CPS 230 Postcard #5

Question 1

What is the title of CPS 230?

Answer 1

Operational Risk Management

Question 2

Which regulator set the regulatory requirement known as CPS 230?

Answer 2

APRA

Question 3

What are the general goals of CPS 230?

Answer 3

Strengthening operational resilience & reducing disruption to customer, company & country

Question 4

What are the three main expected outcomes of CPS 230?

Answer 4

1. Effectively managing risks.
2. Maintaining COs within tolerance levels through severe but plausible disruptions.
3. Effectively managing the risks associated with the use of service providers.

Question 5

What are the 3 key dates for NAB regarding CPS 230?

Answer 5

• 31 Dec 24: Internal readiness target
• 1 July 25: Effective date
• 1 July 26: Material Service Provider contracts udpated

Question 6

What 2 key things must we do to fundamentally shift how we manage Critical Operations?

Answer 6

1. Maintain/Strengthen COs, which often span across Divisions, while recognising FAR accountabilities.
2. Effectively connect, manage, and strengthen the ecosystem of each CO, comprising the service providers, technology assets, office locations, and enabling teams that support them.

Question 7

How many Critical Operations does NAB have?

Answer 7

17

Question 8

Regarding Critical Operations, what are some workstream highlights completed in April?

Answer 8

1. Reduced COs from 19 to 17
2. Progressed BIAs for COs
3. L4 Processes validated by CO Owners.
4. Updated NFI/FI tables to support Risk Profiles.
5. ‘Critical Process’ measure for prioritising PACE delivery at NAB has been retired.

Question 9

Why are we mobilising Critical Operations? (6 steps)

Answer 9

1. COs defined (based on L4 processes)
2. Dependencies mapped (based on BIAs)
3. Impact Tolerance Levels defined and tested
4. Risk Profiles approved
5. Gaps & exposures identified
6. Remediation plans approved (for elements negatively impacting the resilience of COs)

Question 10

What activities will CO owners be completing in April?

Answer 10

• Validate L4 processes by 30 April
• Triage sessions to identify FY25 funding requirements

Question 11

What activities will CO owners be completing in May?

Answer 11

• L4 processes for all COs documented in PH by end of May

Question 12

What activities will CO owners be completing in June?

Answer 12

• CO Owners define tolerance levels
• CO Risk Profiles commence

Question 13

What activities will CO owners be completing in August?

Answer 13

• Gaps in L4 processes certified
• Commence drafting Customer Playbooks

Question 14

What activities will CO owners be completing in September?

Answer 14

• BIAs approved by CO Owners

Question 15

What activities will CO owners be completing in October?

Answer 15

• Risk profiles approved by CO Owners
• MSP register confirmed
• Findings raised in GRACE

Question 16

What 5 CPS 230 features have already been completed?

Answer 16

1. Identify Critical Operations
2. Identify CO Owners
3. Identify CO Processes
4. Tech Integration
5. Define Framework

Question 17

When was Identify Critical Operations completed?

Answer 17

Oct 23

Question 18

When was Identify CO Owners completed?

Answer 18

Dec 23

Question 19

When was Identify CO processes completed?

Answer 19

Feb 24

Question 20

When are the two CO drops?

Answer 20

April and June 24

Question 21

When will CO reporting be delivered?

Answer 21

August 24