APRA's new operational risk standard finalised

18.07.2023 Kate Hilder, Siobhan Doherty, Martin Wright

The Australian Prudential Regulation Authority (APRA) has released its long-awaited new cross-industry prudential standard – CPS 230 Operational Risk Management (CPS 230) – to 'strengthen the management of operational risk across APRA’s regulated population'. APRA has also opened consultation on draft guidance to support implementation. Here's what you need to know.

Key takeouts

  • Following consultation, APRA has released a new prudential standard - Prudential Standard CPS 230 Operational Risk Management (CPS 230) – to replace five existing outsourcing and business continuity standards and apply to all APRA-regulated entities.  
  • Commencement deferred:  
    • CPS 230 will apply from 1 July 2025  (rather than from 1 January 2024 as originally proposed).  
    • Transition arrangements (to enable entities to make changes to existing contractual arrangements with service providers): APRA-regulated entities will have until the earlier of 1 July 2026 or the next renewal date of an existing agreement to ensure the agreement complies with CPS 230.  
  • All regulated entities are expected to 'be proactive in preparing for the new requirements in 2023-2024'. For example, 'APRA expects that senior management would have identified their critical operations and material service providers by mid-2024 and be well positioned to set tolerance levels by the end of 2024'.  APRA has flagged that supervisors will 'engage with entities during the implementation period to assess progress'.
  • APRA has also released draft Prudential Practice Guide CPG 230 Operational Risk Management (draft CPG 230) to support entities in implementation of CPS 230.  The due date for submissions on the draft guidance is 13 October 2023. Following this, APRA expects to finalise the guidance later this year.

What is CPS 230?

The new standard has been developed as part of APRA’s multi-year project to modernise the prudential architecture. The new standard - Prudential Standard CPS 230 Operational Risk Management (CPS 230) – will apply to all APRA-regulated entities and will replace the following five existing standards:

  • Prudential Standard CPS 231 Outsourcing (CPS 231);
  • Prudential Standard CPS 232 Business Continuity Management (CPS 232);
  • Prudential Standard SPS 231 Outsourcing (SPS 231);
  • Prudential Standard SPS 232 Business Continuity Management (SPS 232); and
  • Prudential Standard HPS 231 Outsourcing (HPS 231).

Broadly, the standard has three key aims.

  • 'strengthen operational risk management through new requirements to address identified weaknesses in existing controls';
  • improve business continuity planning to ensure entities are positioned to respond to severe disruptions; and
  • enhance third-party risk management by ensuring risks from material service providers are appropriately managed'.

How does the final standard differ from the consultation draft?

The final standard is broadly similar to the consultation draft. For a detailed overview and analysis of the consultation draft see: CPS 230 | Consultation on strengthening operational risk management begins. We've highlighted some key differences below.

Deferred commencement

As flagged, the commencement date has been deferred to 1 July 2025 in line with industry feedback, and transition arrangements have also been included for existing service provider arrangements.

Under the final standard, APRA-regulated entities will have until the earlier of 1 July 2026 or the next renewal date of an existing agreement to ensure the agreement complies with CPS 230. However, APRA underlines that

'contracts with material service providers should be updated as soon as possible given their importance to critical operations and operational risk'.

Less rigid approach on prescribed critical operations and service providers

'Critical operations' are defined in the final guidance as:

'processes undertaken by an APRA-regulated entity or its service provider which, if disrupted beyond tolerance levels, would have a material adverse impact on its depositors, policyholders, beneficiaries or other customers, or its role in the financial system'.

These include (but are not necessarily limited to):

  • 'for an ADI: payments, deposit-taking and management, custody, settlements and clearing;
  • for an insurer (general, life, private health): claims processing;
  • for an RSE licensee: investment management and fund administration; and
  • for all APRA-regulated entities: customer enquiries and the systems and infrastructure needed to support critical operations'.

The draft guidance (on which APRA is currently consulting) states that:

'APRA expects "critical functions" defined for resolution planning would be classified as critical operations'.

In response to industry feedback, the final CPS 230 introduces a measure of flexibility for entities not to classify operations as critical, provided that they 'can provide satisfactory justification for the decision' (though APRA may override the decision if it disagrees with an entity's assessment).

The draft guidance provides further guidance around what APRA considers to be 'better practice' in this context. The draft guidance states that:

'APRA expects that any justification by an entity that a business operation prescribed in paragraph 36 of CPS 230 is not a critical operation would be documented, approved by an Accountable Person or the equivalent at a senior management level and reviewed on at least an annual basis'.

APRA underlines that it expects instances like this to be 'exceptional'.

Similarly, draft CPS 230 prescribed certain service providers as being material. The final standard retains a list of prescribed material service providers, but introduces scope for entities not to classify a prescribed provider as material, provided they can justify their decision (again, APRA expects cases like this to be the exception rather than the rule).

