Financial institutions, insurers and superannuation entities have faced increasing operational risks due to technological advancements, cyber threats, and complex supply chains. As a result, the Australian Prudential Regulation Authority (APRA) has introduced Prudential Standard CPS 230 – Operational Risk Management.
This new standard aims to enhance the resilience of APRA-regulated entities by setting clear requirements for managing operational risks, ensuring the continuity of critical operations during disruptions, and overseeing risks associated with service providers.
CPS 230 comes into effect on 1 July 2025, applying to all APRA-regulated entities regardless of their size. As part of this transition, existing standards such as CPS 231 (Outsourcing) and CPS 232 (Business Continuity Management) will be revoked, streamlining the regulatory framework into a more comprehensive standard.
By addressing the increasing operational risks posed by technological advancements, cyber threats, and complex supply chains, CPS 230 seeks to strengthen the financial sector's ability to maintain critical operations even in the face of severe disruptions.
What are the key requirements of CPS 230?
Under CPS 230, regulated entities must:
- Manage operational risks: Identify, assess, and mitigate operational risks including technology and data risks, through strong internal controls, continuous monitoring, and timely remediation measures. Risk incidents that have been deemed to have a material financial or operational impact need to be reported to APRA within 72 hours.
- Ensure business continuity: Maintain the ability to sustain critical operations such as settlements and clearing (for an authorised deposit-taking institution) or fund administration (for a superannuation fund) within acceptable tolerance levels during major disruptions through a robust, credible and tested business continuity plan (BCP). Disruptions to critical operations that are outside of defined tolerances must be reported to APRA within 24 hours.
- Oversee service provider risks: Implement a comprehensive service provider management policy, establish legally binding agreements, and ensure rigorous oversight of third-party service providers. Regulated entities are required to maintain a register of material service providers and submit the register to APRA annually. Regulated entities must also undertake supplier due diligence before entering into or materially modifying a material service arrangement. Importantly, material agreements must include provisions that allow APRA to review relevant documentation and conduct an on-site visit to the service provider.
Preparing for the 1 July deadline
Your organisation may already be well-positioned for CPS 230 thanks to existing APRA standards such as CPS 220 (Risk Management) and the soon to be revoked CPS 231 and CPS 232. However, a proactive approach to understanding and addressing the compliance obligations under CPS 230 is essential to meet the regulator's expectations.
Organisations should:
1. Review CPS 230 and leverage its associated guidance document (CPG 230) to understand the compliance obligations, including vendor due diligence and business impact assessments.
2. Conduct a current-state assessment to identify control gaps in their existing operational risk, business continuity, and third-party risk management practices. This may include a business impact assessment to identify critical operations and tolerances, and a review of existing material supplier agreements and due diligence.
3. Implement remediation actions to address identified gaps before the deadline where possible. With respect to existing supplier agreements, the requirements of the standard apply to those arrangements at the earlier of the next renewal date or 1 July 2026.
4. Document and manage ongoing non-compliance. If certain compliance measures cannot be fully implemented before 1 July, record the non-compliance and establish a plan to address it within a timeframe that is determined by risk appetite.
Identifying and addressing compliance obligations, particularly those that are designed to strengthen the control environment and assure ongoing critical service continuity, should be viewed positively.
Use the 1 July 2025 deadline as a call to action; identify and remediate control deficiencies and enhance operational procedures in the process.
Contact one of our KordaMentha experts for a comprehensive assessment and tailored action plan, and start preparing now to safeguard your operations and maintain regulatory compliance.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.