Guide to APRA CPS 230: Operational Risk Management

Noggin

Resilience Management

Updated April 24, 2024

Understanding APRA and its role

An independent statutory authority, the Australian Prudential Regulation Authority (APRA) supervises financial and related institutions across the banking, insurance, and superannuation sectors.

APRA, accountable to the Australian Parliament, has been tasked with the duty to maintain the safety and soundness of the financial industry and is, therefore, responsible for protecting the interests of depositors, policyholders, and superannuation fund members.

To promote the stability of the financial system, APRA works in tandem with other regulatory bodies, including the Australian Treasury, the Reserve Bank of Australia, and the Australian Securities and Investments Commission.

Entities APRA oversees

  • Authorised deposit-taking institutions (such as banks, building societies, and credit unions)
  • General insurers
  • Life insurers
  • Friendly societies
  • Private health insurers
  • Reinsurance companies
  • Superannuation funds (other than self-managed funds)

Why is APRA interested in operational risk management?

The failure of just one regulated institution can undermine the stability of the financial system. For that reason, APRA is obliged to maintain a low incidence of failure among the entities it regulates.

Of course, APRA itself can only do so much. It must therefore compel the management and directors of those entities to ensure that their own institutions remain sound.

APRA primarily does so through the imposition of prudential standards. These standards largely focus on enterprise risk management.

These standards are put in place to increase resilience to business disruptions arising from internal and external events; by complying, entities are better able to reduce any impacts on business operations, reputation, profitability, depositors, policyholders, and other stakeholders.

To this end, key standards have been imposed to address capital adequacy, liquidity, and governance, to ensure that systemic risks (i.e., risks that would endanger the system as a whole) are properly managed.

For a long time, operational risk management was not tackled directly, only indirectly through standards dealing with risk management and business continuity management.

That has changed.

On 28 July 2022, APRA released for consultation a new prudential standard designed to strengthen the management of operational risk in the banking, insurance, and superannuation industries.

Since then, the standard has been finalised and is set to officially commence on 1 July 2025, except where an APRA-regulated entity has pre-existing contractual arrangements in place with a service provider. In that case, the requirements will apply to those arrangements from the earlier of the next renewal date of the contract with the service provider or 1 July 2026.

As a result, APRA will now be setting out minimum standards for managing operational risk, including updated requirements for business continuity and service provider management.

About Prudential Standard CPS 230 Operational Risk Management

Prudential Standard CPS 230 derives its statutory authority from subsections in existing banking, insurance, and life insurance legislation. However, the standard is tailored to operational risk.

Its purpose is to ensure that regulated entities remain resilient to operational risks and disruptions, maintain critical operations through disruptions, and manage the risks arising from service providers.

Relevant threats, here, include the full range of operational risks, including but not limited to legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk, reputational risk, and change management risk.

To avoid such risks, APRA requires regulated entities to maintain appropriate and sound information and information-technology infrastructure that meets current and projected business requirements and supports critical operations and risk management.

How will APRA compel entities?

APRA’s requirements include that each entity:

  • Identify, assess, and manage its operational risks, with effective internal controls, monitoring and remediation
  • Be able to continue to deliver its critical operations within tolerance levels through severe disruptions, with a credible business continuity plan (BCP)
  • Effectively manage the risks associated with service providers, with a comprehensive service provider management policy, formal agreements, and robust monitoring

Developing and maintaining an appropriate risk management framework

APRA also requires entities to develop and maintain a risk management framework.

Per APRA, this framework will only be deemed appropriate, though, if it’s suitable to the size, business mix, and complexity of the regulated entity.

Essential components of such a framework include:

  • Governance arrangements for the oversight of operational risk
  • An assessment of its operational risk profile, with a defined risk appetite supported by indicators, limits, and tolerance levels 
  • Internal controls that are designed and operating effectively for the management of operational risks
  • Appropriate monitoring, analysis, and reporting of operational risks and escalation processes for operational incidents and events
  • Business continuity plan(s) (BCPs) that set out how the entity would identify, manage, and respond to a disruption within tolerance levels and are regularly tested with severe but plausible scenarios
  • Processes for the management of service provider arrangements.

