Skip to content
Spotlight on APRA’s cross-industry Prudential Standard CPS 230 Operational Risk Management

News -

Spotlight on APRA’s cross-industry Prudential Standard CPS 230 Operational Risk Management

The Australian Prudential Regulation Authority (APRA) has released the final new cross-industry Prudential Standard CPS 230 Operational Risk Management (CPS 230), and is set to go live on 1st July 2025 following industry consultation that commenced in July 2022.

Disruptions in the financial sector can have a significant impact on supply chains. Several recent operational risk control failures and well publicised bank failures outside of Australia have cemented the need for better regulation. The Australian Financial Services (FS) market continues to be well isolated due to the fallout from the failure of Silicon Valley Bank (SVB) and the woes of Credit Suisse, but a number high profile cyber incidents continue to keep resilience front of mind. CPS 230 aims to ensure regulated financial entities can better withstand disruption, both from cyber and non-cyber related risk.

Wayne Scott, Regulatory Compliance Solutions lead, NCC Group Software Resilience takes us through the key points of the proposals:

What is APRA’s plan?

The new standard is designed to strengthen the management of operational risk. It will ensure each regulated entity in the banking, insurance, and superannuation industries, can maintain critical operations through severe disruptions. It will allow each to manage the risks associated with the use of all service providers.

Who is included in the regulations?

APRA’s CPS 230 regulations have an expansive reach that includes 4th party providers – the vendor’s own vendors - in its scope. The new regulations apply to material suppliers and services and does not differentiate between on premise software or cloud services. This provides the regulations with an all-encompassing range, making it applicable to a wide array of entities but more importantly future proofs the regulations to include innovation.

The end of July brings the final regulations, and organisations work to complete a list of material service providers and critical operations. By the end of 2024, each regulated entity will be positioned to set its tolerance levels, and by July 2025, CPS 230 will commence. The transition period for existing service contracts will come to an end in July 2026. The APRA also retains the right to add to the list of material services and suppliers of an entity, assumingly once overall concentration risk to the market has been considered.

What should organisations be aware of?

Under the new guidance, APRA-regulated entities must set out to:

  • Effectively manage operational risks and set and maintain appropriate standards for conduct and compliance
  • Maintain critical operations within tolerance levels through severe disruptions (see below for more information on determining tolerance levels)
  • Manage the risks associated with the use of service providers

Responsibility now lies with board members of organisations to effectively mitigate against potential operational risk. The guidance will ensure each organisation regulated by the APRA can become resilient to operational risks and disruptions.

There are several changes businesses should be aware of, which must be enforced to abide by the new regulations. These include the renewal and renegotiations of license agreements to add relevant clauses to ensure resilience, as businesses now build “Service Provider Management Policies”, and any future material services must have these plans in place before entering any arrangements.

What happens next?

With the introduction of the new regulations, Australia has a unique opportunity to learn from the banking turmoil in the first quarter of the year, and the shortcomings it highlighted in the UK FS industry’s slow reaction to their new regulations on risk management for Financial Institutions.

Escrow allows regulators to place supplier failure, service deterioration, and concentration risk at the forefront of planning, ensuring risk management receives adequate attention.

The inclusion of service provider management policies and the outlined mandatory services for consideration are a huge step forward when it comes to enforcing effective risk management.

Regulators across the globe are taking leaps to manage operational risk, and the next few years promise to be an exciting time for organisations working to ensure resilience.

Download our spotlight guide to learn more about the APRA CPS 230 Regulations




NCC Group Press Office

NCC Group Press Office

Press contact All media enquires relating to NCC Group plc +44 7721577574
NCC Group - Financial Media Enquiries

NCC Group - Financial Media Enquiries

Press contact Maitland AMO Financial Results Media Enquiries +44 (0)20 7379 5151
Regional Press Office - North America

Regional Press Office - North America

Press contact +1 408 776 1400
Regional Press Office - Europe

Regional Press Office - Europe

Press contact +31 20 794 4737

NCC Group exists to make the world safer and more secure

In today’s threat landscape understanding the risks organisations and customers are exposed to is more important than ever.

Understanding the impact and how to be more resilient is key to protecting brand, reputation and sensitive customer information. Building a cyber-resilient organization can be a complex process but it’s not impossible.

With our knowledge, experience and global footprint, we help assess, develop and manage cyber resilience posture.

NCC Group Newsroom
XYZ Building, 2 Hardman Boulevard, Spinningfield
M3 3AQ Manchester
United Kingdom