
APRA’s CPS 230 Operational Risk - What to expect

Overview

APRA’s Prudential Standard CPS 230 Operational Risk requires APRA-regulated entities to manage operational risks and potential disruptions effectively, to maintain critical operations within tolerance levels through severe business disruptions, and to manage the risks arising from their use of third parties. CPS 230 requires a formal agreement, including service levels, for every material service provider arrangement, together with due diligence before appointing or changing a material service provider. The requirement under APRA’s current CPS/SPS 231 Outsourcing for Internal Audit to review new and changed material service provider arrangements continues under CPS 230.

The new standard replaces APRA’s CPS/SPS 231 Outsourcing and CPS/SPS 232 Business Continuity Management, combining their requirements with new requirements for operational risk management.

What has changed?

Entities are required to identify their critical operations (those which, if disrupted, would have a material impact on the entity’s policyholders, members or customers) and, for each of them: perform end-to-end process mapping; perform risk assessments, taking into account any relevant incidents, issues or control failures when determining residual risk ratings; update the BCP and Business Impact Analyses (BIAs); set tolerance levels for disruption and assess material service providers against them; and assess and uplift control assurance, including testing of controls.

Ideally, entities should bring all of this together in their GRC systems, align the approach with their Risk Management Framework, BCP policies and service provider management policy, and streamline it across their three lines of defence (3LOD).

Examples of critical operations are payments or custody for a bank (ADI), claims handling for an insurer, and investment management and fund administration for a superannuation trustee.

Business Continuity Plans need to document the disruption events considered (e.g. power outage, loss of telecommunications services, cyber-attack, pandemic), the risk mitigation strategies for each, and a customer engagement strategy outlining how impacted stakeholders will be communicated with.

When does the standard come into effect?

1 July 2025.

(For material service provider arrangements already in place on 1 July 2025, the CPS 230 requirements apply from the earlier of the contract’s next renewal date or 1 July 2026.)

How can Howlett Consulting (HC) assist?

We can help you to implement and comply with CPS 230 Operational Risk. APRA released its Prudential Practice Guide CPG 230 Operational Risk Management on 13 June 2024, and we can help you to work through that guidance to achieve a successful compliance outcome.

We can provide consulting-based advice, resources for your project to complete discrete deliverables, or a gap analysis to provide assurance over your current state.

Contact HC to arrange a time to discuss how we can best assist, whether by providing resources or by completing discrete, statement-of-work-based deliverables:

steve@howlettconsulting.com.au