Are you ready for APRA's CPS230?

In July 2022, the Australian Prudential Regulation Authority (APRA) released a draft cross-industry Prudential Standard CPS 230 ‘Operational Risk Management’. The proposed CPS230 applies to all APRA-regulated entities including the banking, insurance and superannuation industries and becomes effective from 1 July 2025.

Key objectives of CPS230

APRA has observed three key trends in recent years including control failures, low tolerance for disruptions, and increasing reliance on service providers. Against the backdrop of these three key trends, the proposed CPS230 aims to:

  • Strengthen operational risk management and consolidate existing prudential standards
  • Enhance operational resilience and reduce the impact of severe business disruptions on customers and the financial system
  • Ensure critical operations are maintained through severe business disruptions and risks arising from the use of service providers, including fourth parties, are considered and managed effectively.

The key changes to CPS230

Below table highlights key changes of the proposed standard.

Draft CPS230Key requirements
Operational risk management

Strengthening oversight and management

  • Senior management to provide clear and comprehensive information to the Board on operational risk and maintain appropriate and effective information systems to monitor the operational risk profile

New products and activities

  • Operational risk assessment to understand and monitor their risk profile

Internal controls

  • Operational risk controls must be designed, implemented and embedded and regularly tested for effectiveness

Incident management

  • Operational risk incidents which must be identified, escalated, recorded and addressed in a timely manner
Business continuity

Critical operations

  • To clearly identify their critical operations

Tolerance levels

  • To set Board-approved tolerance levels for each of their critical operations, including the maximum time and extent of data loss, minimum service levels the entity would maintain

Business continuity plan (BCP)

  • To ensure its BCP is fit-for-purpose and is sufficiently comprehensive to be useful in appropriately responding to a disruption

Testing and review

  • To have a systemic testing program for its BCP that covers all critical operations and includes an annual business continuity exercise

Audit requirements

  • Submit its BCP to APRA on an annual basis, and notify APRA of a material disruption or if it has activated its BCP
Service provider management

Material service providers

  • Identification of material service providers

Managing risks associated with service providers

  • Service provider agreements in place
  • Policy to set out its approach to managing risks with fourth parties

Monitoring and notifications

  • Submit register of material service providers to APRA on an annual basis
  • Notify APRA after entering into or materially changing an agreement
  • Notify APRA prior to entering into any offshoring agreement.

APRA aims to finalise and release the final version of CPS230 in the first half of 2023, with the new standard comes into effect from 1 July 2025.

Contact your local PKF Audit & Assurance specialist for assistance with strengthening your operational risk management framework.

Related insights

Subscribe to our newsletter


Propel your career

Learn more about Careers

Follow us

Find your closest office


Read our latest Clarity mag

View now

About the firm

Transparency reports