WeChat official account: 业务连续性+ (Business Continuity+)

Chinese abridged translation of the Australian Prudential Regulation Authority's CPS 230 Operational Risk Management

Preface: More and more people are paying attention to operational resilience. Although the field is still developing rapidly, a degree of consensus has already formed. The financial industry is one of the industries most concerned with operational resilience; in recent years the financial regulators of several developed countries and regions, together with the Basel Committee on Banking Supervision, have successively issued or revised formal documents on operational resilience and business continuity management. To help more professionals and enthusiasts learn about international developments in operational resilience and to study and practise good practice in the field, over the past two years I organised two rounds of volunteer translation work, translating operational resilience materials from the Basel Committee on Banking Supervision and the UK financial regulators, including:
Principles for Operational Resilience, Chinese abridged translation (Basel Committee on Banking Supervision) (23 November 2021)
Revisions to the Principles for the Sound Management of Operational Risk, Chinese abridged translation (Basel Committee on Banking Supervision) (29 November 2021)
Operational Resilience: Impact Tolerances for Important Business Services, Chinese abridged translation (joint statement by the Bank of England, the UK Prudential Regulation Authority (PRA) and the UK Financial Conduct Authority (FCA)) (26 November 2022)
Policy Statement PS6/21 – Operational Resilience: Impact Tolerances for Important Business Services, Chinese abridged translation (PRA operational resilience policy statement) (27 November 2022)
PRA Rulebook: CRR Firms, Solvency II Firms: Operational Resilience Instrument 2021, Chinese abridged translation (Appendix 1 to the PRA operational resilience policy statement: the operational resilience part of the PRA Rulebook) (28 November 2022)
PRA Supervisory Statement SS1/21 "Operational Resilience: Impact Tolerances for Important Business Services", Chinese abridged translation (Appendix 2 to the PRA operational resilience policy statement: PRA Supervisory Statement SS1/21) (1 December 2022)
PRA "Operational Resilience" Policy Note, Chinese abridged translation (Appendix 3 to the PRA operational resilience policy statement: operational resilience policy note) (2 December 2022)

In March this year I again organised a volunteer translation group to translate operational resilience materials from the financial regulators of the United States, Ireland, Australia, Singapore and Hong Kong. Around July, members of the group sent me their draft translations; I will finish reviewing these materials shortly and publish them on this account one by one.

The following are the members of the third round of the volunteer operational resilience translation group (in no particular order of precedence, sorted by surname pinyin):
高洋 (ICBC, william.yang.gao@gmail.com)
江磊 (Shenzhen Longhua, 2014595@qq.com)
刘琪岳 (Beijing)
刘宇 (Shenzhen, 13316880733@189.cn)
刘元锋 (Beijing Rural Commercial Bank head office, liuyf@bjrcb.com)
林喆 (Guangzhou, 674441632@qq.com)
马骏 (Accenture / Dalian, patrick.ma2018@outlook.com)
孙宁莉 (Shenzhen Ren'an Consulting Services Co., Ltd., 115947186@qq.com)
王舵 (Dalian Tong'an Emergency Management Technology Co., Ltd., prekids@163.com)
徐文静 (DNV, wen.jing.xu@dnv.com)
薛春娟 (Zhoushan, Zhejiang, 793571689@qq.com)
张锋 (Beijing, zhangfeng76@wo.cn)
周可政 (Shanghai, wikikivv@gmail.com)
王曙 (新常安科技, kevinwang@vip.sina.com)

I thank the professionals of the volunteer translation group for giving their personal time to the translation work. I was responsible for the final unified review and finalisation of the translation below; any inaccuracy or misunderstanding in it is my fault and not that of the translators. If you have comments or suggested corrections, please leave me a message.

王曙 (kevinwang), 26 October 2023


This document was published by the Australian Prudential Regulation Authority (APRA) on 17 July 2023 and is intended to ensure that banks, insurers and superannuation trustees can better manage operational risk and respond to business disruptions. The original is at: https://www.apra.gov.au/sites/default/files/2023-07/Prudential%20Standard%20CPS%20230%20Operational%20Risk%20Management%20-%20clean.pdf

The new Prudential Standard CPS 230 Operational Risk Management (2023 edition) gives APRA-regulated entities the following foundations: (1) strengthened operational risk management, through new requirements that address deficiencies identified in existing controls; (2) improved business continuity planning, to ensure that plans can respond to severe disruptions; and (3) enhanced third-party risk management, through appropriate management of the risks of material service providers.