The draft guidance provides further guidance around what APRA considers to be 'better practice' in this context. The draft guidance states that:

'APRA expects that any justification by an entity not to classify a service provider prescribed by APRA as material would be documented, approved by an Accountable Person or the equivalent at a senior management level, and reviewed on at least an annual basis'.

Also, in response to feedback from the CPS 230 consultation, the list of prescribed material service providers in final CPS 230 does not include all service providers that manage information assets classified as critical or sensitive. APRA comments that despite this,

'Such providers would, however, still be captured where they meet the broad definition of material service provider set out in the final CPS 230'.

Unfortunately for the insurance industry, 'insurance brokerage' remains on the prescribed list despite industry submissions identifying concerns in relation to the appropriateness of this classification. However, in response to feedback, APRA has clarified that it may be open to an entity to form the view that an arrangement with a prescribed service provider is not a 'material arrangement' (see further discussion in the next section).

Clarification around 'material arrangements'

Broadly, the final version of CPS 230 has been amended to reflect that:

'Not all arrangements with a material service provider will be material to the entity. "Material arrangements" are those on which a regulated entity relies to undertake a critical operation or that expose the entity to material operational risk.'

Fourth parties remain in scope with some clarification

Despite submissions on the point, the final version of CPS 230 has retained the requirements for service provider management policies to address the APRA-regulated entity's approach to managing risks associated with fourth parties, i.e. parties that service providers rely on to deliver their own services.

However, amendments have been made since the consultation draft to clarify that the requirement only applies to fourth parties that are relied upon to deliver critical operations to the APRA-regulated entity.

Draft CPG 230 also suggests that APRA does not necessarily expect entities to directly enter into an agreement with fourth parties, instead stating that minimum risk management measures would typically include due diligence to identify fourth parties, contractual provisions requiring service providers to inform the entity of their involvement, and assurance that the service provider can manage material fourth parties.

Removal of the requirement to assess systemic importance to Australia

The final version of CPS 230 removes the requirement for APRA-regulated entities to assess whether a material service provider is systemically important to Australia as part of its assessment before entering into an agreement with the service provider.

This is a welcome change, as submissions in response to the consultation indicated this was likely to be difficult for APRA-regulated entities.

Notification requirements: proposed timelines are unchanged

The timelines for notifying APRA of certain incidents are unchanged from the consultation. Under final CPS 230, APRA-regulated entities are required to notify the regulator of:

  • an 'operational risk incident that it determines to be likely to have a material financial impact or a material impact on the ability of the entity to maintain its critical operations' within 72 hours after becoming aware of it (or earlier);
  • changes to service provider arrangements within 20 business days (or sooner) of 'entering into or materially changing an agreement for the provision of a service on which the entity relies to undertake a critical operation'.
    Entities are also 'required to notify APRA prior to entering into any offshoring agreement with a material service provider, or when there is a significant change proposed to the agreement, including in circumstances where data or personnel relevant to the service being provided will be located offshore'.
  • the activation of its business continuity plan (BCP) within 24 hours (or sooner) – though the final standard clarifies that this is only necessary 'if the activation of the entity’s BCP relates to a disruption to a critical operation outside tolerance'. The notification would need to include: 'the nature of the disruption; the action being taken; the likely impact on the entity’s business operations; and the timeframe for returning to normal operations'.

In response to feedback, APRA states that it has sought to 'simplify' the notification process with the draft guidance (draft CPG 230) providing more guidance around APRA's expectations when making notifications.

APRA has clarified that a notification of an information security incident reported under Prudential Standard CPS 234 Information Security (CPS 234) is not required to be separately reported under CPS 230.

Draft CPG 230

Broadly, the draft guidance aims to aid compliance with CPS 230 by:

  • clarifying that while all requirements of CPS 230 apply to all APRA-regulated entities, APRA intends the requirements to be applied proportionately – i.e. APRA expects 'an entity’s approach to operational risk to be proportionate to its size, business mix and complexity';
  • providing guidance in response to key issues/concerns raised in the CPS 230 consultation with respect to implementation of requirements around operational risk management, business continuity and service provider management;
  • providing guidance on APRA's expectations around the responsibilities of the board and senior management in this context;
  • providing guidance on the extent of monitoring of operational risk management expected, and guidance on the assessment of the entity's operational risk profile, e.g. for new products;
  • providing guidance on identifying critical operations, setting tolerance levels and business continuity planning, including APRA's expectations around systematic testing;
  • providing guidance on what would be addressed by an entity's service provider management policy; and
  • providing guidance on the type of information a regulated entity would 'typically' be expected to provide and how the information can be provided to APRA.

Next steps

As flagged, the due date for submissions on the draft guidance is 13 October 2023. Following this, APRA expects to finalise the guidance later this year.

APRA's expectation is that all entities adopt a 'proactive' approach to preparing for the new requirements 'in 2023-2024', flagging that supervisors will expect to engage with entities during the implementation period to 'assess progress'.
