APRA finalises new prudential standard on operational risk management

The Australian Prudential Regulation Authority (APRA) has finalised a new Prudential Standard CPS 230 Operational Risk Management (CPS 230) which incorporates operational risk management requirements into a single prudential standard aimed at ensuring banks, insurers and superannuation trustees can better manage operational risks and respond to business disruptions.

CPS 230 is intended to:

  • strengthen operational risk management through new requirements to address identified weaknesses in existing practices;
  • improve business continuity planning to ensure that regulated entities are ready to respond to severe business disruptions; and
  • enhance third-party risk management by extending requirements to all material service providers that regulated entities rely upon for critical operations or that expose them to material operational risk.

Implementation will include new registers of critical operations and material service providers and notification to APRA of operational risk incidents and changes.

The new standard will commence on 1 July 2025.

APRA has also released draft Prudential Practice Guide CPG 230 Operational Risk Management to assist regulated entities with the implementation of CPS 230 and the required risk management framework.

Draft CPG 230 explains that conduct and compliance are included in CPS 230 as types of operational risk, rather than as separate material risks. It says that breaches of conduct and compliance are often indicative of underlying failings in internal controls in operational risk management.

Role of the Board

APRA says that the standard reflects that the Board is ultimately accountable for the oversight of operational risk management and is expected to ensure that senior management effectively implements and maintains a regulated entity’s operational risk framework.

Draft CPG 230 states that a prudent Board would have a clear understanding of who is accountable within the entity for which aspect of operational risk management, including business continuity and the management of service provider arrangements, and be confident that there are no gaps in accountabilities.

What are “critical operations”?

CPS 230.35-36 state:

“35. Critical operations are processes undertaken by an APRA-regulated entity or its service provider which, if disrupted beyond tolerance levels, would have a material adverse impact on its depositors, policyholders, beneficiaries or other customers, or its role in the financial system.
36. An APRA-regulated entity must, at a minimum, classify the following business operations as critical operations, unless it can justify otherwise:
(a) for an ADI: payments, deposit-taking and management, custody, settlements and clearing;
(b) for an insurer (general, life, private health): claims processing;
(c) for an RSE licensee: investment management and fund administration; and
(d) for all APRA-regulated entities: customer enquiries and the systems and infrastructure needed to support critical operations.”

CPG 230 includes a diagram showing the end-to-end process view of critical operations.

Who are material service providers?

CPS 230.50 states:

“An APRA-regulated entity must, at a minimum, classify a provider of the following services as a material service provider, unless it can justify otherwise:
(a) for an ADI: credit assessment, funding and liquidity management and mortgage brokerage;
(b) for an insurer (general, life, private health): underwriting, claims management, insurance brokerage and reinsurance;
(c) for an RSE licensee: fund administration, custodial services, investment management and arrangements with promoters and financial planners; and
(d) for all APRA-regulated entities: risk management, core technology services and internal audit.”

CPG 230 also includes the below graphic which summarises APRA’s prudential framework, and shows where CPS 230 fits in, within the Risk management pillar.

CPS 230 replaces and supersedes five existing prudential standards: Prudential Standard CPS 231 Outsourcing (CPS 231), Prudential Standard SPS 231 Outsourcing (SPS 231), Prudential Standard HPS 231 Outsourcing (HPS 231), Prudential Standard CPS 232 Business Continuity Management (CPS 232) and Prudential Standard SPS 232 Business Continuity Management (SPS 232).

CPG 230 replaces and supersedes five existing PPGs: Prudential Practice Guide GPG 230 Operational Risk (GPG 230), Prudential Practice Guide LPG 230 Operational Risk (LPG 230), Prudential Practice Guide CPG 231 Outsourcing (CPG 231), Prudential Practice Guide SPG 231 Outsourcing (SPG 231) and Prudential Practice Guide SPG 232 Business Continuity Management (SPG 232).


Author: David Jacobson
Principal, Bright Corporate Law
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.
