Response to submissions - CPG 230 Operational Risk Management
Executive summary
In 2023 APRA released a new cross-industry standard, Prudential Standard CPS 230 Operational Risk Management (CPS 230), to strengthen the management of operational risk and improve business continuity planning. APRA then consulted on draft supporting guidance, Prudential Practice Guide CPG 230 Operational Risk Management (CPG 230).
This paper summarises stakeholder feedback on the consultation draft of CPG 230 and APRA’s response. The guidance is now final and available on APRA’s website.
Aims of CPS 230 Operational Risk Management
Managing operational risk is crucial to prudential safety and business performance. It helps to protect financial health, ensures business continuity and maintains compliance with legal obligations. It also supports an entity’s reputation, decision-making, efficiency and innovation.
Disruptions to financial services can have a major impact on people who rely on them to save, spend, recover from financial loss and/or support themselves in retirement. Some disruptions can affect broader confidence in, and function of, the financial system. The indirect customer impacts are hard to quantify, but if direct financial impacts on financial services are any indication the costs can be considerable. According to the ORX global banking database, there were more than 65,000 loss events between 2016 and 2021, with losses totalling close to $600 billion over six years.[1]
In Australia, there have been several recent high-profile operational failures, including material cyber breaches, which further underline the need for a pivot in operational resilience practices. At its heart, CPS 230 requires APRA-regulated entities to safeguard the resilience of their critical operations, by strengthening operational risk management; improving business continuity planning; and enhancing third party service provider management.
Consultation feedback on CPG 230 Operational Risk Management
APRA received 16 submissions from entities and industry bodies across all regulated industries during consultation on draft CPG 230. The submissions highlighted areas requiring greater clarity or where the draft guidance could unintentionally create practical difficulties in implementation. Several common themes emerged, including concerns that:
- some entities and cohorts may not be ready to comply with the Standard by 1 July 2025;
- there was insufficient guidance on how proportionality would apply, particularly for small and mid-sized entities;
- it takes time and resource effort to assess the materiality of service providers and update key arrangements;
- in respect of assurance from fourth parties, the steps in the draft guidance would be commercially difficult to achieve and expensive to maintain; and
- in providing ‘better practice’ examples and advice, the guidance inadvertently created confusion in terms of what was needed to meet enforceable requirements (e.g. for documenting processes, scenario testing).
Key changes
APRA has acknowledged this feedback and sought to address concerns where possible, while ensuring that the intent of the Standard – that entities improve operational resilience where needed – is still delivered. In summary, APRA has given smaller entities more time to comply with some components; simplified the guidance to align more closely with the Standard; and provided information about what to expect from APRA supervision.
Delayed start date for parts of CPS 230 for non-SFIs
CPS 230 will still come into effect on 1 July 2025 for all APRA-regulated entities.
APRA will, however, give non-SFIs a 12-month extension on requirements relating to business continuity and scenario analysis. These elements are typically completed toward the end of the implementation journey. In offering more time, APRA is looking to give smaller entities a bit more space to get the foundations right.
Non-SFIs may transition to CPS 230 in full, ahead of this schedule. Entities that avail themselves of the extra time must comply with existing prudential standards CPS 232 Business Continuity Management and SPS 232 Business Continuity Management in the interim. See Appendix A for more detail.
Shorter, sharper guidance – focused on effective ‘baseline’ compliance
APRA has revised draft CPG 230. The final version is shorter and more focused. It provides guidance on how to comply with the Standard but refrains from outlining what may be considered ‘better practice’. This means that the draft guidance on matters that caused the most consternation has been recalibrated or removed altogether.
What to expect from APRA
Given the scale and importance of CPS 230, APRA has set out its supervision programme (below) to support implementation. In so doing, APRA is looking to be more transparent about our approach and to help entities to plan. APRA recognises that for some entities, it will be a significant transition. Where concerns exist about compliance on ‘day one’, entities should let their supervisor know.
Implementation
Advice for transition (2024-2026)
APRA already requires regulated entities to manage operational risk. In preparing to comply with CPS 230, regulated entities are not starting from scratch.
APRA expects regulated entities to be proactive in their implementation. Every entity should now be actively working on transition to CPS 230. Those that are more advanced, and especially those that have embarked on pilots, are reporting that it is generating insights and improving the way they manage risk.
Figure 1: Implementation timeline
It has become evident that some entities have adopted a ‘bottom-up’ approach to CPS 230. While there is merit in this approach, it is often slower than the alternative. Entities that adopt a ‘top-down’ approach report greater insight into resilience of critical operations, and progress on implementation. In practice, this means starting by identifying critical operations, then the material service providers that support them.
