Part 1: Value chain mapping for risk transformation in Australia's new regulatory environment Download The big picture: New regulations in Australia have created new priorities around governance, executive accountability, and operational resilience.New sense of urgency for business: The new rules raise pressure on firms to transform in multiple ways, including through value chain analysis.To achieve business transformation: It starts with mapping out processes to identify areas for improvement.Go deeper: In the first of a two-part series on achieving business and risk transformation, leaders from our Australia practice provide a guide to mapping product value chains. Download Australia’s financial services industry continues to face evolving community expectations, regulatory change and scrutiny. A trio of new regulations has created a need to demonstrate better governance, clearer senior executive accountability across end-to-end processes and risks, and operational resilience:The Australian Securities & Investment Commission (ASIC)’s Design and Distribution Obligations from October 2021;The Financial Accountability Regime from ASIC and the Australian Prudential Regulation Authority (APRA), which strengthens responsibility and accountability for authorised deposit-taking institutions from March 2024 and insurance and superannuation trustees from March 2025; andAPRA’s new prudential standard on operational risk CPS 230, which starts 1 July 2025.Considered together, the new rules create a sense of urgency for businesses to transform in multiple ways. Understandably, most of Australia’s financial industry is taking on the new requirements through a piecemeal approach, implementing individual rules and regulations as the compliance dates approach. To adapt to evolving market and regulatory needs, financial services firms should capitalise on transforming their businesses and risk management practices by leveraging findings from value chain analyses, evaluating benefits realisation and implementing methods for continuous improvement to ensure longer-term sustainability. This paper is the first of a two-part series on achieving business and risk transformation. The subsequent discussion naturally extends into the intersection of risk and business transformation, where the synergies between the two become more apparent.Getting started: How to engage in business transformationOne strategy for adopting a more holistic approach to business transformation is to map out end-to-end value chain processes to have clarity around business processes and identify areas for improvement. Value chains can be drawn up from varying perspectives, including from an enterprise, business, function or product viewpoint. Improvement areas could centre around process optimisation, revised operating model, technology and enterprise architectural enhancements, uplifted governance, culture and conduct frameworks, as well as revised change management practices, to name a few.Figure 1 below illustrates a high-level generic product value chain of a bank deposit product. It was adapted from Dr. Eric Lamarque’s study, “Key Activities in the Banking Industry; Analysis by the Value Chain,” with the various business processes added for illustrative purposes. Our experts have incorporated processes that are more commonly seen in the Australian banking industry, noting that some of these processes may not be completely linear as they may continue throughout the value chain. Each product could be mapped out in the end-to-end product value chain and within a hierarchical structure based on standards supplied by the American Productivity & Quality Centre (APQC) Process Classification Framework (PCF), and notations format based on Business Process Model & Notation (BPMN). Each level below dives into a more granular detail of the process, with Level 5 being the most granular. Practical tipsWe acknowledge that due to time or resource constraints, organisations may not be able to map out all the processes to the granularity of a Level 5. Instead, drawing up a Level 1 and 2 value chain map that covers critical operations and processes is a viable option to start. The purpose is to ensure there is sufficient visibility of important parts of the business that would have material impacts to the organisation if not operating as intended.Areas where processes can be streamlined or simplified can be documented, with anticipated benefits quantified, e.g. amount of time saved to complete a process, number of processes automated, number of customer complaints reduced. Ideally, these processes would be worked out with process owners and key stakeholders to capture all the relevant subprocesses at an agreed level of granularity. Further attributes such as material service providers, data/systems, risks, and obligations can also be mapped to processes, particularly if this is part of APRA’s CPS 230 Operational Risk Management requirements.Through design thinking workshops and further assessment, areas can be identified for adaptation within the core and/or supporting processes. Observations and change areas can be grouped into clusters or themes, and underlying recommendations can be mapped into a priority matrix and implementation roadmap.Benefits realisation: After transformation, what happens next?Business transformations are significant undertakings, and reaping the rewards requires a plan that extends beyond project completion.We explore the concept of benefits realisation, a crucial aspect of ensuring a transformation’s long-term success. Process optimisation is just one example of how organisations develop a more holistic approach to business transformation. We see undergoing business transformation as also having the ability to enhance organisational resilience, improve decision-making, reduce costs, boost stakeholder confidence, improve employee satisfaction, provide a competitive edge, and support longer-term sustainability. These advantages extend beyond regulatory compliance and are relevant for any organisation seeking to thrive in today’s dynamic business environment. Case studyProtiviti supported a members-based organisation design a critical business operations process modelling approach and ensure future-proofing against CPS 230 requirements. 