Spotlight on APRA’s cross-industry Prudential Standard CPS 230 Operational Risk Management
The Australian Prudential Regulation Authority (APRA) has released the final new cross-industry Prudential Standard CPS 230 Operational Risk Management (CPS 230), and is set to go live on 1st July 2025 following industry consultation that commenced in July 2022.
Disruptions in the financial sector can have a significant impact on supply chains. Several recent operational risk control failures and well-publicised bank failures outside of Australia have cemented the need for better regulation. The Australian Financial Services (FS) market continues to be well isolated from the fallout of the failure of Silicon Valley Bank (SVB) and the woes of Credit Suisse, but a number of high-profile cyber incidents continue to keep resilience front of mind. CPS 230 aims to ensure regulated financial entities can better withstand disruption, from both cyber and non-cyber related risk.
Wayne Scott, Regulatory Compliance Solutions lead, NCC Group Software Resilience, takes us through the key points of the proposals:
What is APRA’s plan?
The new standard is designed to strengthen the management of operational risk. It will ensure each regulated entity in the banking, insurance, and superannuation industries can maintain critical operations through severe disruptions. It will allow each to manage the risks associated with the use of all service providers.
Who is included in the regulations?
APRA’s CPS 230 regulations have an expansive reach that includes 4th-party providers (the vendor’s own vendors) in its scope. The new regulations apply to material suppliers and services and do not differentiate between on-premise software and cloud services. This gives the regulations an all-encompassing range, making them applicable to a wide array of entities and, more importantly, future-proofing them to include innovation.
The end of July brings the final regulations, and organisations are working to complete a list of material service providers and critical operations. By the end of 2024, each regulated entity will be positioned to set its tolerance levels, and by July 2025, CPS 230 will commence. The transition period for existing service contracts will come to an end in July 2026. APRA also retains the right to add to the list of material services and suppliers of an entity, presumably once overall concentration risk to the market has been considered.
What should organisations be aware of?
Under the new guidance, APRA-regulated entities must set out to:
- Effectively manage operational risks and set and maintain appropriate standards for conduct and compliance
- Maintain critical operations within tolerance levels through severe disruptions (see below for more information on determining tolerance levels)
- Manage the risks associated with the use of service providers
Responsibility now lies with board members of organisations to effectively mitigate potential operational risk. The guidance will ensure each organisation regulated by APRA can become resilient to operational risks and disruptions.
There are several changes businesses should be aware of and must put in place to abide by the new regulations. These include renewing and renegotiating licence agreements to add the clauses needed to ensure resilience as businesses build “Service Provider Management Policies”; any future material service arrangement must have these plans in place before it is entered into.
What happens next?
With the introduction of the new regulations, Australia has a unique opportunity to learn from the banking turmoil in the first quarter of the year, and from the shortcomings it highlighted in the UK FS industry’s slow reaction to its new regulations on risk management for financial institutions.
Escrow allows regulators to place supplier failure, service deterioration, and concentration risk at the forefront of planning, ensuring risk management receives adequate attention.
The inclusion of service provider management policies and the outlined mandatory services for consideration are a huge step forward when it comes to enforcing effective risk management.
Regulators across the globe are taking leaps to manage operational risk, and the next few years promise to be an exciting time for organisations working to ensure resilience.