The new Prudential Standard CPS 230 Operational Risk Management commences on 1 July 2025.


Operational Risk Management

Objectives and key requirements of this Prudential Standard

The aim of this Prudential Standard is to ensure that an APRA-regulated entity is resilient to operational risks and disruptions. An APRA-regulated entity must effectively manage its operational risks, maintain its critical operations through disruptions, and manage the risks arising from service providers.

An APRA-regulated entity's approach to operational risk must be appropriate to its size, business mix and complexity. The key requirements of this Prudential Standard are that an APRA-regulated entity must: • identify, assess and manage its operational risks, with effective internal controls, monitoring and remediation; • be able to continue to deliver its critical operations within tolerance levels through severe disruptions, with a credible business continuity plan (BCP); and • effectively manage the risks associated with service providers, with a comprehensive service provider management policy, formal agreements and robust monitoring.

Authority

1. This Prudential Standard is made under: (a) section 11AF of the Banking Act 1959 (Banking Act); (b) section 32 of the Insurance Act 1973 (Insurance Act); (c) section 230A of the Life Insurance Act 1995 (Life Insurance Act); (d) section 92 of the Private Health Insurance (Prudential Supervision) Act 2015 (PHIPS Act); and (e) section 34C of the Superannuation Industry (Supervision) Act 1993 (SIS Act).

Application and commencement

2. This Prudential Standard applies to all APRA-regulated entities defined as: (a) authorised deposit-taking institutions (ADIs), including foreign ADIs, and non-operating holding companies authorised under the Banking Act (authorised banking NOHCs); (b) general insurers, including Category C insurers, non-operating holding companies authorised under the Insurance Act (authorised insurance NOHCs) and parent entities of Level 2 insurance groups; (c) life companies, including friendly societies, eligible foreign life insurance companies (EFLICs) and non-operating holding companies registered under the Life Insurance Act (registered life NOHCs); (d) private health insurers registered under the PHIPS Act; and (e) registrable superannuation entity licensees (RSE licensees) under the SIS Act in respect of their business operations. [1]

3. The obligations imposed by this Prudential Standard on, or in relation to, a foreign ADI, a Category C insurer and an EFLIC apply only in relation to the Australian branch operations of that entity.

4. Where an APRA-regulated entity is the Head of a group, [2] it must comply with a requirement of this Prudential Standard: (a) in its capacity as an APRA-regulated entity; (b) by ensuring that the requirement is applied appropriately throughout the group, [3] including in relation to entities that are not APRA-regulated; and (c) on a group basis.

5. In applying the requirements of this Prudential Standard on a group basis, references to an APRA-regulated entity are to be read as 'Head of a group' and references to entity are to be read as 'group'.

6. This Prudential Standard commences on 1 July 2025.

7. Where an APRA-regulated entity has pre-existing contractual arrangements in place with a service provider, the requirements in this Prudential Standard will apply in relation to those arrangements from the earlier of the next renewal date of the contract with the service provider or 1 July 2026.

Interpretation

8. Terms that are defined in Prudential Standard APS 001 Definitions, Prudential Standard GPS 001 Definitions, Prudential Standard LPS 001 Definitions, Prudential Standard HPS 001 Definitions or Prudential Standard 3PS 001 Definitions appear in bold the first time they are used in this Prudential Standard.

9. In this Prudential Standard, unless the contrary intention appears, a reference to an Act, Regulation or Prudential Standard is a reference to the Act, Regulation or Prudential Standard as in force from time to time.

10. Where this Prudential Standard provides for APRA to exercise a power or discretion, the power or discretion is to be exercised in writing.

Adjustments and exclusions

11. APRA may adjust or exclude a specific prudential requirement in this Prudential Standard in relation to an APRA-regulated entity. [4]

Key principles

12. An APRA-regulated entity must: (a) effectively manage its operational risks, and set and maintain appropriate standards for conduct and compliance; (b) maintain its critical operations within tolerance levels through severe disruptions; and (c) manage the risks associated with the use of service providers.

13. An APRA-regulated entity must identify, assess and manage operational risks that may result from inadequate or failed internal processes or systems, the actions or inactions of people or external drivers and events. Operational risk is inherent in all products, activities, processes and systems.

14. An APRA-regulated entity must, to the extent practicable, prevent disruption to critical operations, adapt processes and systems to continue to operate within tolerance levels in the event of a disruption and return to normal operations promptly once a disruption is over.