10+ critical business operations and 55+ subprocesses were part of the scope. As part of the pilot phase, we held a structured training program for nominated representatives in the organisation and process-modelled a smaller subset of critical business operations with a focus on critical products. We also mapped attributes including risks, controls, systems and material service providers against applicable subprocesses. Risks were mapped back to existing risk taxonomies and controls back to the controls library. Outputs were then used to feed into the Financial Accountability Regime program that was happening simultaneously to have better visibility of end-to-end accountability by process and risk. The approach is currently being rolled out for all the remaining business operations and later onto essential business operations and products. At the conclusion of the pilot phase, through extensive workshopping and analysis, there were nine business process optimisation opportunities identified across facets such as technology, automation, people, risk and controls. Multiple risk gaps, 10+ control gaps and eight control uplift opportunities were also identified as part of the pilot. In addition, we took the opportunity to review the adequacy of the existing risk taxonomy and controls library and presented recommendations to the organisation. We are now working with the organisation to implement and embed transformation changes, whilst continuing to support the execution phase of the project. Sustainable benefits through accountability and monitoringA key aspect of benefits realisation is establishing an organisation-wide system for accountability and monitoring. While some benefits such as regulatory compliance may be immediate, others, such as improved customer satisfaction and reduced risk exposure, may take time to materialise. Tracking progress and holding stakeholders accountable are essential to ensure these long-term benefits are achieved.The importance of continuous tracking and evaluationTracking both the financial and non-financial return on investment (ROI) after conclusion of the project provides valuable insights that can be applied to future initiatives. Regular reviews and evaluations help validate the effectiveness of the transformation and ensure it remains aligned with the business’s evolving needs.ConclusionIn today’s dynamic business landscape, transformation is no longer a one-time event to be taken piecemeal, but rather is an ongoing journey that pulls in all parts of the organisation. It is, however, vital to find the right pace for transformation initiatives, as implementing large-scale changes too frequently can be disruptive to the business and staff well-being. While achieving long-term benefits from business transformation requires a focus on realisation, managing risk is equally crucial for success. In part two of this series, we’ll delve deeper into the concept of risk transformation and the intersection with business transformation, exploring strategies to turn challenges into opportunities and build a more resilient organisation. Find out more about our solutions: Risk Management Consulting Protiviti helps organisations around the world assess risk and develop tech-enabled solutions to manage risk in an agile manner and minimise potential losses. We bring leading insights and innovative capabilities to help you meet future challenges. Regulatory Compliance Disruptive technologies, regulatory pressures, evolving customer loyalty, and pressure to enhance economic returns are just some of the challenges organisations need to overcome by innovating and managing their compliance risks to succeed over the next decade. Financial Services Protiviti helps finance leaders address their current challenges, prepare for future challenges, and explore opportunities for continuous growth, delivering innovative solutions and supporting finance as a forward-thinking, strategic partner for the business. Leadership Ruby Chen Ruby is a director with over 12 years of experience in the financial services industry, of which about ten years worked in the Big Four banks before transitioning into consulting. She has had a broad range of experience providing advisory services and secondments across ... Learn More Mark Burgess Mark is a managing director and Protiviti’s risk and compliance solution lead. With over 17 years of risk and regulatory compliance experience in the financial services industry, he has a proven track record delivering deep insights for his clients.Mark has spent a ... Learn More Featured insights INSIGHTS PAPER Part 2: Risk transformation and the intersection with business transformation Risk maturity is a measure of an organisation’s risk management capabilities and culture. As organisations raise their risk maturity, it enhances elements across governance and framework, processes, people and organisations, methodologies, systems... WHITEPAPER CPS 230 – APRA’s new standard to improve operational risk and resilience On 17 July 2023, the Australian Prudential Regulation Authority (APRA) released the final new prudential standard CPS 230 Operational Risk Management, which is mostly aligned to requirements in other jurisdictions, including the United States, the... SURVEY Executive Perspectives on Top Risks for 2024 and 2034 The 12th annual Top Risks Survey report highlights top-of-mind issues for directors and executives around the globe over the next year - 2024 - and a decade later – 2034. BLOGS Australian banking regulatory projects need more product manager support With so many changes to contend with in what feels like a never-ending series of unforeseeable events impacting people, processes, innovation, infrastructure and industries the world over, it’s a time of heightened risk and change on so many levels.... Button Button Topics Board Matters Internal Audit and Corporate Governance IT Management, Applications and Transformation Risk Management and Regulatory Compliance Business Performance Data, Analytics and Business Intelligence Industries Insurance Banking and Capital Markets Financial Services