Draft CPS 230 guidance
Leading up to the commencement of CPS 230 in 2025, APRA has released draft guidance to aid compliance by:
- explaining that all CPS 230 requirements apply to all APRA-regulated entities; however, APRA intends the requirements to be applied proportionately, meaning 'an entity’s approach to operational risk to be proportionate to its size, business mix and complexity';
- providing guidance in response to key issues/concerns raised in the CPS 230 consultation regarding the implementation of requirements around operational risk management, business continuity and service provider management;
- providing clarity on the responsibilities of the board and senior management;
- offering guidance on the extent of monitoring of operational risk management expected and clarity on the assessment of the entity's operational risk profile e.g. for new products;
- providing information about identifying critical operations, setting tolerance levels and business continuity planning, including APRA's expectations around systematic testing;
- outlining what would be addressed by an entity's service provider management policy; and
- providing guidance on the type of information a regulated entity would 'typically' be expected to provide and how the information can be provided to APRA.
The final guidance to CPS 230 is due to be released in the first half of 2024.
CPS 230 – A roadmap toward compliance
APRA expects all entities to adopt a 'proactive' approach in preparing for the new requirements, flagging that the regulators expect to engage with entities during the implementation period to 'assess progress'.
APRA-regulated entities must begin to assess their existing practices against the updated regulatory requirements and plan a roadmap to compliance. In addition to other steps, an APRA-regulated entity should assess, map out and consider:
- its business line processes, reporting lines and existing controls to limit operational risks;
- its framework approach to critical operations (including the setting or reassessment of tolerance levels) and the credibility and robustness of its business continuity plan (BCP); and
- whether third parties used by the business now constitute ‘material service providers’ and have ‘material arrangements’ for the purposes of the standard.
Actions that APRA-regulated entities can begin
While the new standard does not come into force until 2025, entities should begin the process sooner rather than later. Actions that can be started now include:
1. CPS 230 operational risk management
Assess operational risk management duties and required updates for the board and managers.
Generally, CPS 230 transfers responsibility away from roles to individuals who are more directly involved in the business risk management.
The board will be responsible for overseeing operational risk management, including key internal controls, setting clear roles and responsibilities for senior managers, approving the service provider management policy, approving the business continuity plan (BCP) and tolerance levels for disruptions to critical operations.
Senior management will be responsible for management of operational risk across the end-to-end process for all business operations. It must also receive reporting on the results of controls testing and material arrangements with material service providers and supply certain reports to the Board. Draft guidance for CPS 230 encourages business line management to then embed practices and own operational risk. APRA-regulated entities can plan for any changes to policy and practice that these responsibilities necessitate. Measures could include additional management of affected personnel, communication strategies, training and support.
Assess the current operational risk profile.
APRA-regulated entities will need to maintain a comprehensive assessment of their operational risk profile. They should consider existing assessments of their risk and related measures they have in place, and look for opportunities to provide a more complete picture of their operational risk profile. CPS 230 requires appropriate information systems to monitor operational risk, the identification and documentation of processes and resources for critical operations (including interdependencies), scenario analysis and operational resiliency testing.
Assess existing controls to mitigate operational risks.
Entities will be required to design, implement and embed internal controls to mitigate risk in line with their risk appetite, and meet compliance obligations. As a precursor to related obligations such as testing, monitoring and remediation of the same, APRA-regulated entities should first identify and assess existing internal controls across end-to-end operations.
Under CPS 230, APRA-regulated entities will be required to report operational risk incidents that they regard as likely to have a material financial impact, or a material impact on their ability to maintain critical operations, no later than 72 hours after becoming aware of the incident. If an entity enters into or materially changes an agreement for the provision of a service that is required to undertake a critical operation, it must notify APRA within 20 business days.
2. Business Continuity
Establish a framework approach to critical operations and tolerance levels
APRA-regulated entities will need to keep a register of their critical operations (some are specified in CPS 230, unless an APRA-regulated entity can justify otherwise). The Board must approve tolerance levels for each critical operation: maximum disruption time; maximum acceptable level of data loss; and maximum business interruption service levels. APRA expects these tasks to have been addressed by the end of 2024.
Ensure the business continuity plan (BCP) remains fit for purpose
Entities should begin reviewing their BCP to ensure it meets the CPS 230 requirements. It must include the register of critical operations, how the organisation will maintain them within tolerance levels through disruptions and matters such as triggers to identify disruptions. APRA-regulated entities must be able to execute their BCP (through access to people, resources and technology).
Under CPS 230, APRA must be notified within 24 hours if the entity's BCP is activated following a disruption to a critical operation that falls outside acceptable tolerance levels.
3. Service Provider Management
Consider material service providers
Entities will need to maintain a register of material service providers and manage the associated risks. Under the new standard, the entity must submit this register to APRA each year. The material service provider concept differs from existing standards such as CPS 231, which apply to the ‘outsourcing’ of ‘material business activities’ (that is, the use of a third party to conduct relevant business activities an entity could do in-house). CPS 230 moves to a broader concept under which APRA-regulated entities must assess vendors for fit against the relevant definition (which extends to services that may have previously been excluded because they could not be done in-house). Furthermore, CPS 230 defines certain service providers as ‘material service providers’ unless an APRA-regulated entity can justify otherwise. Given CPS 230’s extended reach, APRA-regulated entities will need to consider and adjust their treatment of vendors that will now qualify as material service providers with material arrangements (and are therefore subject to tighter regulation). Find out more about supply chain cyber risk in relation to CPS 230 compliance in our overview.
Review outsourcing policies and requirements
CPS 230 updates the requirements for policies, due diligence, agreements and reporting that apply with respect to service providers under existing prudential standards such as CPS 231. CPS 230 represents a shift away from a focus on ‘outsourcing’, to whether material service providers and material arrangements exist. Entities should review their current outsourcing policies and requirements and determine whether and to what extent standard practices (e.g. template contracts) will need to be reviewed to ensure they extend to the right entities and impose the right obligations. Under the new standard, entities must notify APRA before entering into any material offshoring arrangement, or when a major change is proposed.
Read more about practical steps towards compliance in our CPS 230 Practical Playbook.