
CPS 230: Avoiding Implementation Pitfalls


Following an extensive industry consultation process, APRA released the final new cross-industry Prudential Standard CPS 230 Operational Risk Management (CPS 230) in July 2023.

The new standard introduces fresh operational risk management requirements and consolidates and improves existing requirements around third-party risk management, outsourcing, and business continuity.

CPS 230 is a cross-industry prudential standard that applies to all APRA-regulated institutions, including banks, insurers (general, life, and health), and registrable superannuation entity licensees.

From 1 July 2025, it will replace 5 current prudential standards – CPS/SPS/HPS 231 Outsourcing and CPS/SPS 232 Business Continuity.

CPS 230 will help strengthen and complement other critical APRA prudential standards, including CPS 220 and SPS 220 relating to Risk Management and CPS 234 relating to Information Security.

Implementing CPS 230 is a large body of work, even for the most risk-mature financial institutions. That is because larger entities tend to be more complex by virtue of their size and operating model. Less risk-mature organisations that have flown under the radar with respect to operational risk and resilience will need to step up.

The InConsult risk and resilience team take a close look at CPS 230 from a different perspective. We look at the different roles and responsibilities impacted and the impact on the risk management function. We draft a baseline CPS 230 implementation road map to help guide financial institutions to successful implementation and avoid the pitfalls.

Why is CPS 230 Important?

Operational risk is the broadest risk category that financial institutions grapple with. Operational risks are that ‘bucket’ of risks that are not directly financial in nature and include internal fraud risk, external fraud risk, people and culture risk, systems and process risk, cyber security risk, data management and quality risk, business continuity risk, third party risk, compliance risk, reputational risk etc.

APRA recognises that disruptions to financial services – even temporarily – arising from systems and process failures can have a major detrimental impact on the community, depositors, policyholders, beneficiaries or other customers.

APRA also recognises the increasing reliance of financial institutions on third parties to help deliver those services to customers.

With a growing number of risks and incidents around supply chain interruptions, cybersecurity, and geopolitical and economic instability, the concerns for APRA have increased in recent years.

CPS 230 establishes new and expanded standards to bolster operational resilience and improve how entities manage their operational risks.

Figure: APRA CPS 230 Key Outcomes for Community

By strengthening how entities identify, manage and respond to operational risk events, APRA is aiming to enhance operational and financial resilience, and in turn financial stability.

CPS 230 Key Requirements

At the heart of the new standard are core requirements for APRA-regulated entities to:

  • identify, assess and manage their operational risks, with effective internal controls, monitoring and remediation;
  • be able to continue to deliver their critical operations within tolerance levels through severe disruptions, with a credible business continuity plan (BCP); and
  • effectively manage the risks associated with service providers, with a comprehensive service provider management policy, formal agreements and robust monitoring.

Therefore CPS 230 requires financial institutions to strengthen these 4 pillars:

  • Operational risk management.
  • Business continuity management.
  • Service provider management.
  • Accountability.

What’s all the fuss about? Most financial institutions already have a risk management framework that covers operational risks, a business continuity plan and an outsourcing policy.

The answer is simple! The quality of business continuity management plans and processes and of outsourcing arrangements is often lacking, and there is probably too much inconsistency between financial institutions.

To successfully implement CPS 230, financial institutions must invest significant effort in reviewing their existing capabilities, resources, documentation, and governance arrangements. This is necessary to redesign and enhance these aspects in order to meet the new requirements, ultimately improving the resilience and operational risk management posture of the entities.

CPS 230 strives to address gaps and establish a more uniform approach, akin to the successful outcomes facilitated by CPS 220 and CPS 234. The goal is to direct the boards’ attention towards enhancing operational resilience.

The Key Terms

Operational resilience is the outcome of prudent operational risk management: the ability to effectively manage and control operational risks and maintain critical operations through disruptions.

Critical operations are processes undertaken by a regulated entity or its service provider which, if disrupted beyond tolerance levels, would have a material adverse impact on its depositors, policyholders, beneficiaries or other customers, or its role in the financial system.

Material service providers are those on which the entity relies to undertake a critical operation or that expose it to material operational risk.

Material arrangements are those on which the entity relies to undertake a critical operation or that expose it to material operational risk.