15. An APRA-regulated entity must not rely on a service provider unless it can ensure that in doing so it can continue to meet its prudential obligations in full and effectively manage the associated risks.

Risk management framework

16. As part of its risk management framework required under Prudential Standard CPS 220 Risk Management (CPS 220) and Prudential Standard SPS 220 Risk Management (SPS 220), an APRA-regulated entity must develop and maintain: (a) governance arrangements for the oversight of operational risk; (b) an assessment of its operational risk profile, with a defined risk appetite supported by indicators, limits and tolerance levels; (c) internal controls that are designed and operating effectively for the management of operational risks; (d) appropriate monitoring, analysis and reporting of operational risks and escalation processes for operational incidents and events; (e) business continuity plan(s) (BCPs) that set out how the entity would identify, manage and respond to a disruption within tolerance levels and are regularly tested with severe but plausible scenarios; and (f) processes for the management of service provider arrangements.

17. As part of the required reviews of the risk management framework under CPS 220 and SPS 220, an APRA-regulated entity must review its operational risk management. [5] The reviews must cover those aspects of operational risk management set out in paragraph 16.

18. Operational risk management must be integrated into an APRA-regulated entity's overall risk management framework and processes. Business continuity planning must be consistent with, and not conflict with or undermine, an APRA-regulated entity's recovery and exit planning. [6]

19. Where APRA considers that an APRA-regulated entity's operational risk management has material weaknesses, APRA may: (a) require an independent review of the entity's operational risk management; (b) require the entity to develop a remediation program; (c) require the entity to hold additional capital, as relevant; [7] (d) impose conditions on the entity's licence; and (e) take other actions required in the supervision of this Prudential Standard.

Roles and responsibilities

20. The Board [8] of an APRA-regulated entity is ultimately accountable for oversight of an entity's operational risk management. This includes business continuity and the management of service provider arrangements.

21. The Board must ensure that the APRA-regulated entity sets clear roles and responsibilities for senior managers [9] for operational risk management, including business continuity and the management of service provider arrangements.

22. The Board must: (a) oversee operational risk management and the effectiveness of key internal controls in maintaining the entity's operational risk profile within risk appetite. The Board must be provided with regular updates on the APRA-regulated entity's operational risk profile and ensure senior management takes action as required to address any areas of concern; (b) approve the BCP and tolerance levels for disruptions to critical operations, review the results of testing and oversee the execution of any findings; and (c) approve the service provider management policy, and review risk and performance reporting on material service providers.

23. Senior management of an APRA-regulated entity must provide clear and comprehensive information to the Board on the expected impacts on the entity's critical operations when the Board is making decisions that could affect the resilience of critical operations.

Operational risk management

24. An APRA-regulated entity must manage its full range of operational risks, including but not limited to legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk and change management risk. Senior management are responsible for operational risk management across the end-to-end process for all business operations.

25. An APRA-regulated entity must maintain appropriate and sound information and information technology (IT) capability to meet its current and projected business requirements and to support its critical operations and risk management. In managing technology risks, an APRA-regulated entity must monitor the age and health of its information assets and meet the requirements for information security in Prudential Standard CPS 234 Information Security (CPS 234).

Operational risk profile and assessment

26. An APRA-regulated entity must assess the impact of its business and strategic decisions on its operational risk profile and operational resilience, as part of its business and strategic planning processes. [10] This must include an assessment of the impact of new products, services, geographies and technologies on its operational risk profile.

27. An APRA-regulated entity must maintain a comprehensive assessment of its operational risk profile. As part of this, an APRA-regulated entity must: (a) maintain appropriate and effective information systems to monitor operational risk, compile and analyse operational risk data and facilitate reporting to the Board and senior management; (b) identify and document the processes and resources needed to deliver critical operations, including people, technology, information, facilities and service providers, the interdependencies across them, and the associated risks, obligations, key data and controls; and (c) undertake scenario analysis to identify and assess the potential impact of severe operational risk events, test its operational resilience and identify the need for new or amended controls and other mitigation strategies.

28. An APRA-regulated entity must conduct a comprehensive risk assessment before providing a material service to another party, to ensure that the APRA-regulated entity is able to continue to meet its prudential obligations after entering into the arrangement. APRA may require an APRA-regulated entity to review and strengthen internal controls or processes where APRA considers there to be heightened prudential risks in such circumstances.

