Jo Leaper, Head of Operational Consulting, JANA

Jo Leaper, Head of Operational Consulting, JANA

Improvements in Operational Risk and DD

Jo Leaper of JANA on CPS230

Operational due diligence has not yet reached maturity in the Australian market, but in this article JANA’s Jo Leaper argues that the AIST Guidance Note on CPS230 has helped to secure a baseline standard for Australian investors

APRA’s Operational Risk Standard CPS230 is designed to strengthen the management of operational risk, respond to business disruptions, and manage the outsourcing risks arising from service provider’s regulated by APRA.

The arrival of CPS230 brings an opportunity for APRA, and non-APRA, regulated entities to ensure consistency across operational models. While this may seem overly simplistic, consistent methodologies for assessing and managing operational risks will be beneficial for not only APRA-regulated entities, but all Australian investors.

image shows a quotation mark

Australian Ops DD, while no longer in its infancy, is certainly not mature in this market. Even globally, Ops DD does not have a consistent baseline standard as there is in audit and accounting

For example, when the Australian Institute of Superannuation Trustees (AIST) introduced the Operational Due Diligence (Ops DD) Guidance Note to help asset owners assess the level of investment manager operational risk, I was personally not a fan. Six years on, while I still believe there are challenges in the Guidance Note, I am happy to concede, that parts of my argument have been proven incorrect.

Australian Ops DD, while no longer in its infancy, is certainly not mature in this market. Even globally, Ops DD does not have a consistent baseline standard as there is in audit and accounting.

Here are my observations regarding operational due diligence both in Australia and globally.

The AIST Guidance Note has helped to secure a baseline standard for Australian investors. Without a regulated standard, the Guidance Note has provided a consistent framework for independent assessment and application that is not seen elsewhere in the world. This has led to the overall betterment of the market’s operational processes, at least in Australia. Global equivalents are more marketing and sales focussed, often completed by the manager rather than an independent third party.

Determining acceptable operational risk levels is a question for each client.  Each investor needs to determine what operational and enterprise risk it is willing to take in return for the potential alpha on offer. Simply stated, some risks may be more worthwhile and appropriate than others.

As an example, for boutique opportunities, investors may be more comfortable accepting additional risks to attain additional alpha. On the flip side, the standards of operational and enterprise risk management are expected to be more robust in larger firms, as these managers are often more heavily regulated, with higher levels of formal oversight by third parties. It may not be reasonable to expect the rigidity and expense of independent third-party oversight on a start-up manager, however, it does not excuse the absence of logical process and the continued need to improve risk approaches.  We believe that an improving risk culture leads to improving investment returns.

How is Ops DD used?  An Ops DD report is ordinarily completed by a reputable third party, skilled in considering whether the manager is meeting the requirement of the Guidance Note. The more proficient third-party reviewers can offer constructive and peer-relative feedback to managers for enhancement, enabling operational improvements. This interaction stands as a sincere incentive for managers to undertake the Guidance Note review. Rather than managers viewing this as a sunk cost, this recognises a process that is beneficial to the manager and investor alike.

Inherent conflict remains if the manager is paying for the review. Investors cannot rely on the reviews funded by the manager as they would with a self-funded review or an audit report, given the potential for the manager’s influence on the findings, as disclaimers further discourage reliance.  However, there’s been a mindset shift in the industry, and we are fortunate to have a range of Ops DD reviewers who can complete the review with a view to manager improvement, rather than audit oriented.  This is an improvement from when the Guidance Note was first introduced, particularly as managers are increasingly receptive of those reviewers who provide genuine operational improvement feedback.

Global manager adoption has been slow. This was expected when the Guidance Note was first released.  In more recent years, Australian investors, as well as JANA, have been encouraging managers to complete these reviews, and to use the review for self-improvement, with some global managers recognising the benefit of the review, the information it brings, as well as the subsequent discussions with clients and prospects. Unfortunately, managers are, and will continue to, complete both Guidance Note reviews and independent client reviews.

The transition from SPS230 to CPS230 (effective 1 July 2025) will incentivise investors to make effective use of this information, as operational risk outcomes now routinely go to Boards, Investment Committees and Risk Committees. There will always be room for improvement in how information can be used, which can be facilitated by CPS230.

The cost-to-benefit analysis remains fundamental to ensuring the value for money from the Ops DD process. Whether investing for superannuation, insurance, family office, charities, schools or hospitals, we need to remain conscious, as an industry, to deliver genuine improvement to beneficiaries. We continue to advocate within the industry for sensible outcomes for operational risk, including the use of information and outcomes for investors from the Guidance Note. All managers are not equal, and not all operational due diligence reviews are either.

There is most definitely a need for client-directed, independent operational due diligence. With investors pursuing more sophisticated and complex investment strategies, manager-paid reviews may not be sufficient as each investor has a different risk appetite. Independent Ops DD requires the reviewer to interpret information received to assess the operational and enterprise risks of that manager, with a view specific to the investor and will always lead to more appropriate, investor-specific outputs.

Lastly, while I might not have been on board with the Guidance Note when it was first introduced, the path forward hinges on the ongoing commitment to rigorous Ops DD practices where the benefits of the process and output are both risk and cost-appropriate for each investor and its risk appetite. Success will be dependent on the collaborative efforts of regulators, consultants, managers and investors.

My journey from initial scepticism to recognition of the Guidance Note’s contributions underscores the fluid nature of progress, while the transition to CPS230 allows a new chapter to unfold. This encourages transparency, empowers decision-makers and upholds the collective responsibility to maximise the value of Ops DD. By embracing the transformative potential of independent assessments and integrating them seamlessly into decision-making processes, the industry will pave the way for sensible risk management and operational excellence genuinely aligned to investor needs.

Jo Leaper is Head of Operational Consulting at JANA.


[i3] Insights is the official educational bulletin of the Investment Innovation Institute [i3]. It covers major trends and innovations in institutional investing, providing independent and thought-provoking content about pension funds, insurance companies and sovereign wealth funds across the globe.