Day one checklist for entities (2025)
For ease of reference, a summary of CPS 230 requirements and suggested order of implementation is provided at Appendix B.
There are limited requirements for notifications to APRA in CPS 230. The key obligations consist of event-based notifications and the annual submission of the Material Service Provider register (MSP register). APRA requests entities to submit their first MSP register by 1 October 2025.
APRA’s supervision programme (2025-2028)
The following is APRA’s supervision programme for the first three years of CPS 230.
| | 2025-26 | 2026-27 | 2027-28 |
|---|---|---|---|
| SFIs | Prudential review with a small subset of entities. | Prudential review with another subset of entities. | BAU ongoing supervision. |
| Non-SFIs | Prudential meeting with reviews on exceptions basis only. | Prudential review with a small subset of entities. | Prudential review with another subset of entities. |

All entities: APRA may consult on a formal reporting standard.
1. Common issues and APRA’s response
1.1 General comments on CPG 230
Comments received
Many of the comments from submissions, and in subsequent engagement with industry, sought to clarify APRA’s expectations of entities as set out in CPG 230. This included requests for further examples; advice on how to apply expectations in a proportionate way; and clarity about whether ‘better and best practice’ insights were de facto requirements. There was also confusion about the scope of work involved, and how to efficiently sequence implementation.
APRA’s response
APRA has streamlined the guidance following consultation, to make expectations clearer. This includes removal of references to better and best practice examples to make it clear that these are not additional requirements. The updated guidance also clarifies APRA’s recommended approach to implementation. An entity may apply CPS 230 commensurate with the size, business mix and complexity of its operations.
1.2 Timeline and key milestones
CPS 230 was originally going to commence on 1 January 2024. Following consultation on the draft Standard, based on concerns raised by industry, APRA delayed commencement until 1 July 2025 and included a further one-year transition to July 2026 to allow entities time to review contracts with existing material service providers.
Comments received
Some submissions argued that the implementation timeline remains challenging. This was based on views that:
- there is a significant volume of work required, especially around the assessment to identify material service providers;
- updating contracts with existing service providers is both time and resource intensive; and
- managing operational risk implementation alongside other regulatory projects is challenging.
APRA’s response
APRA notes the challenges of implementation, and that the timeline was previously extended. Entities should already be well advanced in their planning for implementation. APRA will, however, provide extra time for entities that are non-SFIs to comply with certain requirements in CPS 230. In the interim, some existing requirements in both CPS 232 and SPS 232 will continue to apply unless the entity has elected to comply earlier (see Appendix A for details).
The final CPG 230 and responses to issues outlined here will assist entities in implementation. Key timelines (see Figure 2) are as advised in the July 2023 Response Paper but with additional transition for non-SFIs to meet certain requirements as noted above.
Figure 2: Implementation timeline
1.3 Proportionality
APRA consulted broadly on how proportionality might apply in the context of CPS 230. After consideration of submissions on the Standard, and as noted in the July 2023 Response Paper, APRA determined last year that CPS 230 will apply to all regulated entities, commensurate with the size, business mix and complexity of an individual entity’s operations.
Comments received
The issue of proportionality was raised by all key industry bodies in their submissions, consistent with broader feedback to APRA. Many submissions requested further guidance about how to take a proportionate approach, particularly in the context of business process mapping, scenario analysis and the management of third and fourth parties.
APRA’s response
Consistent with the Standard, CPG 230 does not explicitly set different expectations between SFIs and non-SFIs. However, proportionality will manifest in two distinct ways.
- CPS 230 sets ‘baseline’ expectations for all entities. APRA expects SFIs to have stronger practices commensurate with the size and complexity of their operations.
- All entities will mature their practices over time as their business operations grow and evolve, and to match the scale of their risks and role in the financial system.
With respect to specific matters like business process mapping, scenario analysis and management of service provider risks, the final guidance has been recalibrated to allow entities more discretion in their approach.
1.4 Material service providers
CPS 230 requires entities to assess their service providers to determine whether they are material for the purposes of the Standard. An entity is required to ensure all material service providers (MSPs) meet the requirements under CPS 230 where an arrangement with an MSP is a material arrangement.
Comments received
Requirements for MSPs were a key theme in submissions. This included concerns around the perceived work required to assess all service providers and to identify MSPs, and the potential number of service providers that will fall within the MSP category. Questions were also raised about when an entity’s register of MSPs is to be provided to APRA.
APRA’s response
APRA notes that starting with identification of an entity’s critical operations will assist in making this requirement more focused and should provide greater clarity around who an entity’s MSPs are for the purposes of CPS 230.
