The Australian Prudential Regulation Authority (APRA) has finalized its Prudential Standard CPS 230 aimed at ensuring banks, insurers, and superannuation trustees can better manage operational risks, build operational resilience, and respond to business disruptions. The standard replaces several existing standards, including CPS/SPS 232 Business Continuity Management and CPS/SPS 231 Outsourcing.
The key requirements of CPS 230 are:
Strengthen operational risk management through new requirements to address identified weaknesses in existing controls.
Improve business continuity planning to ensure organizations are positioned to respond to severe disruptions.
Enhance third-party risk management by ensuring risks from material service providers are appropriately managed.
An APRA-regulated entity’s approach to operational risk must be appropriate to its size, business mix, and complexity.
APRA has released an updated timeline for the implementation of CPS 230. In response to feedback received during the consultation period, APRA intends to:
Move the effective date for the new standard to 1 July 2025
Provide transitional arrangements for pre-existing contractual arrangements with service providers, with the requirements in the standard applying from the earlier of the next contract renewal date or 1 July 2026.
How Archer Can Help
Archer can play an important part in helping organizations manage their compliance with CPS 230. For example:
Archer Enterprise and Operational Risk Management enables organizations to:
Define risk appetite supported by indicators, limits, and tolerance levels.
Assess the organization’s risk profile, including identifying and documenting processes and resources.
Ensure internal controls are designed and operating effectively.
Provide reporting that enables operational risk oversight at every level of the organization.
Archer Resilience Management enables organizations to:
Identify and document its processes and resources for critical operations.
Document a business continuity plan (BCP) that sets out how the entity would identify, manage, and respond to a disruption within tolerance levels and can be regularly tested against severe but plausible scenarios.
Monitor, analyze, and report on operational risks and escalation of incidents and events.
Archer Third Party Governance enables organizations to:
Manage service provider arrangements.
Archer facilitates reporting and notifications to APRA and other stakeholders, including the board, which oversees the entity’s operational risk management, BCP, and management of service providers.
For more information or to speak to an Archer expert, you can contact us here.