CPS 230 – Practical steps toward compliance
Now that APRA has released the new prudential standard CPS 230 Operational Risk Management (CPS 230), APRA-regulated entities must begin to assess how their existing practices compare to the updated regulatory requirements and start to develop a roadmap to compliance. Among other things, an APRA-regulated entity should assess, map out and consider:
- its business line processes, reporting lines and existing controls to mitigate operational risks;
- its framework approach to critical operations (including the setting or reassessment of tolerance levels) and the credibility and executability of its BCP; and
- which third parties used by the business now constitute ‘material service providers’ and which of those arrangements are ‘material arrangements’ for the purposes of the standard.
To recap, CPS 230:
- will apply to APRA-regulated entities from 1 July 2025, with transition arrangements for existing agreements with service providers: those agreements must be brought into line with CPS 230 by the earlier of 1 July 2026 or the agreement's next renewal date;
- is part of APRA's multi-year project to modernise the prudential architecture, and will replace five existing prudential standards: CPS 231, CPS 232, SPS 231, SPS 232 and HPS 231; and
- has been introduced by APRA with an expectation that APRA-regulated entities will be ‘proactive in preparing for the new requirements in 2023 – 2024’.
For further details on these and a look at the differences between the consultation draft and the final standard, read: APRA releases final CPS 230 Operational Risk Management.
This article covers the three main focus areas for CPS 230, and sets out some actions that personnel in procurement or otherwise impacted by the new standard in APRA-regulated entities (the Board, senior managers, lawyers, contract managers and others) can begin to take now in these areas to help prepare for CPS 230.
CPS 230 focus areas
The three main focus areas for CPS 230 are:
- operational risk management;
- business continuity; and
- management of service provider arrangements.
Actions that APRA-regulated entities can begin to take now
1. Operational risk management
Take stock of operational risk management responsibilities, and any updates required for the Board and managers. CPS 230 broadly shifts the onus for responsibility from risk management functions to persons more closely embedded in the business. The Board will be accountable for the oversight of operational risk management. Among other things, it must set clear roles and responsibilities for senior managers, oversee key internal controls, approve the business continuity plan (BCP) and tolerance levels for disruptions to critical operations and approve the service provider management policy.
Senior management will be responsible for management of operational risk across the end-to-end process for all business operations. Among other things, it must receive reporting on the results of controls testing and on material arrangements with material service providers, and provide certain reports to the Board. Draft guidance for CPS 230 encourages business line management to then embed practices and own operational risk. APRA-regulated entities can begin to plan for any changes to policy and practice that these responsibilities require. Measures could include changes to the roles and reporting lines of affected personnel, communication strategies, training and support.
Assess the current operational risk profile. APRA-regulated entities will need to maintain a comprehensive assessment of their operational risk profile. They should consider what existing assessments of their risk profile and related measures they have in place, and whether and how these could be improved to provide a more complete picture of their operational risk profile. CPS 230 requires appropriate information systems to monitor operational risk, the identification and documentation of processes and resources for critical operations (including interdependencies), and the conduct of scenario analysis and operational resiliency testing.
Confirm existing controls to mitigate operational risks. APRA-regulated entities will be required to design, implement and embed internal controls to mitigate risk in line with their risk appetite, and meet their compliance obligations. To the extent that this has not already been done (and as a precursor to related obligations such as monitoring, testing and remediation of the same) they should first identify and confirm existing internal controls across end-to-end operations.
2. Business continuity
Decide a framework approach to critical operations and tolerance levels. APRA-regulated entities will be required to keep a register of their critical operations (some of which are specified in CPS 230 and apply unless an APRA-regulated entity can justify otherwise). For each critical operation, the Board must approve the tolerance levels mentioned earlier: the maximum period of disruption the entity would tolerate; the maximum extent of data loss it would accept; and the minimum service levels it would maintain while operating under alternative arrangements during a disruption. APRA has indicated it expects senior management to be well positioned to have addressed these tasks by the end of 2024. Accordingly, APRA-regulated entities should start work now to decide a framework approach to them.
Ensure the BCP remains credible, covers required matters and can be executed. APRA-regulated entities should begin reviewing their BCP to ensure that it meets the requirements of CPS 230. It must include the register of critical operations, how the organisation will maintain those operations within tolerance levels through disruptions, and matters such as the triggers used to identify a disruption. APRA-regulated entities will also need to remain capable of executing their BCP (including through access to people, resources and technology).
3. Service provider management
Consider material service providers. APRA-regulated entities will need to maintain a register of material service providers and manage the risks associated with them. The material service provider concept represents a shift away from the approach taken by existing standards such as CPS 231, which apply to the ‘outsourcing’ of ‘material business activities’ (that is, the use of a third party to conduct business activities that the entity could otherwise do in-house). Under CPS 230, entities must instead assess each vendor against the broader definition of a material service provider, which extends to services that may not have been captured previously because they could not be done in-house. Furthermore, CPS 230 specifies certain categories of service provider as ‘material service providers’ unless an APRA-regulated entity can justify otherwise. Given CPS 230’s extended reach, APRA-regulated entities will need to consider and adjust their treatment of vendors that were not caught under earlier prudential standards but will qualify as material service providers with material arrangements (and accordingly be subject to tighter requirements).
Review outsourcing policies and requirements. CPS 230 updates the requirements for policies, due diligence, agreements and reporting that apply to service providers under existing prudential standards such as CPS 231. As with the previous point, CPS 230 marks a shift away from a focus on ‘outsourcing’ to whether material service providers and material arrangements exist. To prepare for this, APRA-regulated entities should review their current outsourcing policies and requirements and determine whether, and to what extent, standard practices (e.g. template contracts) will need to be updated to ensure they extend to the right entities and impose the right obligations.
APRA-regulated entities should promptly initiate preparations to comply with the newly introduced CPS 230. These forthcoming changes call for a strategic and disciplined approach, with a firm focus on operational risk management, business continuity and service provider arrangements. By taking proactive steps such as clarifying responsibilities, assessing risk profiles, confirming and revising internal controls, determining critical operation frameworks and reviewing outsourcing policies, entities can position themselves for a smooth and efficient transition to CPS 230.
To discuss the implications of these changes, contact us.