APRA finalises CPS 230 guidance on operational resilience

The Australian Prudential Regulation Authority (APRA) has released Prudential Practice Guide CPG 230 Operational Risk Management (CPG 230) to assist banks, insurers and superannuation funds in the implementation of Prudential Standard CPS 230 Operational Risk Management (CPS 230).

Transition timetable

CPS 230 takes effect from 1 July 2025, with a further one-year transition to July 2026 to allow entities time to review contracts with existing material service providers (MSPs) (see the timeline below).

APRA will give non-Significant Financial Institutions a 12-month extension to July 2026 on requirements relating to business continuity and scenario analysis.

SFIs are Australian ADIs with total assets in excess of AUD $20 billion.

Non-SFIs may transition to CPS 230 in full, ahead of this schedule. Entities that avail themselves of the extra time must comply with existing prudential standards CPS 232 Business Continuity Management and SPS 232 Business Continuity Management in the interim.

Appendix A to APRA’s response to submissions summarises the transition.

A summary of CPS 230 requirements and suggested order of implementation is provided at Appendix B of APRA’s response.

Material service providers

CPS 230 requires entities to assess their service providers to determine whether they are material for the purposes of the Standard. An entity is required to ensure all MSPs meet the requirements under CPS 230 where an arrangement with an MSP is a material arrangement.

CPS 230 requires entities to provide their MSP register to APRA on an annual basis. APRA requests that the first MSP register is submitted by 1 October 2025. In Q3 2024, APRA will provide a template for the MSP register.

An entity is also expected to:

  • outline, as part of its service provider management policy, its approach to managing the risks associated with any fourth parties that MSPs rely on to deliver a critical operation (CPS 230); and
  • take reasonable steps to know who the (fourth) parties are that an MSP relies on, in delivering a service necessary to support a critical operation (CPG 230).

APRA acknowledges that where a cohort of service providers may be collectively material, some service providers may not be individually material (to deliver a critical operation or otherwise mitigate a material operational risk).

Those that are not individually material do not have to be classified as an MSP. However, APRA does expect that an entity would have additional processes and controls for managing the cohort, to address risks associated with these service providers.

APRA may require entities to amend certain contracts with service providers, to make critical functions contracts ‘resolution resilient’ under CPS 900, such that critical functions are maintained in resolution. This may include services that support an entity’s critical functions, business lines, daily operations, and/or resolution capabilities.

In relation to insurance, CPS 230 requires an insurer to classify a provider of services for underwriting, claims management, insurance brokerage and reinsurance as a material service provider. APRA expects brokers would only be captured if an entity relies on the broker in delivering a critical operation or the broker introduces material operational risk to the regulated entity.



Author: David Jacobson
Principal, Bright Corporate Law
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.

 
