An independent statutory authority, the Australian Prudential Regulation Authority (APRA) supervises financial and related institutions across the banking, insurance, and superannuation sectors. As the failure of just one of its regulated institutions can undermine the stability of the financial system entirely, APRA is obliged to maintain a low incidence of failure.
That’s historically meant interventions in business continuity, information security, and outsourcing policy – but not operational risk management. In July of 2023, though, that changed.
What happened? APRA released for consultation a new prudential standard, CPS 230, designed to strengthen the management of operational risk in the banking, insurance, and superannuation industries.
Since then, the standard has been finalised and is set to officially commence on 1 July 2025. As a result, APRA will now be setting out minimum standards for managing operational risk, including updated requirements for business continuity and service provider management.
So, what’s happening?
Well, the purpose of the latest prudential standard is to ensure that regulated entities remain resilient to operational risks and disruptions, maintain critical operations through disruptions, and manage risks arising from service providers.
Relevant threats here include the full range of operational risks, including but not limited to legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk, reputational risk, and change management risk.
To manage such risks, APRA mandates that regulated entities maintain appropriate and sound information and information-technology infrastructure to meet current and projected business requirements and to support critical operations and risk management.
How? APRA’s requirements include:
Who, then, is tasked with ensuring compliance? That would be the entity’s Board. For purposes of compliance, the Board will be considered accountable for the oversight of operational risk management, as well as business continuity, and the management of service provider arrangements.
As a result, the Board has its work cut out for it. Per the Standard, the Board will have to ensure that the entity sets clear roles and responsibilities for senior managers as it relates to operational risk management.
Those senior managers, in turn, will be responsible for operational risk management on a day-to-day basis, across end-to-end processes for all business operations. In addition, senior managers will have to provide information to the Board on the expected impacts on the entity’s critical operations whenever the Board must make decisions affecting the resilience of those operations.
Further Board responsibilities include:
Of course, those only scratch the surface of entity requirements. To learn what else financial entities should know about APRA CPS 230 to ensure they meet the 2025 compliance date, download our Introductory Guide to APRA CPS 230: Operational Risk Management.