The Australian Prudential Regulation Authority finalises new prudential standard to strengthen operational risk management
The standard aims to equip banks, insurers, and superannuation trustees to better handle operational risks and respond effectively to business disruptions.

The Australian Prudential Regulation Authority (APRA) has finalised a new prudential standard, CPS 230 Operational Risk Management, designed to strengthen the ability of banks, insurers, and superannuation trustees to manage operational risks and respond effectively to business disruptions. The standard, finalised after a year-long consultation with industry stakeholders, will come into effect on 1 July 2025.
CPS 230 introduces a structured framework requiring APRA-regulated entities to improve three core areas: operational risk controls, business continuity planning, and third-party risk management. The new standard aims to address vulnerabilities in current systems, many of which have been exposed by recent cyber incidents and operational failures.
Under CPS 230, regulated entities will be expected to:
- Identify and address weaknesses in their existing risk controls,
- Develop and maintain robust business continuity plans to handle severe disruptions, and
- Strengthen oversight of material service providers to ensure third-party risks are managed appropriately.
APRA Chair John Lonsdale highlighted the importance of the new standard in maintaining trust and resilience in the financial system. ‘Disruptions to financial services can have serious consequences for individuals who depend on these services to meet daily needs or sustain themselves in retirement,’ Lonsdale said. ‘CPS 230 ensures entities have adequate controls in place and are well-prepared to respond to incidents when they occur.’
The implementation period gives institutions time to align their operations with the new requirements. APRA has acknowledged the need for flexibility during this transition, particularly regarding existing contracts with key service providers.
To support compliance, APRA has also released a draft Prudential Practice Guide, CPG 230, which provides practical guidance on implementing the new requirements. Public consultation on the draft guide is open until 13 October 2023.