How 2 Steps synthetic monitoring can assist with operational compliance (CPS 230)
If APRA regulates you, then you must keep up with the rules. These rules include CPS 230, consolidating several existing Prudential Standards into one that applies to operational risk management.
The goal is to help you keep your business resilient to operational risks and disruptions in various areas. This, in turn, protects you and your customers from risk preserves your reputation and ensures that people do not experience financial hardship.
What is CPS 230?
CPS 230 is a set of regulations designed to help entities:
● Effectively manage operational risks
● Maintain critical operations through severe disruption
● Manage risk associated with using third parties.
This means that you must "identify, assess, and manage operational risks that may result from inadequate or failed internal processes or systems." You also need to implement systems and processes to, as much as possible, manage things through disruptions such as severe weather events, terrorist attacks, cyber attacks, etc. This applies to any providers you use.
It also requires you to develop a solid risk management framework to reduce operational risk as much as feasible. Obviously, operational risk can never be reduced to zero, which is why it's also important to develop systems for responding to risk.
Operational Risks from Internal Processes or Systems
This particular section is where 2 Steps plays an important role and can help.
Your internal processes can generate operational risk. This might be as small and annoying as an app crashing and forcing a customer to start a mortgage application over (which they will remember) or as severe as a significant data breach.
Establishing high-quality internal processes to handle everything from opening new accounts to accepting loan applications is a key part of this. You need to balance risk with convenience for your customers and employees.
Your customers only see the app's performance - its speed and stability. They can't see what might be going on behind the scenes and resent "security" measures that slow them down and make it harder to complete tasks. They notice right away if it goes down...even if it's in the middle of the night, you can be sure somebody will see it right away.
But where it gets worse is when you have an exploit nobody has noticed. Your customers don't see it, but an expert looking for a way into your systems absolutely will. You need to make sure that your system is reliable and secure, or at least secure enough to discourage bad actors and cause them to look elsewhere.
What is Synthetic Monitoring?
Monitoring users as they go through the application to look for problems might seem like the best way to spot them. However, it brings up privacy and compliance issues of its own. You can't do anything that might log, say, somebody's income or the details of their insurance claim because this might violate privacy regulations and increase the risk of the information ending up in a data breach.
This is where synthetic monitoring comes in. In synthetic monitoring, a "robot" performs fake transactions and reports back on any issues. It flags failures right away so they can be fixed before they affect many users.
Synthetic monitoring emulates the way actual customers or employees do things.
For example, the robot can emulate the process of making a claim on their home insurance. This will give you a snapshot of how well your systems automate collecting data from the customer, asking them for paperwork, and then scheduling time with an adjuster. No actual customer data is used, but the robot mimics natural customer behaviour as much as possible. It can even be told to do things wrong, such as not including the address, so you know if the system is flagging blank fields. This allows you to test much faster than through the alternative: having employees pretend to be customers and do the testing manually. This can be time-consuming and, of course, expensive, not to mention tedious for the people involved.
How Synthetic Monitoring Supports CPS 230 Compliance
2 Steps Synthetic Monitoring doesn't just flag what went wrong. It provides videos showing exactly what your "user" did when something failed. This doesn't just help you narrow down the cause of the failure. It also provides evidence things are working as intended that can be provided to regulators.
These video recordings can be used to demonstrate that you are using appropriately designed and resilient systems. They can also prove that when something goes wrong, the system is resilient and less likely to expose customer data.
Synthetic monitoring can also be presented as part of a risk management plan. As it allows you to find issues faster, it shortens the window during which a bad actor can potentially take advantage of a "hole" in the system. Synthetic monitoring allows you to run these tests daily, spotting problems faster.
Why Use 2 Steps Synthetic Monitoring?
2 Steps Synthetic Monitoring provides valuable, detailed reports. Our system will also create compelling videos that help you find the problem faster and support compliance efforts.
You can run synthetic monitoring before putting a new app or site live. We also support multiple platforms and offer a no-code interface that anyone in your organisation can handle. Unlike Selenium, 2 Steps is not limited to web browsers but can run synthetic monitoring of modern mobile apps. It can be deployed on-prem on a Linux server, meaning your data is not passing to and from the cloud.
If you are curious about how synthetic monitoring can help you with CPS 230 compliance and support an improved customer experience, contact 2 Steps today to book a demo and find out more.