What happens if the framework and related risk management processes are considered inadequate? Here, APRA is alerting entities that it reserves the right to intervene.

Interventions run the gamut. They might include a request for an independent review of the entity’s operational risk management. Regulated entities might also be required to develop a remediation program or hold additional capital, as relevant.

Interventions might also be imposed as a condition of the entity’s licence. What’s more, APRA is signalling that it reserves the right to take further action in supervising compliance with the standard.

Roles and responsibilities

Who, then, is tasked with ensuring compliance? That would be the entity’s Board. For purposes of compliance, the Board will be considered accountable for the oversight of operational risk management, as well as business continuity, and the management of service provider arrangements.

And the Board has its work cut out. Per the Standard, the Board will have to ensure that the entity sets clear roles and responsibilities for senior managers as it relates to operational risk management.

Those senior managers, in turn, will be responsible for operational risk management on a day-to-day basis, across end-to-end processes for all business operations. Senior managers will also have to provide information to the Board on the expected impacts on the entity’s critical operations whenever the Board must make decisions affecting the resilience of those operations.

Further Board responsibilities include:

  • Oversee operational risk management and the effectiveness of key internal controls in maintaining the entity’s operational risk profile within risk appetite. The Board must be provided with regular updates on the APRA-regulated entity’s operational risk profile and ensure senior management takes action as required to address any areas of concern.
  • Approve the BCP and tolerance levels for disruptions to critical operations, review the results of testing, and oversee the execution of any findings.
  • Approve the service provider management policy, and review risk and performance reporting on material service providers.

Further requirements for operational risk management

Of course, that only scratches the surface of entity requirements.

Besides managing the full range of operational risks, entities are likely to be required to comply with the following operational risk management provisions:

Operational risk profile and assessment
  • Assess the impact of its business and strategic decisions on its operational risk profile and operational resilience, as part of its business and strategic planning processes. This must include an assessment of the impact of new products, services, geographies, and technologies on its operational risk profile.
  • Maintain a comprehensive assessment of its operational risk profile. As part of this, an APRA-regulated entity must:
    – Maintain appropriate and effective information systems to monitor operational risk, compile and analyse operational risk data, and facilitate reporting to the Board and senior management
    – Identify and document the processes and resources needed to deliver critical operations, including people, technology, information, facilities, and service providers, the interdependencies across them, and the associated risks, obligations, key data, and controls
    – Undertake scenario analysis to identify and assess the potential impact of severe operational risk events, test its operational resilience, and identify the need for new or amended controls and other mitigation strategies.
  • Conduct a comprehensive risk assessment before providing a material service to another party, to ensure that it is able to continue to meet its prudential obligations after entering into the arrangement. APRA may require an APRA-regulated entity to review and strengthen internal controls or processes where APRA considers there to be heightened prudential risks in such circumstances.

Operational risk controls
  • Design, implement, and embed internal controls to mitigate its operational risks in line with its risk appetite and meet its compliance obligations.
  • Regularly monitor, review, and test controls for design and operating effectiveness, at a frequency commensurate with the materiality of the risks being controlled. The results of testing must be reported to senior management, and any gaps or deficiencies in the control environment must be rectified in a timely manner.
  • Remediate material weaknesses in its operational risk management, including control gaps, weaknesses, and failures. This remediation must be supported by clear accountabilities and assurance and must address the root causes of weaknesses in a timely manner. An APRA-regulated entity must include identified control gaps, weaknesses, and failures in its operational risk profile until such matters are remediated.

Operational risk incidents
  • Ensure that operational risk incidents and near misses are identified, escalated, recorded, and addressed in a timely manner. An APRA-regulated entity must take incidents and near misses into account in its assessment of its operational risk profile and control effectiveness in a timely manner.
  • Notify APRA as soon as possible, and not later than 72 hours, after becoming aware of an operational risk incident that it determines to be likely to have a material financial impact or a material impact on the ability of the entity to maintain its critical operations.

Requirements for business continuity management

And when it comes to business continuity management, regulated entities are likely to have to define, identify, and maintain a register of their critical operations.

