CPMS SOP

Question 1

What does CPMS stand for?

Answer 1

Control and Process Management Standard

Question 2

What is the purpose of the CPMS?

Answer 2

Mandates the relevant activities, roles, and responsibilities required throughout the lifecycle of controls and processes.

• Provides simple, standardised approach for controls/processes.
• Provides clear accountability, roles, and responsibilities.
• Enables embedding of intelligent controls within processes for operational resilience.
• Supports better customer and business outcomes.
• Supports compliance

Question 3

What is a Control?

Answer 3

A series of measurable activities designed to reduce risk, comply with obligations, and enable a process to consistently achieve its expected outcomes.

Question 4

What 4 elements must a control contain?

Answer 4

1. Standard (expectation of what must go right).
2. Input (a way to gather information about the actual situation).
3. Comparison (a way to compare the actual with expectation).
4. Correction (a way to respond to deviations).

Question 5

What is a “common” control?

Answer 5

One control operated across the Enterprise, with a single Control Owner/Manager, a single control design, and is operated the same way on a standard, consistent process. There can be multiple people opeating the control within different businesses.

Question 6

What is a “common” process?

Answer 6

A process that is operated uniformly across the enterprise with a single Process Owner (but one or more Process Model Owners).

Question 7

What are the 2 control methods?

Answer 7

1. Automated
2. Manual

Question 8

What is an automated control?

Answer 8

• A control with all 4 components (Standard, Input, Comparison, Correction) automated by systems BUT:
• The Correction component can be manual so long as this is corrected via the system.

Question 9

When can a control have a manual component but still be considered automated?

Answer 9

Where an automated control has manual intervention for Correction but the Correction is performed via the system.

Question 10

Who should own an Automated Control?

Answer 10

Control ownership resides with whoever has decision rights for the control design (it does not reside with who operates the control).

Question 11

Can a control be considered Automated if one or more components require manual intervention (other than the exception for manual intervention with automated correction)?

Answer 11

No - it will be considered a Manual Control

Question 12

What are the 3 control types?

Answer 12

1. Preventative
2. Corrective
3. Detective

Question 13

Define a Preventative Control?

Answer 13

Identification and correction of a deviation occurs before or at the same time,

Question 14

Define a Corrective Control?

Answer 14

Corrects a deviation after it has occurred.

Question 15

Define a Detective Control?

Answer 15

Identifies a deviation after it has occurred.

Question 16

What is an IT Asset control?

Answer 16

A control implemented and operationalised on a specific IT asset. Intended to reduce risk, comply with obligations, or enable a process to consistently achieve expected outcomes.

Question 17

What are Third Party Controls and Processes? What must we do for them?

Answer 17

Controls and processes operated by a third party where NAB does not have decision rights for the control or process design.

• Must have monitoring controls for these.
• Do not need to be documented in GRACE/NPH.

Question 18

What is an evidentiary control?

Answer 18

Evidence to demonstrate that an obligation requirement outcome has been met and demonstrates compliance at a point in time only.

Question 19

Are evidentiary controls considered controls as per the Standard definition?

Answer 19

No, as they do not have any Correction.

Question 20

What is C3 Tier?

Answer 20

Classification of Business Activity criticality based on the severity and time to impact from disruptions to Customers, Company, and Country.

Question 21

What are Critical Operations?

Answer 21

Processes that when disrupted beyond tolerance levels under severe but plausible scenarios would have a Critical financial or non-financial impact due to the time-critical nature of the process on Customers, Company, or Country.

Question 22

What are Critical Operation Processes?

Answer 22

The group of Level 4 business activities required to deliver the time sensitive outcomes of a Critical Operation.

These processes must be approved for inclusion in the CO by Owners, based on the assessed relevance, time sensitivity, and importance to the in-scope outcomes required for the CO.

Question 23

Who is responsible for the oversight and governance of control and process management?

Answer 23

Operational Risk & Controls (OR&C)

Question 24

What are Operational Risk & Controls (OR&C) responsible for?

Answer 24

• Standard for Control/Process/Instructional Content management.
• Control testing independent of Control Owner.
• Manage GRACE and interface with other systems (e.g., NPH, SAP, SNAB).
• Manage PACE methodology.
• Reporting/insights for Control and Process management.