New APRA prudential standard to strengthen operational risk management

The Australian Prudential Regulation Authority (APRA) has released a draft new cross-industry Prudential Standard CPS 230 Operational Risk Management designed to strengthen the management of operational risk by all APRA-regulated entities including the banking, insurance and superannuation industries.

Operational risk is defined as the potential for financial loss or material disruption as a result of inadequate or failed internal processes or systems, the actions of people or external drivers and events, such as a pandemic, technology risks or natural disaster.

The new standard CPS 230 will incorporate updated minimum requirements for service provider management and business continuity management that are currently contained in prudential standards CPS 231 Outsourcing and CPS 232 Business Continuity Management (and the corresponding superannuation standards SPS 231 and SPS 232 and private health insurance standard HPS 231). These five standards will be replaced by the new CPS 230. CPS 234 Information Security will continue.

The aim of the standard is to:

  • strengthen operational risk management with new requirements to address weaknesses that have been identified in existing practices of APRA-regulated entities. This includes requirements to maintain and test internal controls to ensure they are effective in managing key operational risks.
  • improve business continuity planning to ensure that APRA-regulated entities are ready to respond to severe business disruptions, and maintain critical operations such as payments, settlements, fund administration and claims processing to minimise the impact of disruptions to customers.
  • enhance third-party risk management by extending requirements to cover all material service providers that APRA-regulated entities rely upon for critical operations or that expose them to material operational risk, rather than just those that have been outsourced.

APRA expects to release the final CPS 230 in the first half of 2023, before the new standard comes into force on 1 January 2024.


Author: David Jacobson
Principal, Bright Corporate Law
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.