From there, entities will have to take reasonable steps to minimise the likelihood and impact of disruptions to critical operations. They will also have to maintain a credible business continuity plan, setting out precisely how they will maintain critical operations within tolerance levels through disruptions. This plan should include disaster recovery provisions for critical information assets.

On the critical event response end, entities are likely to be obligated to activate the BCP in the event of a disruption and to return to normal operations promptly once the disruption is over.

Further requirements include:

Critical operations and tolerance levels
  • Critical operations are processes undertaken by an APRA-regulated entity or its service provider which, if disrupted beyond tolerance levels, would have a material adverse impact on its depositors, policyholders, beneficiaries, or other customers, or on its role in the financial system.
  • Critical operations include, but are not limited to: payments, deposit-taking and management, custody, settlements, clearing, claims processing, investment management, fund administration, customer enquiries, and the systems and infrastructure needed to support these operations.
  • APRA may require an APRA-regulated entity, or a class of APRA-regulated entities, to classify a business operation as a critical operation.
  • For each critical operation, an APRA-regulated entity must establish tolerance levels for:
    – the maximum period of time the entity would tolerate a disruption to the operation;
    – the maximum extent of data loss the entity would accept as a result of a disruption;
    – the minimum service levels the entity would maintain while operating under alternative arrangements during a disruption.
  • APRA may require an APRA-regulated entity to review and change its tolerance levels for a critical operation. APRA may set tolerance levels for an APRA-regulated entity, or a class of APRA-regulated entities, where it identifies a heightened risk or material weakness.

Business continuity plan
  • An APRA-regulated entity’s BCP must include:
    – the register of critical operations and associated tolerance levels;
    – triggers to identify a disruption and prompt activation of the plan, and arrangements to direct resources in the event of activation;
    – actions it would take to maintain its critical operations within tolerance levels through disruptions;
    – an assessment of the execution risks, required resources, and preparatory measures, including key internal and external dependencies needed to support the effective implementation of the BCP actions;
    – a communications strategy to support execution of the plan.
  • An APRA-regulated entity must maintain the capabilities required to execute the BCP, including access to people, resources, and technology.
  • An APRA-regulated entity must monitor compliance with its tolerance levels and report any failure to meet tolerance levels, together with a remediation plan, to the Board.
  • An APRA-regulated entity must notify APRA as soon as possible, and not later than 24 hours after, it has suffered a disruption to a critical operation outside tolerance. The notification must cover the nature of the disruption, the action taken, the likely impact on the entity’s business operations, and the timeframe for returning to normal operations.

Testing and review
  • An APRA-regulated entity must have a systematic testing program for its BCP that covers all critical operations and includes an annual business continuity exercise. The program must test the effectiveness of the entity’s BCP and its ability to meet tolerance levels in a range of severe but plausible scenarios.
  • The testing program must be tailored to the material risks of the APRA-regulated entity and include a range of severe but plausible scenarios, including disruptions to services provided by material service providers and scenarios where contingency arrangements are required. APRA may require the inclusion of an APRA-determined scenario in a business continuity exercise for an APRA-regulated entity, or a class of APRA-regulated entities.
  • An APRA-regulated entity must update its BCP, as necessary, on an annual basis to reflect any changes in legal or organisational structure, business mix, strategy, or risk profile, or to address shortcomings identified through the review and testing of the BCP.
  • An APRA-regulated entity’s internal audit function must periodically review the entity’s BCP and provide assurance to the Board that the BCP sets out a credible plan for how the entity would maintain its critical operations within tolerance levels through severe disruptions, and that testing procedures are adequate and have been conducted satisfactorily.

Requirements for the management of service provider arrangements

Regulated entities are likely to have to maintain a comprehensive service provider management policy, as well.

That policy must cover how the entity will identify material service providers and manage service provider arrangements, including the management of material risks associated with those arrangements.

