Skip to main content
Status: Pending
April 2024

Operational risk management

This page sets out details of APRA’s proposals in relation to Operational Risk Management for all APRA-regulated entities, it includes a discussion paper and proposed new prudential standard.

October 2024
 

On 17 October, APRA released a material service provider register template as announced in the Response to submissions – CPG Operational Risk Management publication in June 2024.

The use of the template is APRA’s preferred method for regulated entities to submit their registers to APRA for meeting the requirement of paragraph 51 of Prudential Standard CPS 230 Operational Risk Management (CPS 230). A completed material service provider register is to be submitted back to APRA by authorised deposit-taking institutions (ADIs), superannuation trustees, and insurers by 1 October 2025.

Material Service Provider Register Template


June 2024

 

On 13 June, APRA released the final cross-industry Prudential Practice Guide CPG 230 Operational Risk Management (CPG 230).

CPG 230 provides guidance to assist entities with the implementation of, and compliance with, Prudential Standard CPS 230 Operational Risk Management.

A Response to submissions on the consultation on draft CPG 230, the final version of CPG 230 and non-confidential submissions are available below:

Media release:  APRA finalises cross-industry guidance on operational resilience

 

Response to submissions

Response to submissions - CPG 230 Operational Risk Management

 

Prudential standard


 

Non-confidential submissions


July 2023

 

On 17 July, APRA released the final new cross-industry Prudential Standard CPS 230 Operational Risk Management (CPS 230).

The new standard is designed to strengthen the management of operational risk, respond to business disruptions and manage the risks from the use of service providers for all APRA-regulated entities.

APRA has also released for consultation a draft of Prudential Practice Guide CPG 230 Operational Risk Management (CPG 230) to accompany the new standard. APRA will consult on this draft until 13 October 2023.    

A response to consultation on CPS 230, the clean and marked up versions of CPS 230, the draft CPG 230 and non-confidential submissions are available below:

Media release: APRA finalises new prudential standard on operational risk.

 

Response paper

Response paper - Operational Risk Management 

 

Prudential standard

Prudential practice guide


Non-confidential submissions


April 2023

 

On 13 April, APRA released an updated timeline for the implementation of new cross-industry Prudential Standard CPS 230 Operational Risk Management (CPS 230).

APRA received a range of feedback from regulated entities and other stakeholders during consultation, including a request for more time for preparation before the requirements come into effect. Accordingly, APRA intends to:

  • move the effective date for the new standard to 1 July 2025; and
  • provide transitional arrangements for pre-existing contractual arrangements with service providers, with the requirements in the standard applying from the earlier of the next contract renewal date or 1 July 2026.

APRA plans to release a final version of the standard, together with draft supporting guidance, in mid-2023.

July 2022

 

On 28 July, APRA released for consultation a new prudential standard designed to strengthen the management of operational risk in the banking, insurance and superannuation industries. 

APRA proposes to introduce a new cross-industry Prudential Standard CPS 230 Operational Risk Management (CPS 230) which will set out minimum standards for managing operational risk, including updated requirements for business continuity and service provider management.

Written submissions are requested by 21 October 2022.

The discussion paper and draft CPS 230 are available below:

Media release: APRA consults on new prudential standard to strengthen operational resilience.

 

Discussion paper:

Discussion paper - Strengthening operational risk management 

 

Prudential standard

Note on submissions

It is APRA's policy to publish all submissions on the APRA website unless the respondent specifically tells APRA in writing that all or part of the submission is to remain confidential. An automatically generated confidentiality statement in an email does not satisfy this purpose. If you would like only part of your submission to be confidential, you should provide this information marked as 'confidential' in a separate attachment.

Submissions may be the subject of a request for access made under the Freedom of Information Act 1982 (FOIA). APRA will determine such requests, if any, in accordance with the provisions of the FOIA. Information in the submission about any APRA-regulated entity that is not in the public domain and that is identified as confidential will be protected by section 56 of the Australian Prudential Regulation Authority Act 1998 and will therefore be exempt from production under the FOIA.