APRA Releases New Prudential Standard CPS 230 for Operational Risk Management: What You Need to Know
On 17 July 2023, the Australian Prudential Regulation Authority (APRA) released the final version of Prudential Standard CPS 230 Operational Risk Management (CPS 230), which sets minimum standards for managing operational risk across the APRA-regulated industries. For RSE licensees, the new standard replaces Prudential Standard SPS 231 Outsourcing and Prudential Standard SPS 232 Business Continuity Management. In this article, we explore the key changes in CPS 230 compared with the draft version, discuss its implications for APRA-regulated entities, and provide guidance on preparing for its implementation.
What does this mean for me?
The new APRA standard CPS 230 addresses operational risk with specific consideration to business continuity planning (BCP) and service provider management. This standard dovetails with APRA standard CPS 234 Information Security, which is no surprise given the recent Medibank and Latitude Financial breaches.
Here are some high-level takeaways in relation to BCP requirements of an APRA-regulated entity:
- An organisation must have a BCP that sets out how it will continue to operate through a disruption, including the steps for restoring operations and minimising the disruption's impact.
- The BCP should cover all aspects of the organisation's operations, including its IT systems, physical infrastructure and people.
- Agreements covering material arrangements with service providers must be structured so that the organisation can execute its BCP if needed.
- An organisation must test and exercise its BCP on a regular basis.
- The BCP should be reviewed and updated regularly to reflect changes in the organisation's operations and risks.
Timeline for Implementation:
CPS 230 takes effect on 1 July 2025. Pre-existing contractual arrangements will fall under CPS 230 from the earlier of their next renewal date or 1 July 2026, so existing contracts should be reviewed now to confirm they will meet the new requirements by the date that applies to them.
Key Changes from the Draft Version:
The final version of CPS 230 features only minor changes from the draft, primarily revisions to terminology and the addition of a paragraph on pre-existing contractual arrangements. Notably, the term “material arrangement” replaces references to “an arrangement with a material service provider”. It is essential to understand, however, that a material arrangement is not defined solely by the service provider being material: an arrangement can be material because of what the entity relies on it for, regardless of the size or status of the provider.
Differences Compared to Existing Superannuation Prudential Standards:
CPS 230 introduces several key differences in obligations for RSE licensees compared to the existing standards (SPS 231 and SPS 232). Here are the notable variances:
- Scope of Application: CPS 230 shifts the focus from “material business activity” (SPS 231) to “material arrangement”. A material arrangement is one that is critical to an APRA-regulated entity’s operations or that exposes it to material operational risk, which broadens the scope beyond traditional outsourcing.
- Minimum Content of Agreement: CPS 230 sets out the matters a material agreement must address, including the services and associated service levels, the rights, responsibilities and expectations of each party, ownership of assets and data, dispute resolution, audit access, liability, indemnity, and legal and compliance obligations, while leaving the specific drafting of those provisions to the RSE licensee.
- APRA Access Provisions: CPS 230 expands APRA’s access to documentation, data, and other information related to the provision of services. Agreements must include provisions ensuring service providers do not impede APRA in fulfilling its duties.
Preparing for CPS 230 Implementation:
To effectively implement CPS 230, APRA-regulated entities should take the following steps:
- Review Existing Contracts: Identify contracts subject to CPS 230 but not covered by previous standards, as these will likely require significant changes for compliance.
- Assess Compliance with Content Requirements: Review contracts currently subject to SPS 231 or other prudential standards to ensure they align with CPS 230’s content requirements. Initiate necessary amendments with service providers before the deadline.
Find the full APRA CPS 230 standard here.
Conclusion:
APRA’s new Prudential Standard CPS 230 introduces updated requirements for managing operational risk, business continuity and service provider management. With CPS 230 taking effect on 1 July 2025, APRA-regulated entities should proactively review their contracts and ensure they comply with the new standard. By preparing in advance, organisations can reduce their operational risk and demonstrate their commitment to meeting APRA’s regulatory requirements.
Synergy Compliance is well-equipped with the knowledge and expertise necessary to provide comprehensive guidance on meeting legal obligations outlined in CPS 230 and CPS 234. Our team are experts in risk management, business continuity planning, cyber security, data privacy, and implementation of information security management systems. If you are interested in learning more about how we can assist your organisation, contact us through our contact form.