The relevant policy must include:

  • The entity’s approach to entering into, monitoring, substituting and exiting agreements with material service providers
  • The entity’s approach to managing the risks associated with material service providers
  • The entity’s approach to managing the risks associated with any fourth parties that material service providers rely on to deliver a critical operation to the APRA-regulated entity

Further requirements include:

Material service providers
  • Must identify and maintain a register of its material service providers and manage the material risks associated with using these providers.
  • Material service providers are those on which the entity relies to undertake a critical operation or that expose it to material operational risks.
  • Material arrangements are those on which the entity relies to undertake a critical operation or that expose it to material operational risk.
  • Must, at a minimum, classify a provider of the following services as a material service provider:
    – Credit assessment, funding and liquidity management, and mortgage brokerage
    – Underwriting, claims management, insurance brokerage, and reinsurance
    – Fund administration, custodial services, investment management, and arrangements with promoters and financial planners
    – Risk management, core technology services, and internal audit.
  • Submit its register of material service providers to APRA on an annual basis.
  • APRA may require an APRA-regulated entity, or a class of APRA-regulated entities, to classify a service provider, or type of service provider, as material.

Service provider agreements
  • Before entering into or materially modifying a material arrangement, an APRA-regulated entity must:
    – Undertake appropriate due diligence, including an appropriate selection process and an assessment of the ability of the service provider to provide the service on an ongoing basis;
    – Assess the financial and non-financial risks from reliance on the service provider, including risks associated with the geographic location or concentration of the service provider(s) or of parties the service provider relies on in providing the service.

Monitoring, notifications, and review
  • Monitor and report to senior management on material service provider arrangements, commensurate with the nature and usage of the service.
  • Notify APRA:
    – As soon as possible, and not more than 20 business days after, entering into or materially changing an agreement for the provision of a service on which the entity relies to undertake a critical operation;
    – Prior to entering into any offshoring agreement with a material service provider, or when a significant change to the agreement is proposed, including in circumstances where data or personnel relevant to the service being provided will be located offshore.
  • Review any proposed outsourcing arrangement with a material service provider for a critical operation, and regularly report to the Board or Board Audit Committee on compliance with the entity’s service provider management policy for such arrangements.

Role of digital technology in APRA compliance

For APRA-regulated entities, the standard might seem like a lot. However, adhering to best practices in risk management and business continuity is beneficial in and of itself.

Furthermore, digital technology can help. Platforms like Noggin Continuity enable APRA-regulated entities to automate the key business continuity management functions that support compliance with most CPS 230 and CPS 232 Business Continuity Management requirements.

Relevant functions to help ensure compliance include:

  • Define domains, critical business activities, assets, and sites, as well as record inter-dependencies
  • Assess the risk and impact of outages across activities, assets, and sites, and implement risk treatment plans and actions to mitigate risks, and reduce the likelihood or impact of incidents
  • Assign and track business impact assessment and risk management activities for organisational unit owners
  • Set recovery targets for business activities and report on progress against those targets as incidents occur
  • Visualise and report on the risk profile of the business and the impact on critical services
  • Digitise business continuity, crisis, and incident response plans, including strategies and considerations, roles and responsibilities, and pre-assigned checklists ready to deploy when incidents occur
  • Activate crisis and incident management teams including structures, roles, capabilities required, and on-call resources
  • Record and manage incidents and response tasks, log and share updates, decisions, facts, and assumptions, and produce situation reports and briefings
  • Initiate and track investigations, capture evidence and related actions
  • Conduct exercises, post-incident reviews, and lessons learned
  • Visualise locations of incidents, risks, people, and assets using the fully integrated mapping features
  • Communicate alerts, notifications and updates via email, SMS, voice, or the Noggin app
  • Manage key details of staff, contractors, customers, suppliers, regulators, and external parties
  • Display key information where it is needed using flexible dashboards, analytics, and reporting that caters for all stakeholders
  • Automate and lead people through procedures, with fully-configurable workflows

Finally, as laid out, APRA has officially released its new cross-industry Prudential Standard CPS 230 Operational Risk Management, setting out minimum standards for managing operational risk, with which entities have until 2025 to comply. It also plans to update requirements for business continuity.

Get ahead of the 2025 compliance date while enhancing your resilience bona fides.

Not sure how? Noggin’s business continuity software and resilience management software can help. Not only will they help you comply with whatever standard comes down the pike, but they will let you run every aspect of operational risk management (including business continuity) seamlessly, making it easier for everyone at the firm to engage and contribute.

Request a demonstration to see Noggin in action for yourself.