Operational risk controls

29. An APRA-regulated entity must design, implement and embed internal controls to mitigate its operational risks in line with its risk appetite and meet its compliance obligations.

30. An APRA-regulated entity must regularly monitor, review and test controls for design and operating effectiveness, the frequency of which must be commensurate with the materiality of the risks being controlled. The results of testing must be reported to senior management and any gaps or deficiencies in the control environment must be rectified in a timely manner.

31. An APRA-regulated entity must remediate material weaknesses in its operational risk management, including control gaps, weaknesses and failures. This remediation must be supported by clear accountabilities and assurance and address the root causes of weaknesses in a timely manner. An APRA-regulated entity must include identified control gaps, weaknesses and failures in its operational risk profile until such matters are remediated.

Operational risk incidents

32. An APRA-regulated entity must ensure that operational risk incidents and near misses are identified, escalated, recorded and addressed in a timely manner. An APRA-regulated entity must take incidents and near misses into account in its assessment of its operational risk profile and control effectiveness in a timely manner.

33. An APRA-regulated entity must notify APRA as soon as possible, and not later than 72 hours, after becoming aware of an operational risk incident that it determines to be likely to have a material financial impact or a material impact on the ability of the entity to maintain its critical operations. [11]

Business continuity

34. An APRA-regulated entity must: (a) define, identify and maintain a register of its critical operations; (b) take reasonable steps to minimise the likelihood and impact of disruptions to its critical operations; (c) maintain a credible BCP that sets out how it would maintain its critical operations within tolerance levels through disruptions, including disaster recovery planning for critical information assets; [12] (d) activate its BCP if needed in the event of a disruption; and (e) return to normal operations promptly after a disruption is over.

Critical operations and tolerance levels

35. Critical operations are processes undertaken by an APRA-regulated entity or its service provider which, if disrupted beyond tolerance levels, would have a material adverse impact on its depositors, policyholders, beneficiaries or other customers, or its role in the financial system.

36. An APRA-regulated entity must, at a minimum, classify the following business operations as critical operations, unless it can justify otherwise: (a) for an ADI: payments, deposit-taking and management, custody, settlements and clearing; (b) for an insurer (general, life, private health): claims processing; (c) for an RSE licensee: investment management and fund administration; and (d) for all APRA-regulated entities: customer enquiries and the systems and infrastructure needed to support critical operations.

37. APRA may require an APRA-regulated entity, or a class of APRA-regulated entities, to classify a business operation as a critical operation.

38. For each critical operation, an APRA-regulated entity must establish tolerance levels for: (a) the maximum period of time the entity would tolerate a disruption to the operation; (b) the maximum extent of data loss the entity would accept as a result of a disruption; and (c) minimum service levels the entity would maintain while operating under alternative arrangements during a disruption.

39. APRA may require an APRA-regulated entity to review and change its tolerance levels for a critical operation. APRA may set tolerance levels for an APRA-regulated entity, or a class of APRA-regulated entities, where it identifies a heightened risk or material weakness.

Business continuity plan

40. An APRA-regulated entity's BCP must include: (a) the register of critical operations and associated tolerance levels; (b) triggers to identify a disruption and prompt activation of the plan, and arrangements to direct resources in the event of activation; (c) actions it would take to maintain its critical operations within tolerance levels through disruptions; (d) an assessment of the execution risks, required resources and preparatory measures, including key internal and external dependencies needed to support the effective implementation of the BCP actions; and (e) a communications strategy to support execution of the plan.

41. An APRA-regulated entity must maintain the capabilities required to execute the BCP, including access to people, resources and technology. [13] An APRA-regulated entity must monitor compliance with its tolerance levels and report any failure to meet tolerance levels, together with a remediation plan, to the Board.

42. An APRA-regulated entity must notify APRA as soon as possible, and not later than 24 hours after, if it has suffered a disruption to a critical operation outside tolerance. The notification must cover the nature of the disruption, the action taken, the likely impact on the entity's business operations and the timeframe for returning to normal operations.

Testing and review

43. An APRA-regulated entity must have a systematic testing program for its BCP that covers all critical operations and includes an annual business continuity exercise. The program must test the effectiveness of the entity's BCP and its ability to meet tolerance levels in a range of severe but plausible scenarios.

