Calamities and disasters can take many forms, and while some can be planned for, others cannot. Superannuation funds must be ready for them all.

APRA’s Prudential Standard CPS 230 Operational Risk Management requires super funds it regulates to be proactive in their approach and to ensure that operational risks, service disruptions, and disaster scenarios are mitigated through robust planning, testing, and management.

APRA’s standard requires a super fund to effectively manage its operational risks, and set and maintain appropriate standards for conduct and compliance; to maintain its critical operations within tolerance levels through severe disruptions; and to manage the risks associated with the use of service providers.

The regulator notes that “operational risk is inherent in all products, activities, processes and systems”. It adds that a fund “must not rely on a service provider unless it can ensure that in doing so it can continue to meet its prudential obligations in full and effectively manage the associated risks”.

APRA’s close focus on operational risk and resilience is designed to protect members and keep funds focused on business continuity in the face of the most severe of disruptions – even (or perhaps especially) those that seem most unlikely, such as in May 2024 when Google Cloud deleted UniSuper’s private cloud account, taking the redundant copies Google held with it.

Kevin Fernandez, general manager of market strategy and propositions at data and technology vendor Novigi, says UniSuper’s response was “a really great example of an impact, something that [it] needed to have operational resilience to overcome”.

“UniSuper were prepared for that, whether that was by explicit design or by happy accident,” Fernandez says.

It’s fair to say it wasn’t by explicit design: UniSuper chief executive officer Peter Chun described the event to Investment Magazine as “an implausible planning scenario”. But at the same time, it didn’t bounce back from the event by pure accident: the fund held backups with a separate provider, outside the Google Cloud account that was deleted, and restored from those (see separate article).

Fernandez says effective operational resilience is ultimately built on planning.

“If you have a look at the APRA guidance around CPS 230, there’s a few different points there but I think everything comes back to planning,” Fernandez says.

“It’s trying to, as much as you can, foresee those situations that are going to lead to disruptions to your service to members, and have plans in place to recover from those things when they inevitably do happen.

“APRA’s guidance has featured a lot of talk about things like business continuity planning, and having that document – your business continuity plan – is key, obviously; but making sure, beyond that, you’ve actually tested your plan, been able to gauge how it responds in a simulated scenario. That’s also really important.”

Precious resources

As super funds continue on a relentless path of growth, and as individual account balances continue to swell, an event or interruption that denies members access to information or utility becomes increasingly intolerable and potentially damaging.

But funds face an additional resilience challenge compared to institutions such as banks.

“Where superannuation might be a little bit different – and this is very critical, obviously – [is] superannuation generally has a slightly lower level of technological maturity,” Fernandez says.

“I don’t think anyone argues that super funds are behind the banks. One reason is they just don’t have the resources of the banks. A profit-to-member super fund doesn’t have the same amount of money to spend on things like operational resilience that one of the big four banks is going to have.

“It’s the confluence of those two things, you’re an equally big honeypot to a bank, but you don’t have the resources and the technological maturity that a bank would have to mitigate against risks associated with that.”

So if super funds can’t spend as much, in either absolute or relative terms, “spending smart is definitely a huge part of it”, Fernandez says.

“Figuring out what parts of your operation are mission critical is hugely important,” he says.

“Not everything has to be set up that way. There are parts of your operation that, if they did go down for 24 hours or 48 hours or a week, even, it might not be ideal, but it’s not going to be catastrophic.

“I think we just have to acknowledge that super funds have, in some situations, limited resources, and so they need to be really intelligent about where they direct those.”

All funds outsource to a certain degree, whether it’s administration, investment management, or something else, Fernandez says.

“Whether your administration is insourced or outsourced, that’s one thing; but all funds deal with an ecosystem of service providers,” he says.

“A thing that’s common to all of them, whether they insource or outsource administration, is that all funds have needed to become much better at vendor management.”

Fernandez says the content of CPS 230 “makes it really clear that we need to understand the role that our third parties play in operational resilience and make sure that they adhere to the same kinds of standards as funds”.

“The key difference between an insourced and outsourced fund, in terms of administration, [is] you have a much larger component of your critical operations performed by a third party, and so the strength and the strictures around that vendor management just become even more important.

“You need to take a really active role in ensuring that your service providers are adhering to the same kinds of standards that the regulator would expect of you.”
