Achieving Compliance to APRA’s new standard CPS 230 Operational Risk

The release of the new Prudential Standard CPS 230 – Operational Risk Management by APRA aims to strengthen the management of operational risk in the financial services industry. This standard includes updated requirements to improve business continuity planning and enhance third-party risk management.

“The need for APRA’s new standard has been demonstrated by a number of recent operational risk control failures and disruptions, including material cyber breaches. This new standard will ensure that regulated entities set and test controls and maintain robust business continuity plans to respond if disruptions do occur.” says John Lonsdale, APRA Chair.

CPS 230 is designed to replace five existing standards and addresses three key trends observed by APRA in recent years:

The requirements of CPS 230 in summary:

Operational Risk Management:

The new standard outlines a minimum set of expectations to ensure that APRA-regulated entities effectively identify, assess, and manage operational risks. While highlighting the Board’s role, it also clearly places responsibility on senior management for the ownership and management of operational risk.

Under CPS 230, the Board is ultimately accountable for the oversight of an entity’s operational risk management (including business continuity and the management of service provider arrangements). It must ensure clear roles and responsibilities for senior managers, must oversee operational risk management and the effectiveness of key controls in maintaining the risk profile within risk appetite. This includes ensuring senior management provides clear and comprehensive information to the Board and acts to address any areas of concern. 

Senior managers are responsible for the ownership and management of operational risk across an entity’s end-to-end processes. The standard also sets specific requirements for technology risk management, such as monitoring system age, health and assessing the impact of new technologies on the operational risk profile.

CPS 230 also sets out several requirements in the areas of risk management framework, operational risk profiles and assessments, controls and incidents. Notably, where APRA considers an APRA-regulated entity’s operational risk management has material weaknesses, it may consider actions including conditions on the entity’s licence.

KEY TAKEAWAY: Identify an end-to-end view of critical processes to inform operational risks and controls and have these regularly tested, weaknesses reported and remediated.

Business Continuity:

APRA-regulated entities will be required to maintain critical operations within tolerance levels. This pertains to processes that, if disrupted beyond tolerance levels, would have a material adverse impact on customers or an entity’s role in the financial system. The register of critical operations includes those where the entity is wholly or partially reliant on service providers. APRA has also designated some specific processes as critical operations.

APRA-regulated entities will be required to set Board-approved tolerance levels for each of their critical operations. Tolerance levels should include aspects of maximum outage period, maximum extent of data loss and minimum service levels the entity would maintain while operating under alternative arrangements. APRA reserves the right to set tolerance levels.

Business continuity plans (BCP) will be required for all critical operations, with clear triggers for activation. There must be a systematic BCP testing program covering all critical operations which test the effectiveness of the BCP and the ability to meet tolerance levels for a range of severe but plausible scenarios. Periodic review by the internal audit function will also be required.

KEY TAKEAWAY: Maintain a register of critical operations and consider plausible disruption scenarios with tolerance levels that are Board approved and regularly tested.

Service Provider Management:

CPS 230 broadens previous standards from a focus on outsourcing to a wider variety of provider delivery models, and addresses risk management at all stages of a service provider arrangement. Approaches for managing risks associated with fourth parties will also be required.

APRA-regulated entities will be required to identify material service providers and manage the risks associated with the use of these providers for each material arrangement. Material service providers and material arrangements are those on which the entity relies to undertake a critical operation or that expose it to material operational risk. APRA has also designated providers of certain services as material (including core technology services). Notably, APRA may require changes to service provider arrangements where it identifies heightened prudential concerns.

Along with approving the policy associated with managing service providers, Boards will need to review risk and performance reporting on material service providers. Internal audit must review proposed material service provider arrangements and regularly report to the Board on compliance of such arrangements to policy. Senior management must maintain oversight of provider performance, effectiveness of controls and compliance with the formal agreement.

In addition to notification requirements on entering or materially changing agreements, APRA requires a register of material service providers on an annual basis. This will assist APRA in identifying and responding to potential systemic issues (including concentration risks) to inform any potential regulatory intervention to mitigate risk or respond to issues as they arise.

KEY TAKEAWAY: Maintain a register of material service providers and manage arrangements including 4th party risks with reporting, monitoring and assurance to the Board level.

 APRA has also released a draft Prudential Practice Guide (CPG 230 Operational Risk Management) to accompany the new standard.

CPS 230 Operational Risk Management will commence on 1st July 2025.