The Australian Prudential Regulation Authority (APRA) has released its finalised Prudential Practice Guide CPG 230 Operational Risk Management (CPG 230) to aid insurers, banks, and superannuation trustees in bolstering their operational risk management and business continuity planning.
CPG 230 is designed to assist in the implementation of Prudential Standard CPS 230 Operational Risk Management (CPS 230), set to take effect on July 1, 2025.
The guidance focuses on enhancing the resilience of critical operations and improving third-party risk management.
APRA said the guidance has been condensed and aligned more closely with the standard’s expectations.
Non-significant financial institutions (non-SFIs) have been granted an additional 12 months to comply with specific requirements related to business continuity and scenario analysis.
The regulator has also included a “day one” checklist to assist entities in implementing CPS 230.
Lastly, a three-year forward plan for supervising CPS 230 has been provided to assist with industry planning and implementation.
APRA chair John Lonsdale emphasised the increasing importance of operational resilience.
“Disruptions to financial services can have a major impact on people who rely on them to save, spend, recover from financial loss, or support themselves in retirement,” he said. “CPS 230 is designed to ensure entities safeguard the resilience of their operations and are well prepared to respond to disruptions. By amending the accompanying guidance, we aim to keep industry standards high while also being mindful of the compliance burden on smaller entities so they can remain competitive.”
APRA received 16 submissions during the consultation period for draft CPG 230, with feedback highlighting areas requiring more clarity and potential implementation challenges. Common themes included concerns about readiness for compliance, the proportional application of the guidance, and the complexity of managing fourth-party risks.
In response, APRA has modified the guidance to provide smaller entities more time to meet certain components, streamline the guidance to align better with the standard, and clarify expectations for implementation. Non-SFIs now have a 12-month extension to comply with business continuity and scenario analysis requirements, providing them additional time to establish robust foundations.
The guidance has been adjusted to allow entities discretion in their approach, particularly regarding business process mapping, scenario analysis, and third-party risk management. While CPS 230 sets baseline expectations for all entities, larger and more complex entities are expected to implement stronger practices.
Entities are required to evaluate their service providers to determine whether they are material service providers (MSPs) and ensure compliance with CPS 230 for material arrangements. APRA has introduced a template for the MSP register, with the first submission due by Oct. 1, 2025.
The regulator has moderated expectations for managing fourth-party risks.
Entities must outline their approach to managing these risks as part of their service provider management policy.
For cohorts of service providers, entities are expected to have additional processes and controls to address associated risks.
APRA expects regulated entities to be proactive in transitioning to CPS 230. The guidance includes a “day one” checklist and details the supervision program for the first three years, including prudential reviews and ongoing supervision based on entity size and complexity.
Entities are encouraged to actively work on transitioning to CPS 230 and communicate with their supervisors regarding compliance readiness.
The regulator, which also recently released cybersecurity and data backup standards, will continue to engage with the industry to ensure a smooth implementation process and address any compliance concerns.