The Australian Prudential Regulation Authority (APRA) published a new Prudential Standard, CPS 230 Operational Risk Management, in July 2023. CPS 230 will direct how regulated entities manage operational risks, resilience, and business continuity. CPS 230 aims to ensure that an APRA-regulated entity is resilient to operational risks and disruptions.
Regulated entities have until 1 July 2025 to comply, although APRA makes it clear that it “expects regulated entities to be proactive in preparing for the new requirements in 2023-2024 … rather than waiting until 2025 to start planning.”
APRA expects that senior management will have identified their critical operations and material service providers by mid-2024 and will be ‘well positioned’ to set tolerance levels by the end of that year.
The standard is clear that responsibility for CPS 230 lies with a regulated organisation’s board, stating that: “The Board of an APRA-regulated entity is ultimately accountable for oversight of an entity’s operational risk management. This includes business continuity and the management of service provider arrangements.”
APRA is strongly encouraging its regulated entities not to wait until the last minute and to start preparing now. Having “run out of patience” with the slow uplift to CPS 234 on information security, the regulator has put the sector on notice, announcing it “…will be assessing entities’ preparedness for the new standard throughout 2024, starting in less than six months.”
APRA is unapologetic about deliberately designing “an implementation schedule to ensure entities are not still playing catch-up several years down the track”.
CPS 230 readiness is now a booming industry for consulting firms. APRA is expecting institutions to make significant progress in mapping end-to-end business processes by mid-2024, covering the crucial path to delivering critical operations. Tolerance levels covering the critical operations are to be determined by the end of 2024.