44. The testing program must be tailored to the material risks of the APRA-regulated entity and include a range of severe but plausible scenarios, including disruptions to services provided by material service providers and scenarios where contingency arrangements are required. APRA may require the inclusion of an APRA-determined scenario in a business continuity exercise for an APRA-regulated entity, or a class of APRA-regulated entities.

45. An APRA-regulated entity must update, as necessary, its BCP on an annual basis to reflect any changes in legal or organisational structure, business mix, strategy or risk profile or for shortcomings identified as a result of the review and testing of the BCP.

46. An APRA-regulated entity's internal audit function must periodically review the entity's BCP and provide assurance to the Board that the BCP sets out a credible plan for how the entity would maintain its critical operations within tolerance levels through severe disruptions and that testing procedures are adequate and have been conducted satisfactorily.

Management of service provider arrangements

47. An APRA-regulated entity must maintain a comprehensive service provider management policy. The policy must cover how the entity will identify material service providers and manage service provider arrangements, including the management of material risks associated with the arrangements.

48. The policy must include: (a) the entity's approach to entering into, monitoring, substituting and exiting agreements with material service providers; (b) the entity's approach to managing the risks associated with material service providers; and (c) the entity's approach to managing the risks associated with any fourth parties that material service providers rely on to deliver a critical operation to the APRA-regulated entity. [14]

Material service providers

49. An APRA-regulated entity must identify and maintain a register of its material service providers and manage the material risks associated with using these providers. Material service providers are those on which the entity relies to undertake a critical operation or that expose it to material operational risk. [15] Material arrangements are those on which the entity relies to undertake a critical operation or that expose it to material operational risk.

50. An APRA-regulated entity must, at a minimum, classify a provider of the following services as a material service provider, unless it can justify otherwise: (a) for an ADI: credit assessment, funding and liquidity management and mortgage brokerage; (b) for an insurer (general, life, private health): underwriting, claims management, insurance brokerage and reinsurance; (c) for an RSE licensee: fund administration, custodial services, investment management and arrangements with promoters and financial planners; and (d) for all APRA-regulated entities: risk management, core technology services and internal audit.

51. An APRA-regulated entity must submit its register of material service providers to APRA on an annual basis.

52. APRA may require an APRA-regulated entity, or a class of APRA-regulated entities, to classify a service provider, type of service provider or service provider arrangement as material.

Service provider agreements

53. Before entering into or materially modifying a material arrangement, an APRA-regulated entity must: (a) undertake appropriate due diligence, including an appropriate selection process and an assessment of the ability of the service provider to provide the service on an ongoing basis; and (b) assess the financial and non-financial risks from reliance on the service provider, including risks associated with geographic location or concentration of the service provider(s) or parties the service provider relies on in providing the service.

54. For all material arrangements, an APRA-regulated entity must maintain a formal legally binding agreement (formal agreement). The formal agreement must, at a minimum: (a) specify the services covered by the agreement and associated service levels; (b) set out the rights, responsibilities and expectations of each party to the agreement, including in relation to the ownership of assets, ownership and control of data, dispute resolution, audit access, liability and indemnity; (c) include provisions to ensure the ability of the entity to meet its legal and compliance obligations; (d) require notification by the service provider of its use of other material service providers that it materially relies upon in providing the service to the APRA-regulated entity through sub-contracting or other arrangements; (e) require the liability for any failure on the part of any sub-contractor to be the responsibility of the service provider; (f) include a force majeure provision indicating those parts of the contract that would continue in the case of a force majeure event; and (g) termination provisions including, but not limited to, the right to terminate both the arrangement in its entirety or parts of the arrangement. For an RSE licensee, termination provisions must include the ability for the RSE licensee to terminate the arrangement where to continue the arrangement would be inconsistent with the RSE licensee's duty to act in the best financial interests of beneficiaries (refer to subsection 52(2)(c) of the SIS Act).

55. The formal agreement must also include provisions that: (a) allow APRA access to documentation, data and any other information related to the provision of the service; (b) allow APRA the right to conduct an on-site visit to the service provider; and (c) ensure the service provider agrees not to impede APRA in fulfilling its duties as prudential regulator.

56. For each material arrangement an APRA-regulated entity must: (a) identify and manage risks that could affect the ability of the service provider to provide the service on an ongoing basis; (b) identify and manage risks to the APRA-regulated entity that could result from the arrangement, such as step-in risk or contagion risk; (c) ensure it can execute its BCP if needed; and (d) ensure it can conduct an orderly exit from the arrangement if needed.

