From 1 July 2025, all APRA-regulated entities will be expected to comply with Prudential Standard CPS 230: Operational Risk Management (CPS 230), which will replace the existing standards on outsourcing and business continuity management.
Overview of CPS 230
CPS 230 will require APRA-regulated entities to:
- appropriately manage operational risk, including establishing and maintaining suitable standards for conduct and compliance;
- maintain a credible Business Continuity Plan (BCP) that facilitates the continuance of critical operations within tolerance levels through severe disruptions; and
- adequately manage third party risks arising from engagements with service providers.
APRA expects regulated entities not to delay implementation, even though CPS 230 is subject to a generous transition period.
Key changes
Some of the key changes arising from CPS 230 include:
- Robust operational risk management, including enhanced governance measures: The Board will be ultimately accountable for oversight of operational risk management and must oversee the effectiveness of controls in maintaining the operational risk profile within risk appetite. Clear roles and responsibilities for operational risk management will need to be set by the Board for senior managers. The Board will also be responsible for ensuring senior management takes the action required to address any areas of concern.
The process for managing operational risk will become more involved, with a comprehensive assessment of the operational risk profile to be maintained. This will include identifying and documenting the processes and resources required to deliver critical operations, as well as undertaking scenario analysis to test operational resilience, identify mitigation strategies and assess the potential impact of severe operational risk events.
Operational risk incidents determined to be likely to have a material financial impact or a material impact on the ability to maintain critical operations will need to be reported to APRA as soon as possible but in any event no more than 72 hours after becoming aware of the incident.
- Broader application to service arrangements: ‘Material service providers’ will include providers relied upon to undertake a critical operation (such as credit assessment, funding and liquidity management and mortgage brokerage, for an ADI) or that expose an APRA-regulated entity to a material operational risk. This is likely to bring a greater number of service providers within the scope of CPS 230, because it shifts the focus to a provider’s impact on operations rather than the individual service outsourced.
The Board will be required to approve the service provider management policy and review risk and performance reporting on material service providers.
- Register of critical operations and tolerance levels for each critical operation: The BCP will need to include a register of critical operations and associated tolerance levels, which must be approved by the Board. The Board’s responsibility for technological adequacy and the BCP will need to be considered when implementing Financial Accountability Regime measures. For example, it is expected that any failure in the BCP or technological adequacy, in addition to operational risk incidents more generally, would have an impact on incentives under any REM policy. If you would like further information on the Financial Accountability Regime, please see our article ‘FAR is here!’.
CPS 230 characterises critical operations as the processes undertaken by an entity which, if disrupted beyond tolerance levels, would have a material impact on its customers or its role in the financial system.
Tolerance levels to be addressed include the maximum time period a disruption would be tolerated, the maximum extent of data loss acceptable as a result of a disruption, and the minimum service levels to apply when relying upon an alternative arrangement during a disruption.
APRA may specify what is to be considered a critical operation at an entity or class level and may set tolerance levels for heightened risks or material weaknesses it identifies.
Implementation by APRA-regulated entities
Before 1 July 2025, some of the implementation activities APRA-regulated entities will need to undertake include:
- amending the existing risk management framework and processes to address enhanced operational risk management requirements;
- establishing clear roles and responsibilities for senior managers regarding operational risk management including business continuity and management of service provider engagements;
- uplifting governance arrangements to facilitate appropriate oversight of operational risk and the flow of information to the Board;
- reviewing and uplifting the existing BCP to conform with CPS 230, having regard to its critical operations and tolerance levels;
- identifying material service providers and uplifting contracts with such providers to comply with the content requirements of CPS 230; and
- formally documenting any internal service provider arrangements if not already documented.
If you have questions, or require assistance, in relation to how CPS 230 may impact your business, please contact the Financial Services &amp; Advisory team at HWL Ebsworth.