CPS 230 requires entities to provide their MSP register to APRA on an annual basis. APRA requests that the first MSP register is submitted by 1 October 2025. In Q3 2024, APRA will provide a template for the MSP register.
1.5 Fourth parties
CPS 230 requires an entity to set out its approach to the management of risks associated with fourth parties that material service providers rely on to deliver a critical operation, as part of its service provider management policy. Draft CPG 230 set out areas that would ideally be addressed by the policy, including risks associated with fourth parties and other downstream providers.
Comments received
Submissions raised concerns about APRA’s expectations of fourth party management and oversight. As well as seeking direction on APRA’s expectations of industry in managing fourth party risks, submissions noted the commercial difficulty of obtaining information about fourth parties, and costs of oversight of third and fourth parties.
APRA’s response
It is important that entities are aware of fourth parties that their service providers rely on in delivering critical operations. Without this information, entities may not have a full picture of the risks arising from this reliance.
APRA acknowledges the difficulties raised and has moderated the expectations in the guidance. On fourth parties, an entity is now expected to:
- outline, as part of its service provider management policy, its approach to managing the risks associated with any fourth parties that MSPs rely on to deliver a critical operation (CPS 230); and
- take reasonable steps to know who the (fourth) parties are that an MSP relies on, in delivering a service necessary to support a critical operation (CPG 230).
1.6 Cohorts of service providers
CPS 230 prescribes certain types of service providers as ‘material service providers’. Draft CPG 230 noted that a prudent entity would manage the operational risks associated with cohorts of service providers where the aggregate impact of those service providers is material, but each individual provider is not.
Comments received
Some submissions raised concerns as to how cohorts are to be treated where a cohort is considered material, but individual service providers are not. Submissions also asked whether APRA expects that all service providers in such a cohort would be deemed to be material service providers.
APRA’s response
APRA notes the concerns of industry on this matter. APRA recognises that while a cohort of service providers may be collectively material, some service providers may not be individually material (to deliver a critical operation or otherwise mitigate a material operational risk).
Those that are not individually material do not have to be classified as an MSP. However, APRA does expect that an entity would have additional processes and controls for managing the cohort, to address risks associated with these service providers.
1.7 Interaction between CPS 230 and CPS 900
Draft CPG 230 noted that APRA expects critical functions defined for resolution planning (under Prudential Standard CPS 900 Resolution Planning) would be classified as critical operations under CPS 230.
Comments received
Some submissions raised concerns about the relationship between CPS 230 and CPS 900, including:
- while there is considerable overlap in what is captured by ‘critical functions’ and ‘critical operations’, the approach in the draft guidance may inadvertently ‘expand the net’;
- a need for more clarity about what is expected of contractual arrangements under CPS 900; and
- challenges arising from CPS 900 and CPS 230 implementation advancing at different speeds.
APRA’s response
Draft CPG 230 sought to simplify and streamline entities’ approach to thinking about these two related categories. However, the expectation as stated inadvertently created confusion. While critical functions and critical operations significantly overlap, they are distinct concepts.
Advice on CPS 900 resolution-resilient contracts
Under CPS 900, entities must support resolution planning when notified by APRA. CPS 900 applies to all SFIs, and a subset of non-SFIs which perform functions that APRA deems to be critical to the financial system, industry, or communities. As part of this process, APRA may require entities to amend certain contracts with service providers, to make critical functions contracts ‘resolution resilient’, such that critical functions are maintained in resolution. This may include services that support an entity’s critical functions, business lines, daily operations, and/or resolution capabilities.
APRA considers that resolution-resilient contracts are those that:
- have been amended to ensure that service providers may not terminate, cancel, suspend, or vary terms solely on the grounds of APRA exercising any of its powers in connection with resolution; and
- ensure continued access, on arm’s length commercial terms, to services after APRA exercises its powers in connection with resolution. This includes continuity through any restructure or transfer that may be part of the resolution plan.
If efficient, entities may wish to amend contracts to meet CPS 900 at the same time as they make their CPS 230 updates, rather than re-open the contracts again when APRA initiates resolution planning with them. The advice above is intended to support entities in doing so, by outlining what APRA considers resolution-resilient contracts should provision for.
1.8 Insurance brokers and reinsurance
CPS 230 prescribes certain service providers as material service providers. In relation to insurance, CPS 230 requires an insurer to classify a provider of services for underwriting, claims management, insurance brokerage and reinsurance as a material service provider.
