Prudential practice guide

LPG 230 Operational Risk

  • Life insurance
  • Current, 1 March 2007
  • Prudential framework pillars: Risk Management; Operational Risk; Supporting

About this guide

Note: Prudential Standard LPS 220 Risk Management has been replaced by Prudential Standard CPS 220 Risk Management (CPS 220). References in this guide to LPS 220 should be read as references to CPS 220.
Prudential Standard LPS 220 Risk Management (LPS 220) sets out APRA’s requirements for life companies in relation to risk management. This prudential practice guide aims to assist life companies in complying with requirements in relation to operational risk and, more generally, to outline prudent practices in relation to operational risk management.
Subject to the requirements of LPS 220, life companies have the flexibility to configure their operational risk management framework in the way most suited to achieving their business objectives. Not all of the practices outlined in this prudential practice guide will be relevant for every life company and some aspects may vary depending upon the size, complexity and risk profile of the life company.

Disclaimer and copyright

This prudential practice guide is not legal advice and users are encouraged to obtain professional advice about the application of any legislation or prudential standard relevant to their particular circumstances and to exercise their own skill and care in relation to any material contained in this guide.
APRA disclaims any liability for any loss or damage arising out of any use of this prudential practice guide.
This prudential practice guide is copyright. You may use and reproduce this material in an unaltered form only for your personal non-commercial use or non-commercial use within your organisation. Apart from any use permitted under the Copyright Act 1968, all other rights are reserved. Requests for other types of use should be directed to APRA.

Operational risk

Operational risk is defined as the risk of loss (including to policy owners) resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk but excludes strategic and reputational risk. A life company would typically apply this definition as appropriate to the size, business mix and complexity of the life company’s activities and operating environment. APRA envisages that the definition and application of operational risk would be clearly understood throughout the life company in order for the life company to effectively identify and manage this risk.
The management of operational risk would include consideration of a broad range of risks for current and legacy operations, such as those associated with:
  • information technology;
  • human resources;
  • internal and external fraud;
  • project management;
  • information systems;
  • outsourcing;[1]
  • business continuity;[2]
  • product administration (including processing, transactions, production of documentation, underwriting and claims);
  • unit pricing;[3]
  • business processes including non-outsourced third party arrangements; and
  • introducing new products.

[1] Requirements in relation to outsourcing are set out in Prudential Standard LPS 231 Outsourcing.
[2] Requirements in relation to business continuity management are set out in Prudential Standard LPS 232 Business Continuity Management.
[3] Refer APRA and ASIC Unit Pricing — Guide to good practice.

Information technology

Information technology (IT) risk is the risk of failure or malfunction of the IT applications and infrastructure used to support the life company. Generally, a life company’s risk management framework would consider risks associated with IT infrastructure (hardware and software), security and application development and maintenance.
Some of the elements of IT infrastructure that may be relevant include:
  • network and user management;
  • configuration management;
  • system performance and capacity;
  • IT service request, service level management and helpdesk management;
  • the change request process; and
  • IT asset management.

When assessing the management of risk related to IT security, a life company may consider the relevant:
  • policies and standards;
  • prevention measures (such as preventing unauthorised access);
  • monitoring; and
  • testing of controls.

When considering risks associated with application development, a life company would consider whether the following are in place:
  • a formal methodology for application development;
  • governance and monitoring arrangements;
  • development and testing protocols;
  • a strategy for version control of source code;
  • maintenance of application documentation; and
  • post implementation reviews.

Human resources

Aspects of a life company’s human resources can lead to operational risks. In considering those risks the following may be relevant:
  • risk identification and assessment of the life company’s human resource needs, including key persons;
  • background verification of employees and contractors;[4]
  • segregation of duties;
  • succession planning; and
  • monitoring and supervision of staff.

[4] Requirements in relation to fitness and propriety are set out in Prudential Standard LPS 520 Fit and Proper.

Fraud

APRA envisages that the risk management framework would address fraud risk. Fraud risk is the risk arising from intentional acts, undertaken for personal benefit, that tamper with or manipulate the financial or operational aspects of the business.
Fraudulent activity can arise from internal sources (e.g. product administration) or external sources (e.g. fictitious claims and cheque fraud) and exposes the life company to risk of financial loss if not managed appropriately.
In relation to fraud, the risk management framework would typically include consideration of the following elements:
  • segregation of duties at both an operational level and in relation to functional reporting lines;
  • delegation and authority limits;
  • financial accounting controls; and
  • staff training and awareness of fraud risk and policies (including a code of conduct).

Project management

A life company could consider addressing project management risk in its risk management framework. Project management risk is the risk that projects will not achieve the desired objectives or will have a negative impact on resource levels of the life company.
In relation to project management, the risk management framework could consider the management of a range of risks, including the appropriateness of the following elements:
  • a formal project methodology for the promulgation of project initiatives including:
      – setting a business case for the project;
      – cost/benefit analysis;
      – risk identification and assessment; and
      – stakeholder sign-offs;
  • clearly defined and appropriate levels of delegations of authority;
  • ongoing monitoring of project objectives and timeframes;
  • centralised oversight of compliance with project management protocols; and
  • post-implementation review.

Information systems

APRA envisages that controls would be in place for ensuring that data in the risk management framework’s information and reporting systems is timely, accurate and complete. Internal information and reporting systems would be secure and supported by adequate business continuity arrangements.
A properly functioning information and reporting system would typically:
  • produce detailed financial, operational and compliance data;
  • be able to incorporate external market information relating to events and conditions that are relevant to decision-making;
  • enable relevant, accurate and timely information to be reported;
  • allow the life company to identify, quantify, assess and monitor business activities, exposure to risk, financial position and performance;
  • allow the life company to monitor the effectiveness of, and compliance with, its internal control system, and report any exceptions that arise; and
  • be reviewed regularly to assess the timeliness and relevance of information generated, and the adequacy, quality and accuracy of the system’s performance over time.