Strengthening Operational Risk Management: A Closer Look at CPS230
Operational risk is a critical concern for the Banking, Insurance, and Superannuation industries. The Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry findings have underscored the importance of robust oversight of non-financial risks within these sectors. To address these challenges, the Australian Prudential Regulation Authority (APRA) introduced Prudential Standard CPS 230 (Operational Risk Management) and the corresponding draft Prudential Practice Guide CPG 230. These regulations replace CPS231, SPS 231 and HPS 231 (outsourcing) and CPS 232 and SPS 232 (Business Continuity Management).
CPS 230 (Operational Risk Management) aims to strengthen operational risk management, enhance business continuity planning, and improve third-party risk management. It should be used in conjunction with CPS 220 and SPS 220 (Risk Management); CPS 234 (Information Security) and APS222 (Associations with related entities).
As a senior Manager, Board member or Executive, what do I need to know?
Current controls may need uplifting, and there are new obligations now in place. Boards are responsible for the oversight of risk management and have heightened obligations with CPS 230 above their existing requirements. This includes approving the setting of tolerance levels, as well as Business Continuity arrangements, and Service Provider Management Policies. They also need to be across the uplift of current controls, the testing of BCP, as well as third-party risk and performance reporting. In this article, we outline the changes and take a look at how organisations can begin to assess their compliance.
Go to > What’s changing?
CPS 230 was created with several key objectives in mind:
- Strengthening Operational Risk Management: APRA aims to bolster operational risk management within APRA-regulated entities. This includes requirements for testing internal controls to ensure they effectively manage operational risk.
- Improving Business Continuity Planning: Entities are expected to enhance their business continuity planning. Clear maximum levels of disruption for critical processes must be established to ensure these entities can continue to operate even in the face of disruptions.
- Enhancing Third-Party Risk Management: CPS 230 expands the scope of third-party risk management to include all material service providers that entities rely upon for critical processes, not just those that have been outsourced.
IMPORTANT MESSAGE: Australian Prudential Regulation Authority has put the finance industry on notice about non-compliance with information security standard CPS 234.
Are your third-party controls effective?
Do you have systematic security control testing in place?
Are you regularly testing incident response plans?
If you answered no to any of these questions, Avocado can help NOW. Contact us for a free 15-minute consultation.
All APRA regulated entities must comply with CPS 230 including Authorised deposit-taking Institutions (ADI’s), general insurers, life insurers, private health insurers, RSE Licenses (super funds) ad Authorised or registered non-operating holding companies. It also applies to non-regulated entities within a group. If your organisation provides services to APRA-regulated organisations, you may also be indirectly impacted by these changes.
CPS 230 takes effect from 1 July 2025 for pre-existing contractual arrangements at the next renewal date, and officially applies from 1 July 2026 of existing service providers. It’s important to note that while CPS 230 sets enforceable standards, APRA CPG 230 is a set of good practice expectations, not enforceable regulations.
Entities subject to CPS 230 must ensure compliance with several key aspects related to service provider oversight. At a minimum, this entails:
- A Third-Party Risk Management Policy: A comprehensive policy aligning with CPS 230 and CPG 230 requirements must be in place.
- Effective Processes: Entities should have processes to direct, manage, and evaluate their third-party risk management policy, while also managing the interdependencies between people, technology, data, facilities, and service providers.
- GRC Platform: The implementation and automation of these processes often require a robust Governance, Risk, and Compliance (GRC) platform, such as HyperGRC™.
While some existing requirements remain, such as setting a risk appetite, managing risks, designing and implementing controls and monitoring, reviewing and testing controls, there are new requirements. These include but are not limited to:
- Setting a risk tolerance for disruptions above the risk appetite
- Maintaining and monitoring the age and health of information asset
- Remediation of material weaknesses
- communication processes
- notifying of operational risks to APRA within 72 hours and
- incorporating operational risks and near misses into assessments of control effectiveness and operational risk profile.
Entities that have already adopted comprehensive control frameworks like the NIST Cyber Security Framework (NIST CSF) and risk management frameworks like ISO 31000 may find the implementation of CPS 230 relatively straightforward. These existing frameworks can align well with the new requirements, as highlighted in the below graphic.
Significantly, key areas that organisations should be looking at include
While CPG 230 is not enforceable, it is good practice. It’s highly recommended for organisations to strengthen their resiliency in the face of dynamic change. These clauses highlight the importance of documenting ownership, control assurance, site visits, monitoring 4th parties, and assessing in-house versus outsourced services.
CPS 230 and CPG 230 represent significant steps forward in strengthening operational risk management within the financial services sector. Organisations can rely on Avocado’s expertise and services to navigate the complexities of these regulations, ensuring compliance while also enhancing overall operational resilience.
Given the complexity of these changes, organisations should be taking steps now to ensure they are compliant. To get you started, Avocado have created a downloadable checklist for Boards and Executives with questions under each clause which we can help support.
Be inspired by our related content:
Reinventing and securing the omni-channel customer experience
Avocado partnered with an ASX listed leading global retail industry player to manage all third-party risk and security assessments as they transformed from bricks and mortar to a full multi-channel strategy with deep customer experience tooling.
Avocado is here to help you navigate the complexities of these regulations. Our suite of services is designed to streamline compliance efforts and enhance your organisation’s operational resilience. Contact our team today.