Strengthening your operational risk and resilience practices

KPMG is pleased to share information on The Australian Prudential Regulation Authority (APRA) release of cross-industry Prudential Standard CPS 230 Operational Risk Management, which has been designed to strengthen the management of operational risk by all APRA-regulated entities.

The proposed standard underpins CPS 220 Risk Management and replaces several existing standards including CPS/SPS 232 Business Continuity management and CPS/SPS 231 Outsourcing.

CPS 230 timeline

July 2022

APRA consults on draft CPS 230

April 2023

APRA announces revised implementation timetable

July 2023

APRA releases Final CPS 230*

Mid July 2024

Material service providers / critical operations identified*

End 2024

Entities positioned to set tolerance levels set*

1 July 2025

CPS 230 commences*

1 July 2026

Transition ends for existing contracts with service providers

* Proactive transition period, regulated entities prepare for new requirements

Key considerations for CPS 230

In consideration of the proposed timeframe for implementation, APRA regulated entities should start considering the key components of the proposed standard now to ensure they are appropriately prepared.

APRA has introduced a proactive transition period where they would see entities have identified Material service providers and critical operations by mid-2024, with entities setting tolerance levels by the end of 2024. This supports the heightened expectations on maturity before the July 2025 effective date. 

Key themes of CPS 230

  • Be prepared for risk events – Entities must ensure effective process to support the management and response to risk events, effectively reducing their impact
  • Be resilient – Entities must be able to continue to operate through the ever-increasing breadth of disruption, providing critical services to their customers.
  • Protect the entity and the community – Business Continuity Planning and exercising will be critical to ensure that the impact of disruptions is minimised to an acceptable/ tolerable level

CPS 230 areas of focus

  • Operating model
  • Critical operations
  • Material service providers
  • Business continuity
  • Incident management
  • Controls management

Download further guidance

Strengthening your operational risk practices

The KPMG team has deep experience in supporting our Global Financial Services clients across Europe, the UK and ASPAC to respond to evolving regulation and framework changes and implement Operational Risk and Resilience practices.

Regular updates comprised of thoughts, insights and learnings about this important regulatory change will be rolled out.

It is our recommendation that the Board and Executive Teams should prioritise focus on what your organisation can and should have in place by 01 July 2025 for CPS 230, leading to a business case for funding a multi-year program of work that will have a longer duration but will achieve a deeper impact for the benefits of your customers and your stakeholders.

Please contact us for an individual briefing on what the changes will mean for you.

Contact our team