situation (formerly breach and incident) process. Without understanding the root cause, remediation may be incomplete or may address only the symptoms rather than the underlying cause.
At its simplest, root cause analysis may just involve asking “the 5 whys”. Root cause analysis is also a useful tool when analysing disputes and complaints to determine whether there are systemic issues that may give rise to customer detriment.
Many entities leverage third-party and related service providers as part of their operating model. Whilst outsourcing can increase the level of operational risk, it may also mitigate it. Replacing CPS 231 (Outsourcing) with CPS 230 is an acknowledgement that using service providers is an established and integral part of service delivery.
Our next technical guide will provide an overview of third-party service provider management.