The Australian Prudential Regulation Authority (APRA) has released its consultation on a new cross-industry prudential standard for operational risk management, CPS 230, which proposes to introduce a range of new requirements on APRA-regulated entities for managing operational risk and enhance existing requirements for business continuity and service provider management.

Operational resilience is critical to the stability of financial institutions and has been an area of increasing focus for APRA in recent years. The Coronavirus pandemic has proven to be a real-world test of the operational resilience of APRA-regulated entities and has rapidly escalated the pace of change in the way organisations do business. At the same time, APRA-regulated entities have had to manage a broad and multi-faceted range of operational risks, including disruptions to supply chains, increasing cybersecurity risks and risks arising from geopolitical and economic uncertainty. Against this backdrop, on 28 July 2022, APRA released a discussion paper and began consultation on draft prudential standard CPS 230.

Draft CPS 230 introduces new and enhanced requirements to strengthen the operational resilience of APRA-regulated entities and improve how those entities manage operational risk. It also consolidates and enhances existing standards in relation to third-party risk management, outsourcing and business continuity by replacing a number of existing prudential standards (CPS/SPS/HPS 231 and CPS/SPS 232). CPS 230 will apply to all APRA-regulated entities, including banks, insurers (general, life and health) and registrable superannuation entity licensees.

You can view our detailed insights, including a comparison against the current prudential framework, here.