APRA launches final version of CPS 230 Operational Risk Management standard
The Australian Prudential Regulation Authority (APRA) has published a new Prudential Standard, CPS 230 Operational Risk Management, which will direct how regulated entities manage operational risks, resilience, and business continuity. CPS 230 aims to ensure that an APRA-regulated entity is resilient to operational risks and disruptions.
At the same time APRA released a consultation process for CPG 230, a Prudential Practice Guide that will assist organizations with their CPS 230 compliance activities.
CPS 230 includes amendments made as a result of a consultation process, which includes a revised deadline for the implementation of the standard. Regulated entities now have until 1 July 2025 to comply, although APRA makes it clear that it “expects regulated entities to be proactive in preparing for the new requirements in 2023-2024 … rather than waiting until 2025 to start planning.” APRA expects that senior management will have identified their critical operations and material service providers by mid-2024 and will be ‘well positioned’ to set tolerance levels by the end of that year.
The key requirements of CPS 230 are that an APRA-regulated entity must:
- Identify, assess and manage its operational risks, with effective internal controls, monitoring and remediation.
- Be able to continue to deliver its critical operations within tolerance levels through severe disruptions, with a credible business continuity plan.
- Effectively manage the risks associated with service providers, with a comprehensive service provider management policy, formal agreements, and robust monitoring.
The standard is clear that responsibility for CPS 230 lies with a regulated organization’s board, stating that: “The Board of an APRA-regulated entity is ultimately accountable for oversight of an entity’s operational risk management. This includes business continuity and the management of service provider arrangements.”
Key roles of the board will include:
- Ensuring that the organization sets clear roles and responsibilities for senior managers for operational risk management, including business continuity and the management of service provider arrangements.
- Overseeing operational risk management and the effectiveness of key internal controls in maintaining the entity’s operational risk profile within risk appetite.
- Receiving regular updates on the operational risk profile and ensuring that senior management takes action as required to address any areas of concern.
- Approving the business continuity plan and tolerance levels for disruptions to critical operations.
- Reviewing the results of testing and overseeing the execution of any findings.
- Approving the service provider management policy and reviewing risk and performance reporting on material service providers.
CPS 230 was launched just a few days after the New Zealand Financial Markets Authority, Te Mana Tātai Hokohoko, released a consultation document focussed on new business continuity and technology systems regulations. Details of this can be found here:
APRA CPS 230 - Operational Resilience Special Interest Forum
The APRA CPS 230 - Operational Resilience Special Interest Forum was established in order to collaborate and develop insights into the changes that the new prudential standard will bring. BCI Special Interest Forums allow for collaboration and enable cross-functional engagement to drive best-practice understanding of the regulatory requirements involved in this change. Learn more by following the link below: