Updated August 21, 2023
An independent statutory authority, the Australian Prudential Regulation Authority (APRA) supervises financial and related institutions across the banking, insurance, and superannuation sectors.
APRA is accountable to the Australian Parliament, which has tasked the authority with maintaining the safety and soundness of the financial industry. More specifically, APRA is responsible for protecting the interests of depositors, policyholders, and superannuation fund members.
To promote the stability of the financial system, APRA works in tandem with other regulatory bodies, including the Australian Treasury, the Reserve Bank of Australia, and the Australian Securities and Investments Commission.
The failure of even one regulated institution can undermine the stability of the financial system. For that reason, APRA is obliged to maintain a low incidence of failure among the entities it regulates.
Of course, APRA cannot run those institutions itself. Instead, it compels their management and directors (in practice, the Board of Directors) to ensure that their own institutions remain sound.
APRA does so primarily by imposing prudential standards. These standards largely concern risk and business continuity management. Their purpose is to increase resilience to business disruption arising from internal and external events, and to reduce the impact of such disruption on business operations, reputation, profitability, depositors, policyholders, and other stakeholders.
Key standards address capital adequacy, liquidity, and governance to ensure that systemic risks (i.e., risks that would endanger the system as a whole) are properly managed.
Outsourcing falls under this rubric as well. And so, in July 2016, APRA released Prudential Standard CPS 231 Outsourcing, the standard to which this guide provides a primer.
Outsourcing, as CPS 231 defines it, means entering into an arrangement with another party (including a related body corporate) to perform, on a continuing basis, a business activity that currently is, or could be, undertaken by the institution itself.
Although handed down by APRA, CPS 231 derives its statutory authority from subsections of existing parliamentary law. Those laws include:
What, then, does the standard do? According to its text, the prudential standard requires that all outsourcing arrangements involving material business activities entered into by an APRA-regulated institution or a "Head of a group" be subject to appropriate due diligence, approval, and ongoing monitoring.
Further, all risks arising from outsourcing said material business activities must be appropriately managed to ensure that the APRA-regulated institution, or the group it heads, is able to meet its financial and service obligations to its depositors and/or policyholders.
Understanding what constitutes a material business activity is key to complying with the standard. A material business activity is any activity that has the potential, if disrupted, to have a significant impact on the APRA-regulated institution's or group's business operations or on its ability to manage risks effectively, as regards the following:
How to comply? Well, the most salient requirements of this standard include:
As with many risk management standards, CPS 231 imposes timely notification requirements on regulated entities when they enter into outsourcing arrangements involving a material business activity.
For starters, APRA-regulated institutions must notify the authority as soon as possible after entering into an outsourcing agreement and, in any event, no later than 20 business days after execution of the agreement. This notification requirement applies to all outsourcing of material business activities.
What's more, when APRA-regulated institutions notify APRA, they must also provide a summary of the key risks involved in the outsourcing arrangement and of the risk mitigation strategies put in place to address them. APRA also has the discretion to request additional material where it considers this necessary to assess the impact of the outsourcing arrangement on the institution's risk profile.
Seen from this vantage, CPS 231's requirements simply extend risk management best practices to the realm of outsourcing. The requirements for APRA-regulated institutions here include:
For APRA-regulated entities, compliance with CPS 231 might seem like a lot. However, adhering to best practices in risk management, business continuity, and outsourcing is beneficial in and of itself.
Furthermore, digital technology can help. Integrated platforms, like Noggin, give APRA-regulated institutions the risk management functionality to identify, assess, manage, mitigate, and report on the risks associated with outsourcing.
Business continuity is also a critical component of outsourcing. Here, Noggin Continuity enables APRA-regulated entities to automate key functions that are crucial to compliance (e.g., recovery should a disruption occur). Other Noggin Continuity capabilities that can help with compliance include:
Finally, APRA-regulated entities are being asked to do their part to ensure the stability of the financial system. That means implementing best practices in risk management, business continuity, and outsourcing in order to mitigate key threats.
If those measures sound daunting, they need not be. Digital technologies, like Noggin's suite of safety and security management solutions, can help regulated entities meet their requirements expeditiously while getting the jump on the competition.
i. This standard applies to (a) authorised deposit-taking institutions (ADIs), including foreign ADIs, and non-operating holding companies authorised under the Banking Act (authorised banking NOHCs); (b) all general insurers, including Category C insurers, non-operating holding companies authorised under the Insurance Act (authorised insurance NOHCs) and parent entities of Level 2 insurance groups; and (c) all life companies, including friendly societies and eligible foreign life insurance companies (EFLICs), and non-operating holding companies registered under the Life Insurance Act (registered life NOHCs).