The Role of the Board

CPS 230 is very clear with respect to the board’s responsibilities. The board of an APRA-regulated entity is ultimately accountable for oversight of the entity’s operational risk management. Specific responsibilities include:

  • Setting clear roles and responsibilities for senior managers for operational risk management.
  • Overseeing operational risk management and the effectiveness of key internal controls.
  • Reviewing regular updates from senior management and ensuring action is taken to remediate concerns.
  • Approving the BCP.
  • Approving the tolerance levels for disruptions to critical operations.
  • Reviewing the results of testing and overseeing the execution of any findings.
  • Approving the service provider management policy and any material changes.
  • Reviewing risk and performance reporting on material service providers.
  • Understanding the expected impacts on the entity’s critical operations when making strategic decisions that could affect the resilience of critical operations.

The Role of Senior Management

Whilst the board is responsible for oversight, senior management are responsible for operational risk management across the end-to-end process for all business operations. Specific responsibilities include:

  • Providing the board with regular updates on the entity’s operational risk profile.
  • Receiving reports on material arrangements commensurate with the nature and usage of the service.
  • Taking action as and when required to address any areas of concern, including remediation plans for failures to meet tolerance levels.
  • Receiving reports designed to monitor operational risk and analyse operational risk data.
  • Receiving reports on the results of testing of controls and any gaps or deficiencies in the control environment.

The Role of Internal Audit

Internal audit has an active role in CPS 230, beyond just assurance. Internal audit will be required to get closer to the outsourcing arrangements. Specific responsibilities include:

  • Periodically reviewing the entity’s BCP and providing assurance to the board.
  • Reviewing any proposed material arrangement involving the outsourcing of a critical operation.
  • Regularly reporting to the board or board audit and risk committee on the compliance of outsourcing arrangements with the entity’s service provider management policy.

Impact of CPS 230 on the Risk Management Function and Line Management

The biggest impact of CPS 230 is on the risk management function. That’s because the Standard mandates integration within the “risk management framework,” a domain shaped and overseen by the risk management function.

Operational Risk Management

For operational risk management, a regulated entity must:

  • Develop and maintain governance arrangements for the oversight of operational risk.
  • Align operational risk management to other frameworks including recovery and exit planning, information technology capabilities and information security.
  • Maintain a comprehensive assessment of its operational risk profile.
  • Reassess its operational risk profile, with a defined risk appetite supported by indicators, limits and tolerance levels.
  • Maintain appropriate information systems to monitor operational risk, compile and analyse operational risk data and facilitate reporting.
  • Take incidents and near misses into account in the assessment of the operational risk profile and control effectiveness.
  • Ensure internal controls that are designed to manage operational risks are operating effectively.
  • Design, implement and embed internal controls to mitigate its operational risks in line with its risk appetite.
  • Monitor, review and test controls for design and operating effectiveness and remediate material weaknesses in its operational risk management.
  • Ensure appropriate monitoring, analysis and reporting of operational risks and escalation processes for operational incidents and events.

Business Continuity

For business continuity management, a regulated entity must:

  • Maintain business continuity plan(s) (BCPs).
  • Have a comprehensive understanding of its critical operations and define, identify and maintain a register of its critical operations.
  • Identify and document the processes and resources needed to deliver critical operations. This should include people, technology, information, facilities and service providers and the interdependencies across them.
  • Undertake scenario analysis to identify and assess the potential impact of severe operational risk events, test its operational resilience and identify the need to improve.
  • Notify APRA as soon as possible and not later than 24 hours after an entity has suffered a disruption to a critical operation outside tolerance and the BCP is activated.

Service Provider Management

For service provider management, a regulated entity must:

  • Have a Service Provider Management Policy.
  • Maintain processes for the management of service provider arrangements.
  • Conduct a comprehensive risk assessment before providing a material service to another party.
  • Ensure the operational risks are included in the various reviews required by CPS 220.
  • Notify APRA prior to entering into any material offshoring arrangement, or when there is a significant change proposed to the arrangement.
  • Notify APRA as soon as possible and not more than 20 business days after entering into or materially changing an agreement for the provision of a service on which the entity relies to undertake a critical operation.
  • Submit the register of material service providers to APRA on an annual basis.

Incident Management

For incident management, a regulated entity must:

  • Identify, escalate, record and address operational risk incidents and near misses in a timely manner.
  • Notify APRA as soon as possible, and not later than 72 hours, after becoming aware of an operational risk incident that it determines to be likely to have a material financial impact or a material impact on the ability of the entity to maintain its critical operations.
  • Ensure remediation of gaps, weaknesses and incidents is supported by clear accountabilities and addresses the root causes of weaknesses.

