If you haven’t started the climb to CPS 230 compliance: Prepare now
APRA has stated that it expects all Australian FSIs to be well on their journey to CPS 230 compliance, even though CPS 230 won't come into effect until July 2025. APRA will be reviewing progress towards CPS 230 compliance from early 2024.
These are the seven critical areas that FSIs will need to focus on and uplift to be ready for CPS 230:
A new standard, extending upon existing regulatory requirements
CPS 230 and its related guidance are a keystone element of FSI operations and will sit alongside the standards and guidance for Information Security, Data Management, Risk Management and Pandemic Planning.
The seven critical areas that CPS 230 covers
Each of these areas is highly dependent on the others, and they are interlinked.
1. Critical Operations
FSIs will need to define the processes that are critical to business operations, including IT, data, service providers and other resources.
Uplift Required for CPS 230:
A step change in the level of rigour and detail compared with that required under CPS 231 and CPS 232. This will necessitate clarity of end-to-end business processes and the underlying supporting resources (including technology, service providers and data). Getting this right is foundational to meeting the other CPS 230 requirements.

2. Business Continuity Management
Plans and associated testing for achieving verified business continuity capability.
Uplift Required for CPS 230:
Significant uplift in the extent and credibility of business continuity planning. Entities will need to be much more rigorous in planning and testing for a range of severe but plausible disruption scenarios. A major uplift in Board education and engagement is also required.

3. Management of Service Provider Arrangements
The approach to defining and managing material service providers and the associated risks.
Uplift Required for CPS 230:
APRA's focus expands from material outsourcing to all material service provider arrangements. Ensuring the completeness, accuracy and currency of an entity's service provider register will be key. Uplift in policy frameworks, approaches to managing fourth-party risk exposures, and Board and senior management reporting mechanisms will also be required.

4. Operational Risk Management
The approach to identifying, assessing and managing operational risks.
Uplift Required for CPS 230:
Building on CPS 220, CPS 230 is more prescriptive in the area of operational risk. This will require a review and uplift of key areas such as: risk management frameworks; risk information systems; risk profiling; control testing and remediation; and approaches to incidents and near misses.

5. Governance Including Senior Management
Expectations of senior management and of governance more broadly.
Uplift Required for CPS 230:
CPS 230 clearly places responsibility on senior management for the ownership and management of operational risk. Senior management will need to increase its focus on having an end-to-end view of critical business processes to fully meet the requirements of CPS 230. A review and uplift of existing oversight mechanisms is also warranted, especially in areas such as control testing and service provider monitoring.

6. Boards
Accountability of Boards for oversight of operational risk management.
Uplift Required for CPS 230:
APRA has reinforced that the Board is ultimately accountable for oversight of an entity's operational risk management (including business continuity and the management of service provider arrangements). CPS 230 makes explicit expectations of Boards, which will necessitate a review and uplift of Board oversight mechanisms.

7. APRA Reporting
Submissions and notifications to APRA.
Uplift Required for CPS 230:
Revised requirements, with a focus on operational risk incidents, disruptions to critical operations and material service provider arrangements.