Breaking Down APRA CPS 230 Critical SaaS Operations Compliance

(Note: We recommend working with a consultancy firm or an in-house GRC team to evaluate these directives and determine exactly what compliance means for your IT/Security.)

Risk Management Framework Requirements

APRA sets out requirements for the governance and oversight of operational risk, and for what an assessment of a prospective SaaS solution's operational risk profile must cover, measured against a defined risk appetite. It also covers the monitoring, analysis, and reporting of operational risks, and the escalation of incidents and events. Additionally, you are required to maintain detailed business continuity plans (BCPs) that keep disruptions within tolerance levels, and to regularly test the affected SaaS platforms against "severe but plausible scenarios," among other obligations.

Operational Risk Profiles, Assessments, Controls, and Incidents

Your IT team is expected to meet detailed capability specifications for maintaining and supporting critical SaaS operations and risk management, along with monitoring the age and health of information assets. This scope includes comprehensive assessments of operational risk profiles; appropriate systems to monitor operational risk and reporting…