
Strengthening Operational Risk Management: A Closer Look at CPS230 

Operational risk is a critical concern for the Banking, Insurance, and Superannuation industries. The findings of the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry have underscored the importance of robust oversight of non-financial risks within these sectors. To address these challenges, the Australian Prudential Regulation Authority (APRA) introduced Prudential Standard CPS 230 (Operational Risk Management) and the corresponding draft Prudential Practice Guide CPG 230. These replace CPS 231, SPS 231 and HPS 231 (Outsourcing) and CPS 232 and SPS 232 (Business Continuity Management).

CPS 230 (Operational Risk Management) aims to strengthen operational risk management, enhance business continuity planning, and improve third-party risk management. It should be used in conjunction with CPS 220 and SPS 220 (Risk Management), CPS 234 (Information Security) and APS 222 (Associations with Related Entities).

As a senior Manager, Board member or Executive, what do I need to know? 

Current controls may need uplifting, and new obligations are now in place. Boards are responsible for the oversight of risk management and, under CPS 230, have heightened obligations above their existing requirements. These include approving tolerance levels, Business Continuity arrangements and Service Provider Management Policies. Boards also need to be across the uplift of current controls, the testing of BCPs, and third-party risk and performance reporting. In this article, we outline the changes and take a look at how organisations can begin to assess their compliance.


The aim of CPS 230

CPS 230 was created with several key objectives in mind: 

  1. Strengthening Operational Risk Management: APRA aims to bolster operational risk management within APRA-regulated entities. This includes requirements for testing internal controls to ensure they effectively manage operational risk.
  2. Improving Business Continuity Planning: Entities are expected to enhance their business continuity planning. Clear maximum levels of disruption for critical processes must be established to ensure these entities can continue to operate even in the face of disruptions.
  3. Enhancing Third-Party Risk Management: CPS 230 expands the scope of third-party risk management to include all material service providers that entities rely upon for critical processes, not just those that have been outsourced.



Effective date and applicability 

All APRA-regulated entities must comply with CPS 230, including authorised deposit-taking institutions (ADIs), general insurers, life insurers, private health insurers, RSE licensees (super funds) and authorised or registered non-operating holding companies. It also applies to non-regulated entities within a group. If your organisation provides services to APRA-regulated organisations, you may also be indirectly impacted by these changes.

CPS 230 takes effect from 1 July 2025. For pre-existing contractual arrangements with service providers, it applies from the next renewal date, and in any case from 1 July 2026. It is important to note that while CPS 230 sets enforceable standards, CPG 230 is a set of good practice expectations, not enforceable regulations.

Compliance requirements for service provider oversight

Entities subject to CPS 230 must ensure compliance with several key aspects related to service provider oversight. At a minimum, this entails: 

  • A Third-Party Risk Management Policy: A comprehensive policy aligned with the CPS 230 and CPG 230 requirements must be in place.
  • Effective Processes: Entities should have processes to direct, manage, and evaluate their third-party risk management policy, while also managing the interdependencies between people, technology, data, facilities, and service providers.
  • GRC Platform: Implementing and automating these processes often requires a robust Governance, Risk, and Compliance (GRC) platform, such as HyperGRC™.

What’s Changing?

While some existing requirements remain, such as setting a risk appetite, managing risks, designing and implementing controls, and monitoring, reviewing and testing controls, there are new requirements. These include, but are not limited to:

  • Setting a risk tolerance for disruptions, in addition to the risk appetite
  • Maintaining and monitoring the age and health of information assets
  • Remediation of material weaknesses
  • Communication processes
  • Notifying APRA of operational risks within 72 hours
  • Incorporating operational risks and near misses into assessments of control effectiveness and the operational risk profile

Facilitating Compliance with Existing Frameworks 


Entities that have already adopted comprehensive control frameworks like the NIST Cyber Security Framework (NIST CSF) and risk management frameworks like ISO 31000 may find the implementation of CPS 230 relatively straightforward. These existing frameworks align well with the new requirements, as highlighted in the graphic below.

Key areas that organisations should be looking at include:

  1. Identify Risk: These clauses identify operational risks and critical dependencies within your supply chain.
  2. Analyse and Evaluate Risk: These clauses are aimed at evaluating and assessing operational risks. This includes recording and analysing incidents, comprehensive scenario-based assessments, and risk treatment strategies.
  3. Treat Risk: These clauses look at implementing controls and strategies to mitigate risks. This includes establishing recovery time objectives (RTOs), recovery point objectives (RPOs), and minimum service level agreements (SLAs). This is where Business Continuity Planning for robust risk mitigation comes into play.
  4. Record Risk: These clauses are aimed at ensuring organisations maintain records and documentation. This includes managing service provider arrangements, maintaining a risk register, and establishing comprehensive policies.
  5. Communicate Risk: These clauses are aimed at ensuring effective communication of risks. Specifically, they focus on Board accountability, clear roles and responsibilities, and periodic reporting. Organisations should be revisiting their governance support, policy development, and reporting for streamlined communication.
  6. Monitor Risk: These clauses look at your ongoing monitoring of risks and controls. This includes managing end-of-life technology risks, implementing GRC systems with continuous monitoring capabilities, and conducting technology risk assessments.

CPG 230

While CPG 230 is not enforceable, it is good practice, and organisations are strongly encouraged to follow it to strengthen their resilience in the face of dynamic change. Its clauses highlight the importance of documenting ownership, control assurance, site visits, monitoring fourth parties, and assessing in-house versus outsourced services.

CPS 230 and CPG 230 represent significant steps forward in strengthening operational risk management within the financial services sector. Organisations can rely on Avocado’s expertise and services to navigate the complexities of these regulations, ensuring compliance while also enhancing overall operational resilience. 

Given the complexity of these changes, organisations should be taking steps now to ensure they are compliant. To get you started, Avocado has created a downloadable checklist for Boards and Executives, with questions under each clause, which we can help you work through.

Now what? Access the detailed CPS 230 Compliance Checklist for a comprehensive guide to achieving compliance and enhancing operational resilience.
