The Australian Prudential Regulation Authority (APRA) will undergo a strategic review of its business processes and IT systems across its five business divisions.
The review is being done as part of the organisation’s strategic plan set out in 2008 and will look at the integration across APRA’s risk rating, activities and issues management, and periphery systems.
APRA documents state the systems have been built in order to satisfy independent requirements but are not well integrated.
“Rather than put individual systems under the microscope, APRA is looking to perform a holistic review aimed at firstly sharpening and streamlining our supervision processes and subsequently ensuring that these business processes are well-supported by efficient and user-friendly systems and tools,” the documents read.
The review will be conducted in three stages with the first two addressing resource and information management.
“APRA needs to make strategic decisions on whether current computer systems adequately support business processes in relation to prudential supervision and resource management,” the documents read. “As part of stage 3 of the review, APRA will need to consider various options including whether to continue with existing systems, improve the integration and alignment of those systems, replace or consolidate those systems or move to a fully integrated solution.”
The review is expected to commence mid-2010.
In February, APRA moved to address issues around information and IT risk in the institutions it supervises with the release of a new prudential practice guide.
The guide, Management of security risk in information and information technology, targets weaknesses identified by the financial regulator as part of its ongoing supervisory activities, according to APRA.
These areas of weakness include user awareness, access control, IT asset lifecycle management controls, monitoring and incident management, IT security reporting and metrics, and IT security assurance.
The guide also provides recommendations around change management, resilience and recovery, service provider management, secure software development, customer protection and cryptographic techniques.
Detailing the need for the guide, APRA said that in its view, IT security risk was intimately tied to business risk, and that any IT security risk would ultimately result in a business risk exposure.