APRA finalises key risk standard, consults on adoption guide


Prudential regulator APRA has announced it has finalised new standards for banks, insurers and superannuation funds to manage operational risks and respond to business disruptions.

The new CPS 230 standard, put to stakeholders for consultation last year, provides a foundation for regulated entities to address potential weaknesses in existing risk controls, improve their ability to respond to severe disruptions and ensure business continuity, and enhance third-party risk management, APRA said.

This new operational risk standard effectively consolidates and replaces five existing standards covering outsourcing (CPS 231/SPS 231/HPS 231) and business continuity management (CPS 232/SPS 232).

CPS 230 also complements prudential standard CPS 234 Information Security, together forming APRA’s new operational resilience framework.

A key requirement of the new standard is that boards are ultimately accountable for operational risk management and business continuity, “to ensure that senior management effectively implement and maintain a regulated entity’s operational risk framework”.

The new standard is set to kick in from 1 July 2025. Initially mooted for 1 January 2024, the launch date was pushed back in response to feedback received during the consultation.

APRA chair John Lonsdale noted that additional allowances will be made to enable businesses with third-party arrangements to ensure their contractors comply with the new standard, with the regulator to provide a transition phase – until 1 July 2026 at the latest – “for entities that need some flexibility”.

He said that the introduction of the new standard would “ensure regulated entities set and test controls and maintain robust business continuity plans to respond if disruptions do occur”.

“Disruptions to financial services can cause a major detrimental impact to the people who rely on them to pay bills, recover from financial loss or support themselves in retirement.

“The need for APRA’s new standard has been demonstrated by a number of recent operational risk control failures and disruptions, including material cyber breaches.”

Lonsdale added: “We expect regulated entities to be proactive in preparing for implementation, rather than waiting until the last minute to get ready to meet the new requirements.”

The regulator has also released for consultation a draft Prudential Practice Guide CPG 230 [pdf], designed to assist regulated entities with the implementation of CPS 230.

Submissions for the consultation close on 13 October 2023.