On July 17, 2023, the Australian Prudential Regulation Authority (APRA) announced the finalization of Prudential Standard CPS 230 Operational Risk Management (CPS 230). According to APRA, CPS 230 is aimed at enhancing the ability of APRA-regulated entities to manage operational risks and address business disruptions. 

Scope  

The CPS 230 applies to all APRA-regulated entities defined as:  

• authorized deposit-taking institutions; 
• general insurers; 
• life companies;  
• private health insurers registered under the Private Health Insurance (Prudential Supervision) Act 2015; and  
• registrable superannuation entity licensees under the Superannuation Industry (Supervision) Act in respect of their business operations. 

Key measures in the new standard 

The APRA noted that CPS 230 would strengthen the ability of APRA-regulated entities to: 

• build on operational risks by implementing new requirements to rectify identified weaknesses in current controls; 
• bolster business continuity planning in response to disruptions; and 
• enhance third-party risk from material service providers, by ensuring risks are appropriately managed.

APRA further explained that CPS 230 will take effect from July 1, 2025, and that a transition phase for existing contracts with material service providers will be provided for entities requiring flexibility. 

Additional guidance 

Simultaneously, APRA released the draft Prudential Practice Guide CPG 230 Operational Risk Management and has invited public comments on the same. The draft guide aims to aid regulated entities in effectively complying with the new CPS 230 standard.  

Comments on the draft guide can be submitted to [email protected] until October 13, 2023. 

You can read the press release here, the standard here, and the draft guide here.