In July 2022, the Australian Prudential Regulation Authority (APRA) released a draft cross-industry Prudential Standard CPS 230 ‘Operational Risk Management’. The proposed CPS230 applies to all APRA-regulated entities including the banking, insurance and superannuation industries and becomes effective from 1 July 2025.
Key objectives of CPS230
APRA has observed three key trends in recent years including control failures, low tolerance for disruptions, and increasing reliance on service providers. Against the backdrop of these three key trends, the proposed CPS230 aims to:
- Strengthen operational risk management and consolidate existing prudential standards
- Enhance operational resilience and reduce the impact of severe business disruptions on customers and the financial system
- Ensure critical operations are maintained through severe business disruptions and risks arising from the use of service providers, including fourth parties, are considered and managed effectively.
The key changes to CPS230
Below table highlights key changes of the proposed standard.
| Draft CPS230 | Key requirements |
| Operational risk management | Strengthening oversight and management
- Senior management to provide clear and comprehensive information to the Board on operational risk and maintain appropriate and effective information systems to monitor the operational risk profile
New products and activities
- Operational risk assessment to understand and monitor their risk profile
Internal controls
- Operational risk controls must be designed, implemented and embedded and regularly tested for effectiveness
Incident management
- Operational risk incidents which must be identified, escalated, recorded and addressed in a timely manner
|
| Business continuity | Critical operations
- To clearly identify their critical operations
Tolerance levels
- To set Board-approved tolerance levels for each of their critical operations, including the maximum time and extent of data loss, minimum service levels the entity would maintain
Business continuity plan (BCP)
- To ensure its BCP is fit-for-purpose and is sufficiently comprehensive to be useful in appropriately responding to a disruption
Testing and review
- To have a systemic testing program for its BCP that covers all critical operations and includes an annual business continuity exercise
Audit requirements
- Submit its BCP to APRA on an annual basis, and notify APRA of a material disruption or if it has activated its BCP
|
| Service provider management | Material service providers
- Identification of material service providers
Managing risks associated with service providers
- Service provider agreements in place
- Policy to set out its approach to managing risks with fourth parties
Monitoring and notifications
- Submit register of material service providers to APRA on an annual basis
- Notify APRA after entering into or materially changing an agreement
- Notify APRA prior to entering into any offshoring agreement.
|
APRA aims to finalise and release the final version of CPS230 in the first half of 2023, with the new standard comes into effect from 1 July 2025.
Contact your local PKF Audit & Assurance specialist for assistance with strengthening your operational risk management framework.