Comments received
While CPS 230 is final, several submissions made comments on this matter and sought further clarification around the specific details of how the designation of insurance brokers and reinsurers as MSPs would work in practice. There were also general concerns expressed pertaining to the capture of brokers and reinsurers as material service providers regardless of their size or the nature and scope of services being provided to an insurer.
APRA’s response
CPS 230 does not intend to capture arm’s length transactions such as the purchase of reinsurance, or the intermediation of an insurance policy to the insurer’s client facilitated by an insurance broker as meaning the provider of the service would be automatically deemed a material service provider.
Rather, it is intended to capture those arrangements where an insurer relies on a service provider to undertake a critical operation (as defined under paragraph 36 of CPS 230), or the arrangement introduces material operational risk to the regulated entity.
While brokers are a prescribed material service provider under paragraph 50, APRA is aware of the many differing capacities in which brokers operate. APRA expects brokers would only be captured if an entity relies on the broker in delivering a critical operation or the broker introduces material operational risk to the regulated entity.
1.9 Provision of services by the same legal entity
While not explicitly covered in CPG 230, the issue of the application of CPS 230 in the context of services provided by another part of the same legal entity (typically located offshore) - which could include the parent of the Australian branch operation, or another branch located in another jurisdiction - has been raised with APRA.
Comments received
Some submissions sought clarity on the issue of the provision of services by other parts of the same legal entity.
APRA’s response
As noted in footnote 15 of CPS 230, a material service provider may be a third party, related party or connected entity. Therefore, references to material service providers refer to parties that are not part of the same legal entity as the regulated entity.
Where an entity relies on another part of the same legal entity for the provision of a service in relation to a critical operation, APRA expects there would be an appropriate assessment of the risks associated with the provision of that service. There should also be service level agreements or other mechanisms such that the regulated entity is appropriately informed of issues and other matters that could impact on the provision of the service that is essential to its critical operations.
1.10 Application to non-regulated subsidiaries of a regulated entity
Several entities have sought clarification from APRA as to how CPS 230 applies to subsidiaries that are not regulated by APRA.
APRA’s response
CPS 230 does not directly apply to an entity that is a non-regulated subsidiary of a regulated entity. However, the group provision in paragraph 4 of CPS 230 applies. Essentially, paragraph 4 requires an APRA-regulated entity that is the Head of a group to ensure that the requirements in CPS 230 are applied appropriately throughout the group, including in relation to entities that are not APRA-regulated.
It is up to an entity that is the Head of a group to determine how the requirements in CPS 230 are appropriately applied to non-regulated entities of the group.
However, APRA’s expectation for a material non-regulated subsidiary (that is, one that could have a material adverse impact on the regulated entity) is that the regulated entity would apply the requirements in CPS 230 to such a subsidiary in their entirety. While it is at the regulated entity’s discretion to determine a different approach to how CPS 230 applies, it would need to be able to justify its decision to take an approach other than full application.
Appendix A: Transition details for non-SFIs
CPS 230: requirements that will now commence 1 July 2026 for non-SFIs (previously 1 July 2025)
40. An APRA-regulated entity’s BCP must include:
41. An APRA-regulated entity must maintain the capabilities required to execute the BCP, including access to people, resources and technology. An APRA-regulated entity must monitor compliance with its tolerance levels and report any failure to meet tolerance levels, together with a remediation plan, to the Board.
43. An APRA-regulated entity must have a systematic testing program for its BCP that covers all critical operations and includes an annual business continuity exercise. The program must test the effectiveness of the entity’s BCP and its ability to meet tolerance levels in a range of severe but plausible scenarios.
44. The testing program must be tailored to the material risks of the APRA-regulated entity and include a range of severe but plausible scenarios, including disruptions to services provided by material service providers and scenarios where contingency arrangements are required. APRA may require the inclusion of an APRA-determined scenario in a business continuity exercise for an APRA-regulated entity, or a class of APRA-regulated entities.
45. An APRA-regulated entity must update, as necessary, its BCP on an annual basis to reflect any changes in legal or organisational structure, business mix, strategy or risk profile or for shortcomings identified as a result of the review and testing of the BCP.
46. An APRA-regulated entity’s internal audit function must periodically review the entity’s BCP and provide assurance to the Board that the BCP sets out a credible plan for how the entity would maintain its critical operations within tolerance levels through severe disruptions and that testing procedures are adequate and have been conducted satisfactorily.
CPS 232: requirements that continue until 30 June 2026 for non-SFIs
30. An APRA-regulated institution must maintain at all times a documented BCP for the institution that meets the objectives of the institution’s BCM policy.
31. The BCP must document procedures and information that enable the institution to:
32. The BCP must reflect the specific requirements of the institution and must identify:
33. Where material business activities are outsourced, an APRA-regulated institution must satisfy itself as to the adequacy of the outsourced service provider’s BCP and must consider any dependencies between the two BCPs.
