Strengthening your operational risk and resilience practices
KPMG is pleased to share information on The Australian Prudential Regulation Authority (APRA) release of cross-industry Prudential Standard CPS 230 Operational Risk Management, which has been designed to strengthen the management of operational risk by all APRA-regulated entities.
The proposed standard underpins CPS 220 Risk Management and replaces several existing standards including CPS/SPS 232 Business Continuity management and CPS/SPS 231 Outsourcing.
CPS 230 timeline
July 2022
APRA consults on draft CPS 230
April 2023
APRA announces revised implementation timetable
July 2023
APRA releases Final CPS 230*
Mid July 2024
Material service providers / critical operations identified*
End 2024
Entities positioned to set tolerance levels set*
1 July 2025
CPS 230 commences*
1 July 2026
Transition ends for existing contracts with service providers
Key considerations for CPS 230
In consideration of the proposed timeframe for implementation, APRA regulated entities should start considering the key components of the proposed standard now to ensure they are appropriately prepared.
APRA has introduced a proactive transition period where they would see entities have identified Material service providers and critical operations by mid-2024, with entities setting tolerance levels by the end of 2024. This supports the heightened expectations on maturity before the July 2025 effective date.
Key themes of CPS 230
- Be prepared for risk events – Entities must ensure effective process to support the management and response to risk events, effectively reducing their impact
- Be resilient – Entities must be able to continue to operate through the ever-increasing breadth of disruption, providing critical services to their customers.
- Protect the entity and the community – Business Continuity Planning and exercising will be critical to ensure that the impact of disruptions is minimised to an acceptable/ tolerable level
CPS 230 areas of focus
- Operating model
- Critical operations
- Material service providers
- Business continuity
- Incident management
- Controls management
Download further guidance
Strengthening your operational risk practices
The KPMG team has deep experience in supporting our Global Financial Services clients across Europe, the UK and ASPAC to respond to evolving regulation and framework changes and implement Operational Risk and Resilience practices.
Regular updates comprised of thoughts, insights and learnings about this important regulatory change will be rolled out.
It is our recommendation that the Board and Executive Teams should prioritise focus on what your organisation can and should have in place by 01 July 2025 for CPS 230, leading to a business case for funding a multi-year program of work that will have a longer duration but will achieve a deeper impact for the benefits of your customers and your stakeholders.
Please contact us for an individual briefing on what the changes will mean for you.