A New CPS 230 Artefact

CPS 230 introduces at least one new artefact that will be required to support implementation, and some existing artefacts will require enhancement. The Service Provider Management Policy must cover how the entity will identify material service providers and manage service provider arrangements, including the management of material risks associated with the arrangements. This replaces the Outsourcing Policy required under CPS 231.

As part of developing a new service provider management policy, regulated entities will need to make sure that their policies include registers of material service providers, approaches to changes of such providers, and approaches to risks associated with such providers (and any fourth parties they rely on).

Other existing artefacts covered by CPS 230 include the business continuity plan (BCP), crisis management plan, recovery and exit plan, business and strategic plans, disaster recovery plan and remediation plan for failure to meet tolerance levels.

CPS 230 Implementation Road Map

CPS 230 aims to strengthen an entity’s operational risk practices. All APRA-regulated entities should understand the requirements of the standard and the implications for their risk management framework, business continuity management, information security, service provider arrangements and governance. Implementation and uplift of CPS 230 will vary depending on the size and complexity of each regulated entity, but here is our guide as a starting point.

September 2023 to December 2023

  • Perform a CPS 230 gap analysis.
  • Risk management to brief senior management and board on the key shortfalls and agree the actions, timeframes and responsibilities to close out these gaps.
  • Risk management function to assess resourcing requirements and change management impacts of CPS 230.
  • Update compliance register/obligations library and tasks to include CPS 230 requirements.
  • Update your operational risk profile. Consider recent gaps, incidents, issues and weaknesses in operational risk controls.

January 2024 to June 2024

  • Identify material service providers and critical operations; these may already be captured in your Business Impact Analysis (BIA) or outsourcing provider register.
  • Refine your processes to promptly identify and remediate material weaknesses including performing root cause analysis and establishing clear accountabilities.
  • Update your BIA templates to better align with CPS 230 and capture any additional CPS 230 requirements not currently included.
  • Hold training and workshops to engage with the business and update your BIAs. The training will help ensure the business and managers understand key objectives of CPS 230 and remove uplift barriers.
  • Identify sound trigger measures and establish monitoring and reporting processes.
  • Review board reporting processes and escalation triggers from senior management to the board.
  • Review board papers to ensure ‘risk implications’ of strategic decisions include impacts on critical operations.
  • Amend BCP and service provider management policy to include board approval.
  • Amend BCP and incident management policy to include triggers for APRA reporting.
  • Revise roles and responsibilities of senior managers and risk management function to ensure roles and responsibilities are aligned to CPS 230.
  • Consider CPS 230 changes to Board Audit & Risk Committee charters and workplans.
  • Liaise with Internal Audit to include CPS 230 requirements in workplans.
  • Review all current contracts with service providers who provide a critical operation to ensure they meet CPS 230 requirements.

July 2024 to March 2025

  • Update information assets register to include age and health and links to critical operations.
  • Update BIA list of critical functions or create a register of critical operations and the tolerance levels for each critical operation.
  • Establish the tolerance levels for each critical operation.
  • Establish monitoring mechanisms for escalation and board reporting.
  • At minimum, document/process map the processes and resources needed to deliver critical operations.
  • Update key elements of your business continuity policy and governance to include regular review, monitoring and testing.
  • Update supplier procurement, onboarding processes and ongoing management processes.

January to June 2025

  • Schedule an independent review and gap analysis of CPS 230 to identify any final gaps prior to implementation.

1 July 2025

  • CPS 230 comes into effect. CPS 231, CPS 232, SPS 231, SPS 232 and HPS 231 cease to operate.
  • All independent CPS 220 reviews need to consider CPS 230 requirements.

1 July 2026

  • Transitional period for pre-existing contractual arrangements with service providers now ends.

2028 to 2030

  • Given the current third party and resilience landscape and APRA’s zero-tolerance approach to disruption-related risks, we predict APRA will require regulated entities to perform tripartite reviews to ensure that they maintain high standards of operational risk management and effectively manage critical operations and supplier risks. Any CPS 230 Tripartite Audit will be a one-off requirement mandating that regulated entities engage an independent auditor to report on the entity’s compliance against CPS 230.

Can We Help?

Working with over 40 APRA-regulated entities, the InConsult team has a deep understanding of financial services and the APRA prudential standards. Since the implementation of the revised APRA Prudential Framework in 2001, we have helped our APRA-regulated clients navigate the myriad regulatory compliance requirements. We can assist in the review, redesign and uplift of internal policies, procedures, frameworks and training initiatives.

If you have any questions, or would like to know how we can help, contact us to discuss your needs.