34. An APRA-regulated institution must review and test the institution’s BCP at least annually, or more frequently if there are material changes to business operations, to ensure that the BCP can meet the BCM objectives. The results of the testing must be formally reported to the Board or to delegated management.
35. The BCP must be updated if shortcomings are identified as a result of the review and testing required under paragraph 34.
SPS 232: requirements that continue until 30 June 2026 for non-SFIs
21. An RSE licensee must maintain at all times a documented BCP that meets the objectives of the BCM Policy.
22. An RSE licensee’s BCP must document procedures and information that enable the RSE licensee to:
23. An RSE licensee’s BCP must reflect the specific requirements of the RSE licensee and must identify:
24. Where material business activities are outsourced, an RSE licensee must satisfy itself as to the adequacy of the outsourced service provider’s BCP and must consider any dependencies between the two BCPs.
25. An RSE licensee must review and test its BCP at least annually, or more frequently if there are material changes to its business operations, to ensure that the BCP can meet the BCM objectives. The results of the testing must be formally reported to the Board or to delegated management.
26. The BCP must be updated if shortcomings are identified as a result of the review and testing required under paragraph 25.
Appendix B: CPS 230 compliance checklist
| # | Requirement | Submission to APRA | Updated or new requirement |
|---|---|---|---|
| 1 | Critical Operations (COs) are identified. | Entities are not required to submit their list of critical operations. However, an APRA supervisor could request it. | NEW as concept of critical operations is introduced by CPS 230. |
| 2 | Tolerances are defined and approved by the Board for COs (time, data loss, and service level). | Entities are not required to submit tolerance lists. However, an APRA supervisor could request it, to understand how critical operations are monitored and to confirm Board approval as required by the Standard. | UPDATE as tolerances exist under CPS 232 for time and SLAs. CPS 230 applies a Critical Operations lens. |
| 3 | Material Service Providers (MSPs) are identified. | Entities are required to submit a register of MSPs to APRA on an annual basis. APRA requests the first submission by 1 Oct 2025. This is the key data requirement of CPS 230 along with incident notifications and supplier/offshore notifications. | NEW but building on the requirements that have been in place under CPS 231, in monitoring and oversight of suppliers. |
| 4 | Notifications are operational for material events, tolerance breaches and MSP changes. | Entities are required to have notifications to APRA in place per paragraphs 33 (material events), 49 (tolerance breach) and 59 (MSP arrangement/offshoring changes). | UPDATE as notification requirements do exist under CPS 231 and CPS 232 in the current architecture. |
| 5 | Board Governance & Oversight is in place and clear roles and responsibilities are set. | Entities are not required to submit updated senior management accountabilities or target operating model documentation. This could be requested and discussed as part of a prudential review. | UPDATE to align with the critical operations requirements in CPS 230 but builds on CPS 220 positioning. |
| 6 | Risk Profiles & Reporting is established and supporting oversight accountabilities. | Entities are not required to submit risk profiles or risk reporting as part of compliance with CPS 230. These could be requested and discussed as part of a prudential review. | UPDATE against critical operations and building on CPS 220, 231, 232 foundations. |
| 7 | Accountability for COs, MSPs, and monitoring is in place. | Entities are not required to submit updated operational accountabilities or examples of BAU monitoring, reporting or controls for compliance with CPS 230. These could be requested as part of a prudential review. | UPDATE to accountabilities, to refer to new concepts introduced under CPS 230 building on CPS 220, 231, 232 foundations. |
| 8 | Contract Updates have an extension of 12 months per paragraph 7 of the standard. | Entities have an additional 12 months to ensure that pre-existing service provider arrangements comply with contract requirements under CPS 230. | UPDATE to pre-existing contracts to comply with CPS 230. |
| 9 | Business Continuity Management (BCM) shifts to a Critical Operations focus. | Entities are not required to submit their updated BCM strategy, policy, or plans. These could be requested and discussed as part of a prudential review. | UPDATE of existing BCM policy, plans, testing under CPS 232 to the CPS 230 Critical Operations focus. |
| 10 | Scenarios align with BCM uplift and focus on severe yet plausible scenarios for Critical Operations and Material Service Providers. | Entities are not required to submit their new scenarios or testing results as part of CPS 230 compliance. This could be requested and discussed as part of a prudential review. | UPDATE of existing scenario approach under CPS 232 to apply a CPS 230 critical operations lens. |
Footnote
[1] Banking operational risk loss data report 2022, ORX, June 2022.