57. APRA may require an APRA-regulated entity to review and make changes to a service provider arrangement where it identifies heightened prudential concerns.

Monitoring, notifications and review

58. An APRA-regulated entity must monitor and ensure that senior management receive reporting on material arrangements commensurate with the nature and usage of the service. This monitoring must include a regular assessment of: (a) performance under the service agreement with reference to agreed service levels; (b) the effectiveness of controls to manage the risks associated with the use of the service provider; and (c) compliance of both parties with the service provider agreement.

59. An APRA-regulated entity must notify APRA:
(a) as soon as possible and not more than 20 business days after entering into or materially changing an agreement for the provision of a service on which the entity relies to undertake a critical operation; and
(b) prior to entering into any material offshoring arrangement [16], or when there is a significant change proposed to the arrangement, including in circumstances where data or personnel relevant to the service being provided will be located offshore.

60. An APRA-regulated entity's internal audit function must review any proposed material arrangement involving the outsourcing of a critical operation. The internal audit function must regularly report to the Board or Board Audit Committee on compliance of such arrangements with the entity's service provider management policy.

Footnotes

[1] RSE licensee has the meaning given in subsection 10(1) of the SIS Act. For the purposes of this Prudential Standard, an RSE licensee's business operations includes all activities of an RSE licensee, including the activities of each RSE of which it is the licensee, and all other activities of the RSE licensee to the extent that they are relevant to, or may impact on, its activities as an RSE licensee.
[2] Where a Level 2 group operates within a Level 3 group, a requirement expressed as applying to a Head of a group is to be read as applying to the Level 3 Head.
[3] Group means a Level 2 group, Level 3 group or a group comprising the RSE licensee and all connected entities (as defined in subsection 10(1) of the SIS Act) and all related bodies corporate (with the meaning given in section 50 of the Corporations Act 2001) of the RSE licensee, as relevant. Level 2 group means the entities that comprise Level 2 (for ADIs) or Level 2 insurance groups (for general insurers). For the avoidance of doubt, group includes a group as defined in APS 001 and, for an RSE licensee, where the RSE licensee is part of a corporate group.
[4] Refer to subsection 11AF(2) of the Banking Act, subsection 32(3D) of the Insurance Act, subsection 230A(4) of the Life Insurance Act, subsection 92(4) of the PHIPS Act and subsection 34C(5) of the SIS Act.
[5] Refer to CPS 220 and SPS 220 for the requirement to undertake a review of the risk management framework.
[6] Refer to Prudential Standard CPS 190 Recovery and Exit Planning.
[7] For an RSE licensee, APRA may require an RSE licensee to meet an ORFR target amount determined by APRA under Prudential Standard SPS 114 Operational Risk Financial Requirement.
[8] For an RSE licensee, a reference to the Board is to be read as a reference to the Board of directors or group of individual trustees of an RSE licensee, as applicable. 'Group of individual trustees' has the meaning given in subsection 10(1) of the SIS Act. A reference to the Board in the case of a foreign ADI is a reference to the senior officer outside Australia.
[9] Senior manager in relation to life insurers has the meaning given in the Life Insurance Act, and in relation to RSE licensees has the meaning given in Prudential Standard SPS 520 Fit and Proper.
[10] Refer to Prudential Standard SPS 515 Strategic Planning and Member Outcomes for requirements applying to an RSE licensee with respect to strategic objectives and business planning.
[11] A notification of an information security incident reported under CPS 234 does not need to be separately reported under the notification requirements of this Prudential Standard.
[12] An entity may have a number of BCPs. A BCP may include separate crisis management plans and disaster recovery plans.
[13] Capabilities required to execute the BCP may be maintained within the APRA-regulated entity or via an agreement with another party. For the avoidance of doubt, such agreements with other parties must meet the requirements for management of service provider arrangements in this Prudential Standard.
[14] A fourth party is a party that a service provider relies on in delivering services to an APRA-regulated entity.
[15] A material service provider may be a third party, related party or connected entity. A service provider may be identified as material as a result of an individual arrangement or multiple arrangements with an APRA-regulated entity.
[16] Material offshoring arrangement means a material arrangement where the service provided is undertaken outside Australia. Offshoring includes arrangements where the service provider is incorporated in Australia, but the physical location of the service being provided is undertaken outside Australia. Offshoring does not include arrangements where the physical location of a service is performed within Australia, but the service provider is not incorporated in Australia.


Originally published on the WeChat official account "业务连续性+".