An independent statutory authority, the Australian Prudential Regulation Authority (APRA) supervises financial and related institutions across the banking, insurance, and superannuation sectors. As the failure of just one of its regulated institutions can undermine the stability of the financial system entirely, APRA is obliged to maintain a low incidence of failure.
That’s historically meant interventions in business continuity, information security, and outsourcing policy – but not operational risk management. In July of 2023, though, that changed.
APRA sets an operational risk management standard
What happened? APRA released for consultation a new prudential standard, CPS 230, designed to strengthen the management of operational risk in the banking, insurance, and superannuation industries.
Since then, the standard has gone into force. It’s now set to officially commence 1 July 2025. As a result, APRA will now be setting out minimum standards for managing operational risk, including updated requirements for business continuity and service provider management.
What you should know about APRA CPS 230
So, what’s happening?
Well, the purpose of the latest prudential standard is to ensure that regulated entities remain resilient to operational risks and disruptions, to maintain critical operations through disruptions, and manage risks arising from service providers.
Relevant threats, here, include the full range of operational risks, consisting of but not limited to legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk, reputational risk, and change management risk.
To avoid such risks, APRA mandates regulated entities maintain appropriate and sound information and information-technology infrastructure to meet current and projected business requirements and support critical operations and risk management.
How? APRA’s requirements include:
- Identify, assess, and manage operational risks, with effective internal controls, monitoring, and remediation
- Be able to continue to deliver critical operations within tolerance levels through severe disruptions, with a credible business continuity plan (BCP)
- Effectively manage the risks associated with service providers, with a comprehensive service provider management policy, formal agreements, and robust monitoring
APRA CPS 230 roles and responsibilities
Who, then, is tasked with ensuring compliance? That would be the entity’s Board. For purposes of compliance, the Board will be considered accountable for the oversight of operational risk management, as well as business continuity, and the management of service provider arrangements.
As a result, the Board has its work cut out for it. Per the Standard, the Board will have to ensure that the entity sets clear roles and responsibilities for senior managers as it relates to operational risk management.
Those senior managers, in turn, will be responsible for operational risk management on a day-to-day basis, across end-to-end processes for all business operations. Nevertheless, senior managers will have to provide information to the Board on the expected impacts on the entity’s critical operations when the Board must make decisions affecting the resilience of said operations.
Further Board responsibilities include:
- Oversee operational risk management and the effectiveness of key internal controls in maintaining the entity’s operational risk profile within risk appetite. The Board must be provided with regular updates on the APRA-regulated entity’s operational risk profile and ensure senior management takes action as required to address any areas of concern
- Approve the BCP and tolerance levels for disruptions to critical operations, review the results of testing and oversee the execution of any findings
- Approve the service provider management policy, and review risk and performance reporting on material service providers
Of course, those only scratch the surface of entity requirements. What else should financial entities know about APRA CPS 230 to ensure they meet the 2025 compliance date, download our Introductory Guide to APRA CPS 230: Operational Risk Management.
