CPS 230: Your roadmap to compliance

23.02.2024 | Siobhan Doherty, Martin Wright, Ruth Stringer, Ian Lockhart, Kate Hilder, Noelia Boscana

From 1 July 2025, APRA-regulated entities must comply with CPS 230 – a new standard requiring entities to better manage operational risks and respond to business disruptions.

On 17 July 2023, APRA released the final new cross-industry Prudential Standard CPS 230 Operational Risk Management (CPS 230) and a draft of Prudential Practice Guide CPG 230 Operational Risk Management (CPG 230). APRA-regulated entities must comply with CPS 230 from 1 July 2025.

This new standard will require APRA-regulated entities to make substantial adjustments in operational risk management, business continuity, material service provider arrangements, and governance practices. CPS 230 obligations will require significant effort from regulated organisations across the entire change-lifecycle, including preparation, implementation, and ongoing management.

By taking proactive steps such as clarifying responsibilities, assessing and revising internal controls, determining critical processes, assessing risk profiles and reviewing policies, APRA-regulated entities can ensure a smooth and efficient transition to CPS 230.

Who will CPS 230 impact?

All APRA-regulated entities will need to comply. This includes general insurers, private health insurers, life insurers, authorised deposit-taking institutions (ADIs), RSE licensees (superannuation funds) and authorised/registered non-operating holding companies. Where an APRA-regulated entity is the head of a group, it must ensure the requirements are applied correctly within the group. Organisations that provide services (directly or indirectly) to APRA-regulated entities may also be impacted.

Source: Interim Policy and Supervision Priorities update | APRA

What is CPS 230?

CPS 230 requires APRA-regulated entities to prepare for service disruptions by understanding the impacts of such events on customers and the wider financial system, to take action to prevent them, and to enhance their operational resilience.

The standard has three overarching objectives:

  • 'Strengthen operational risk management through new requirements to address identified weaknesses in existing controls';
  • improve business continuity planning to ensure they are positioned to respond to severe disruptions; and
  • enhance third-party risk management by ensuring risks from material service providers are appropriately managed'.

APRA aims to focus the attention of boards on operational resilience by enforcing the setting of tolerance levels for disruptions to critical operations.

While APRA acknowledges some level of disruption is inevitable, it makes it clear that regulated entities should:

  • have the resilience to resume critical operations without causing financial harm;
  • work within a pre-defined tolerance level that is appropriate for their risk appetite; and
  • assess the appropriateness of the tolerances by conducting extensive scenario testing of extreme but plausible events.

What is CPS 230 replacing?

CPS 230 will replace the following standards:

  • Prudential Standard CPS 231 Outsourcing (CPS 231);
  • Prudential Standard CPS 232 Business Continuity Management (CPS 232);
  • Prudential Standard SPS 231 Outsourcing (SPS 231);
  • Prudential Standard SPS 232 Business Continuity Management (SPS 232); and
  • Prudential Standard HPS 231 Outsourcing (HPS 231).

See our outline of the purpose and scope of CPS 230 for more information. 

Implementation of CPS 230

The implementation of CPS 230 will require substantial alterations in operational risk management, business continuity, key service provider agreements, and governance procedures. This new standard, while demanding considerable effort for its design, execution, and ongoing management, will enhance entities' resilience and operational risk management capabilities. An entity that successfully implements CPS 230 will be able to demonstrate the following to APRA:


Ongoing oversight

Board accountability for operational risk management and clear roles and responsibilities established for senior management.


Operational risk profiles

A documented, real-time understanding of operational risks facilitated by an effective IT system, linked to risk appetite, controls, obligations, key documented processes, service providers, and incorporated into decision-making procedures.


Business continuity

Critical operations and tolerance levels defined, including key steps to minimise potential impacts to critical operations.


Service provider management policy & agreements

A policy setting out how material service providers will be identified and managed. CPS 230 compliant agreements for all material service providers.


Third and fourth party risk management

Substantiate that the entity has thoroughly analysed all key risks to the entity relating to all material service providers, including fourth parties. This includes an assessment of step in and contagion risks, BCP impacts and orderly exit arrangements.


Controls

Effective controls which are regularly and thoroughly tested, and any material weaknesses remediated in a timely manner.

Draft CPS 230 guidance

Leading up to the commencement of CPS 230 in 2025, APRA has released draft guidance to aid compliance by:

  • explaining that all CPS 230 requirements apply to all APRA-regulated entities, but that APRA intends the requirements to be applied proportionately, meaning 'an entity’s approach to operational risk [is] to be proportionate to its size, business mix and complexity';
  • providing guidance in response to key issues/concerns raised in the CPS 230 consultation regarding the implementation of requirements around operational risk management, business continuity and service provider management;
  • providing clarity on the responsibilities of the board and senior management;
  • offering guidance on the extent of monitoring of operational risk management expected and clarity on the assessment of the entity's operational risk profile e.g. for new products;
  • providing information about identifying critical operations, setting tolerance levels and business continuity planning, including APRA's expectations around systematic testing;
  • outlining what would be addressed by an entity's service provider management policy; and
  • providing guidance on the type of information a regulated entity would 'typically' be expected to provide and how the information can be provided to APRA.

The final guidance to CPS 230 is due to be released in the first half of 2024.

CPS 230 – A roadmap toward compliance

APRA expects all entities to adopt a 'proactive' approach in preparing for the new requirements, flagging that the regulator expects to engage with entities during the implementation period to 'assess progress'.

APRA-regulated entities must begin to assess their existing practices against the updated regulatory requirements and plan a roadmap to compliance. In addition to other steps, an APRA-regulated entity should assess, map out and consider:

  • its business line processes, reporting lines and existing controls to limit operational risks;
  • its framework approach to critical operations (including the setting, or reassessment, of tolerance levels) and the credibility and robustness of its business continuity plan (BCP); and
  • whether third parties used by the business now constitute ‘material service providers’ and have ‘material arrangements’ for the purposes of the standard.

