Skip to main content

      Strengthening your operational risk and resilience practices

      The Australian Prudential Regulation Authority (APRA) release of cross-industry Prudential Standard CPS 230 Operational Risk Management has been designed to strengthen operational risk management and resilience across APRA-regulated entities.

      CPS 230 applies to entities in financial services including banking, insurance and superannuation fund organisations.

      The standard underpins CPS 220 Risk Management and replaces several existing standards including CPS/SPS 232 Business Continuity management and CPS/SPS/HPS 231 Outsourcing.

      If you need help to comply with CPS 230 by 1 July 2025, contact us

      Final guidance for APRA's Prudential Practice Guide CPG 230

      On 13 June 2024, APRA formally released its final Prudential Practice Guide CPG 230 Operational Risk Management.

      In response to consultation feedback received from 16 entities and industry bodies, APRA recognised the requirement for greater clarity to avoid the creation of unintentional practical difficulties during implementation.

      The guidance has been simplified to be shorter, sharper and focused on effective baseline compliance. Whilst maintaining strong expectations around achieving resilience, APRA has effectively given regulated entities more flexibility around how they achieve stronger resilience outcomes by applying more of a risk-based lens to their approaches.

      Key changes include:

      • Day One checklist

        Entities should consider the summary of requirements and suggested order of implementation in their plans.

      • Additional time for Non-Significant Financial Institutions

        Non-Significant Financial Institutions have an additional 12 months to comply with certain requirements in CPS 230 relating to business continuity and scenario analysis.

      • APRA 3-year plan

        A 3-year forward plan has been provided on APRA’s intended approach to supervising CPS 230 to assist industry with implementation and planning.

      CPS 230 timeline

      • April 2023

        APRA announces revised implementation table

      • June 2024

        Release of final CPG 230

      • Mid-2024

        Material service providers / critical operations identified*

      • End of 2024

        Entities positioned to set tolerance levels*

      • 1 July 2025

        CPS 230 commences*

      • 1 July 2026

        CPS 230 all requirements in effect for all entities

       

      * Proactive transition period, regulated entitites prepare for new requirements

      Key considerations for CPS 230

      In consideration of the timeframe for implementation, APRA regulated entities should have a robust implementation plan, identifying the uplifts required to be compliant with the standard. The standard and accompanying Prudential Practice Guide reflect many aspects of better practice across Operational Risk Management and Resilience globally.

      APRA has introduced a proactive transition period where they would see entities have identified Material service providers and critical operations by mid-2024, with entities setting tolerance levels by the end of 2024. This supports the heightened expectations on maturity before the July 2025 effective date.

      Key themes of CPS 230 to consider include:

      • Be prepared for risk events – Entities must ensure effective process to support the management and response to risk events, effectively reducing their impact.
      • Know your customer and market impacting Critical Operations – Entities must have an end-to-end understanding of critical operations and the associated resources which are critical to the operation to ensure appropriate mitigating controls are in place to prevent disruption and manage risk within appetite.
      • Be resilient – Entities must be able to continue to operate through the ever-increasing breadth of disruption, providing critical services to their customers and the market.
      • Protect the entity and the community – Business Continuity Planning and exercising will be critical to ensure that the impact of disruptions is minimised to an acceptable/tolerable level.
      • Effectively manage service provider risk – Entities must ensure they have processes in place to identify, assess, manage, and govern service providers that are critical to service delivery or pose a material risk.

      CPS 230 compliance: Areas of focus

      • Operating model

        Ensure you have a future fit target operating model with clear roles and responsibilities.

      • Critical operations identification

        Define the methodology and approach to identify your critical operations.

      • Service providers

        Enhance your frameworks, identification and risk management relating to material service providers.

      • Recovery of critical operations

        Utilise existing business continuity and IT disaster recover capabilities to support the recovery of critical operations.

      • Incident escalation

        Implement an effective incident management approach to ensure escalation and notification to APRA within time-frame.

      • Controls management

        Develop a robust controls management approach to ensure the controls mitigating your critical operations are tested frequently, weaknesses identified and plans in place to remediate.

      Guidance for CPS 230 compliance

      Understanding the impact of APRA's Prudential Standard CPS 230 is complex. Learn more about APRA's guidance and implementation timeline through KPMG's summaries.

      Download

      CPG 230 Operational Risk Management

      Guidance on APRA's release of final Prudential Practice Guide CPG 230 Operational Risk Management.
      Download

      Download

      CPS 230 Operational Risk Management – July 2023

      Final Rule released
      Download
      Download

      CPS 230 Operational Risk Update – May 2023

      A change of date, and change of approach
      Download
      Download

      Key elements of draft prudential standard CPS 230

      Draft CPS 230 Operational Risk Management
      Download
      Download

      Aligning CPS 230 to existing regulatory architecture

      CPS 230 Operational Risk Management
      Download
      Download

      Considerations for a periodic assurance review

      CPS 230 Operational Risk Management
      Download
      Download

      CPS 230 – Considerations for the Chief Operating Officer

      CPS 230 Operational Risk Management
      Download

      CPS 230 operational risk management implementaton

      KPMG’s experienced risk and resilience teams support Global Financial Services clients throughout Australia, Europe, the United Kingdom and APAC to respond to evolving regulation and framework changes and implementation of operational risk management and resilience practices.

      KPMG recommends that the Board and Executive Teams prioritise what their organisation can and should have in place by 1 July 2025 for CPS 230.

      It is expected that implementing CPS 230 will be a multi-year program of work that will have a lengthy duration period but the outcome will help businesses achieve a strong position of operational resilience which will benefit your customers and your stakeholders.

      Related services

      Helping you assess, transform and manage third-party risk – boosting resilience, ensuring compliance and building confidence at every step.
      Third-Party Risk

      We work with our financial services clients to help them thrive in a rapidly transforming industry.
      Financial Services

      KPMG's Operational Risk Management team

      To understand the impact of Prudential Standard CPS 230 on your business, contact KPMG’s operational risk specialists for an individual briefing.

      Gavin Rosettenstein
      Gavin Rosettenstein

      Partner, Third Party Risk Management

      KPMG Australia

      Matt Tottenham
      Matt Tottenham

      Partner, Risk Strategy & Technology

      KPMG Australia

      Related insights

      Something went wrong

      Oops!! Something went wrong, please try again

      Prudential Standard CPS 230 FAQs

      The standard applies to all APRA-regulated entities which includes:

      • Banking – Authorised deposit-taking institutions (ADIs), including Foreign ADIs, and non-operating holding companies (NOHCs)
      • General Insurance – Including Category C insurers, NOHCs and parent entities of Level 2 insurance groups
      • Life Insurance – Including friendly societies, eligible foreign insurance companies (EFLICs) and NOHCs
      • Private Health Insurance – Registered under the PHIPS Act
      • Superannuation – Registerable superannuation entity licensees (RSE licensees)

      The standard is relevant for the Australian branch operations for foreign ADI, Category C insurer and EFLIC entities. Where the entity is the Head of a Group, it must comply with CPS 230.

      As part of APRA's plan to modernise the architecture of prudential standards and guidance for banks, insurers and superannuation funds, CPS 230 Operational Risk Management is a combination of five existing APRA standards, these being:

      • CPS 231 Outsourcing
      • CPS 232 Business Continuity Management
      • SPS 231 Outsourcing (Superannuation)
      • SPS 232 Business Continuity Management (Superannuation)
      • HPS 231 Outsourcing (Private Health Insurance)

      This standard aims to ensure banks, insurers and superannuation funds better manage operational risk, the ability to respond to business disruption and manage the risks from the use of service providers.