Strengthening your operational risk and resilience practices

The Australian Prudential Regulation Authority's (APRA) cross-industry Prudential Standard CPS 230 Operational Risk Management is designed to strengthen operational risk management and resilience across APRA-regulated entities in financial services, including banking, insurance and superannuation organisations.

The standard underpins CPS 220 Risk Management and replaces several existing standards, including CPS/SPS 232 Business Continuity Management and CPS/SPS/HPS 231 Outsourcing.

Final guidance for APRA's Prudential Practice Guide CPG 230

On 13 June 2024, APRA formally released its final Prudential Practice Guide CPG 230 Operational Risk Management.

In response to consultation feedback received from 16 entities and industry bodies, APRA recognised the need for greater clarity to avoid creating unintended practical difficulties during implementation. The guidance has been simplified to be shorter, sharper and focused on effective baseline compliance. Whilst maintaining strong expectations around achieving resilience, APRA has given regulated entities more flexibility in how they achieve stronger resilience outcomes by applying more of a risk-based lens to their approaches. Key changes include:

  • Day One checklist – Entities should consider the summary of requirements and suggested order of implementation in their plans.
  • Non-Significant Financial Institutions have an additional 12 months to comply with certain requirements in CPS 230 relating to business continuity and scenario analysis.
  • A 3-year forward plan has been provided on APRA’s intended approach to supervising CPS 230 to assist industry with implementation and planning.

CPS 230 timeline

  • April 2023 – APRA announces revised implementation timetable
  • June 2024 – Release of final CPG 230; material service providers and critical operations identified*
  • End of 2024 – Entities positioned to set tolerance levels*
  • 1 July 2025 – CPS 230 commences*
  • July 2025 – Extra transition period begins for non-SFIs for some requirements*
  • 1 July 2026 – CPS 230 all requirements in effect for all entities

* Proactive transition period, during which regulated entities prepare for the new requirements

Key considerations for CPS 230

Given the implementation timeframe, APRA-regulated entities should have a robust implementation plan that identifies the uplifts required to comply with the standard. The standard and the accompanying Prudential Practice Guide reflect many aspects of global better practice in operational risk management and resilience.

APRA has introduced a proactive transition period under which it expects entities to have identified material service providers and critical operations by mid-2024, and to have set tolerance levels by the end of 2024. This supports the heightened expectations on maturity before the 1 July 2025 effective date.

Key themes of CPS 230 to consider include:

  • Be prepared for risk events – Entities must have effective processes to manage and respond to risk events, reducing their impact.
  • Know your customer- and market-impacting critical operations – Entities must have an end-to-end understanding of their critical operations and the resources those operations depend on, so that appropriate mitigating controls are in place to prevent disruption and keep risk within appetite.
  • Be resilient – Entities must be able to continue operating through an ever-increasing breadth of disruptions, providing critical services to their customers and the market.
  • Protect the entity and the community – Business continuity planning and exercising will be critical to keeping the impact of disruptions within an acceptable/tolerable level.
  • Effectively manage service provider risk – Entities must have processes in place to identify, assess, manage and govern service providers that are critical to service delivery or pose a material risk.

CPS 230 areas of focus

  • Ensure you have a future-fit target operating model with clear roles and responsibilities.
  • Define the methodology and approach for identifying your critical operations.
  • Enhance your frameworks, identification and risk management relating to material service providers.
  • Utilise existing business continuity and IT disaster recovery capabilities to support the recovery of critical operations.
  • Implement an effective incident management approach to ensure escalation and notification to APRA within the required timeframe.
  • Develop a robust controls management approach so that the controls mitigating risks to your critical operations are tested frequently, weaknesses are identified, and remediation plans are in place.

CPS 230 guidance

Understanding the impact of APRA's Prudential Standard CPS 230 is complex. Learn more about APRA's guidance and implementation timeline through KPMG's summaries.

CPS 230 operational risk management implementation

KPMG’s experienced risk and resilience teams support Global Financial Services clients throughout Australia, Europe, the United Kingdom and APAC to respond to evolving regulation and framework changes and implementation of operational risk management and resilience practices.

KPMG recommends that the Board and Executive Teams prioritise what their organisation can and should have in place by 1 July 2025 for CPS 230.

Implementing CPS 230 is expected to be a multi-year program of work, but the outcome will help businesses achieve a strong position of operational resilience that benefits both customers and stakeholders.

KPMG's Operational Risk Management team

To understand the impact of Prudential Standard CPS 230 on your business, contact KPMG’s operational risk specialists for an individual briefing.

Prudential Standard CPS 230 FAQs

Which organisations are impacted by CPS 230 Operational Risk Management?

The standard applies to all APRA-regulated entities which includes:

  • Banking – Authorised deposit-taking institutions (ADIs), including Foreign ADIs, and non-operating holding companies (NOHCs)
  • General Insurance – Including Category C insurers, NOHCs and parent entities of Level 2 insurance groups
  • Life Insurance – Including friendly societies, eligible foreign insurance companies (EFLICs) and NOHCs
  • Private Health Insurance – Registered under the PHIPS Act
  • Superannuation – Registerable superannuation entity licensees (RSE licensees)

The standard applies to the Australian branch operations of foreign ADIs, Category C insurers and EFLICs. Where an entity is the head of a group, it must comply with CPS 230 at group level.

What does APRA CPS 230 Operational Risk Management replace?

As part of APRA's plan to modernise the architecture of prudential standards and guidance for banks, insurers and superannuation funds, CPS 230 Operational Risk Management consolidates and replaces five existing APRA standards:

  • CPS 231 Outsourcing
  • CPS 232 Business Continuity Management
  • SPS 231 Outsourcing (Superannuation)
  • SPS 232 Business Continuity Management (Superannuation)
  • HPS 231 Outsourcing (Private Health Insurance)

What is the purpose of CPS 230 Operational Risk Management?

The standard aims to ensure that banks, insurers and superannuation funds better manage operational risk, are able to respond to business disruption, and manage the risks arising from their use of service providers.