Actions that APRA-regulated entities can begin

While the new standard does not come into force until 2025, entities should begin the process sooner rather than later. Actions that can be started now include:

1. CPS 230 operational risk management

Assess operational risk management duties and required updates for the board and managers.

Generally, CPS 230 transfers responsibility away from roles to individuals who are more directly involved in the business risk management.

The board will be responsible for overseeing operational risk management, including key internal controls, setting clear roles and responsibilities for senior managers, approving the service provider management policy, approving the business continuity plan (BCP) and tolerance levels for disruptions to critical operations.

Senior management will be responsible for management of operational risk across the end-to-end process for all business operations. It must also receive reporting on the results of controls testing and material arrangements with material service providers and supply certain reports to the Board. Draft guidance for CPS 230 encourages business line management to then embed practices and own operational risk. APRA-regulated entities can plan for any changes to policy and practice that these responsibilities necessitate. Measures could include additional management of affected personnel, communication strategies, training and support.

Assess the current operational risk profile.

APRA-regulated entities will need to maintain a comprehensive assessment of their operational risk profile. They should consider existing assessments of their risk and related measures they have in place, and look for opportunities to provide a more complete picture of their operational risk profile. CPS 230 requires appropriate information systems to monitor operational risk, the identification and documentation of processes and resources for critical operations (including interdependencies), scenario analysis and operational resiliency testing.

Assess existing controls to mitigate operational risks.

Entities will be required to design, implement and embed internal controls to mitigate risk in line with their risk appetite, and meet compliance obligations. As a precursor to related obligations such as testing, monitoring and remediation of the same, APRA-regulated entities should first identify and assess existing internal controls across end-to-end operations.

Under CPS 230, APRA-regulated entities will be required to notify APRA of operational risk incidents that they regard as likely to have a material financial impact, or a material impact on their ability to maintain critical operations, no later than 72 hours after becoming aware of the incident. If an entity enters into or materially changes an agreement for the provision of a service that is required to undertake a critical operation, the entity must notify APRA within 20 business days.

2. Business Continuity

Establish a framework approach to critical operations and tolerance levels

APRA-regulated entities will need to keep a register of their critical operations (some are specified in CPS 230, unless an APRA-regulated entity can justify otherwise). The Board must approve tolerance levels for each critical operation: maximum disruption time; maximum acceptable level of data loss; and maximum business interruption service levels. APRA expects these tasks to have been addressed by the end of 2024.

Ensure the business continuity plan (BCP) remains fit for purpose

Entities should begin reviewing their BCP to ensure it meets the CPS 230 requirements. It must include the register of critical operations, how the organisation will maintain them within tolerance levels through disruptions and matters such as triggers to identify disruptions. APRA-regulated entities must be able to execute their BCP (through access to people, resources and technology).

Under CPS 230, APRA must be notified within 24 hours if the entity's BCP is activated following a disruption to a critical operation that falls outside acceptable tolerance levels.

3. Service Provider Management

Consider material service providers

Entities will need to maintain a register of material service providers and manage the associated risks. Under the new standard, the entity must submit this register to APRA each year. The material service provider concept differs from existing standards such as CPS 231, which apply to the ‘outsourcing’ of ‘material business activities’ (that is, the use of a third party to conduct relevant business activities an entity could do in-house). CPS 230 moves to a broader concept under which APRA-regulated entities must assess vendors for fit against the relevant definition, which extends to services that may previously have been excluded because they could not be done in-house. Furthermore, CPS 230 defines certain service providers as ‘material service providers’ unless an APRA-regulated entity can justify otherwise. Given CPS 230’s extended reach, APRA-regulated entities will need to consider and adjust their treatment of vendors that will now qualify as material service providers with material arrangements (and are therefore subject to tighter regulation). Find out more about supply chain cyber risk in relation to CPS 230 compliance in our overview.

Review outsourcing policies and requirements

CPS 230 updates the requirements for policies, due diligence, agreements and reporting that apply with respect to service providers under existing prudential standards such as CPS 231. CPS 230 represents a shift away from a focus on ‘outsourcing’, to whether material service providers and material arrangements exist. Entities should review their current outsourcing policies and requirements and determine whether and to what extent standard practices (e.g. template contracts) will need to be reviewed to ensure they extend to the right entities and impose the right obligations. Under the new standard, entities must notify APRA before entering into any material offshoring arrangement, or when a major change is proposed.

Read more about practical steps towards compliance in our CPS 230 Practical Playbook.

As a multidisciplinary team with an integrated service offering, we are well-versed in the implementation of CPS 230 and we are ready to help your organisation.

Supporting your journey to CPS 230 compliance

Our team includes risk and technology consultants and lawyers, specialising in operational risk management and commercial arrangements in an APRA-regulated financial services context.

Our suite of integrated services includes:

  • Current state analysis and a roadmap to achieving compliance;
  • Risk management framework review and enhancement;
  • Fit for purpose review of IT infrastructure (related to CPS 230);
  • Procurement and vendor management policies uplift; and
  • Negotiation and amendment of contract terms.

Our end-to-end process

Working with MinterEllison, your organisation will be supported throughout the CPS 230 lifecycle – with a customised and scalable service spanning mobilisation, to implementation, and continuous improvement. We have client-side experience in operational risk, operations, business continuity management and reviewing and drafting service provider management policies and agreements.
Contact us to learn more about how MinterEllison can support your journey to CPS 230 compliance.

https://www.minterellison.com/articles/cps-230-your-roadmap-to-compliance