APRA finalises new prudential standard on operational risk
The Australian Prudential Regulation Authority (APRA) has finalised a new prudential standard aimed at ensuring banks, insurers and superannuation trustees can better manage operational risks and respond to business disruptions.
Prudential Standard CPS 230 Operational Risk Management (CPS 230) provides a foundation for APRA-regulated entities to:
- strengthen operational risk management through new requirements to address identified weaknesses in existing controls;
- improve business continuity planning to ensure they are positioned to respond to severe disruptions; and
- enhance third-party risk management by ensuring risks from material service providers are appropriately managed.
APRA finalised the standard following industry consultation that commenced in July 2022. The new standard will commence from 1 July 2025.
Chair John Lonsdale said the finalisation of CPS 230 will strengthen the management of operational risk across APRA’s regulated population.
“Disruptions to financial services can cause a major detrimental impact to the people who rely on them to pay bills, recover from financial loss or support themselves in retirement.
“The need for APRA’s new standard has been demonstrated by a number of recent operational risk control failures and disruptions, including material cyber breaches. This new standard will ensure that regulated entities set and test controls and maintain robust business continuity plans to respond if disruptions do occur.
“We expect regulated entities to be proactive in preparing for implementation, rather than waiting until the last minute to get ready to meet the new requirements. There will be a transition phase for existing contractual arrangements with material service providers for entities that need some flexibility,” Mr Lonsdale said.
A response paper to the consultation on CPS 230, including details on draft CPG 230, and the final CPS 230 are available at the APRA website.