Operational Resilience

Is your business ready for the change?

APRA released the final Prudential Standard CPS 230 Operational Risk Management (CPS 230) in July 2023. CPS 230 will take effect from 1 July 2025, with transition agreements for existing service provider arrangements until 1 July 2026.

The objective of CPS 230 is to strengthen the management of operational risk in the banking, insurance, and superannuation industries, improve operational resilience and minimise the impact of disruption to members and the financial system, through:

  • Effectively managing the full range of operational risks;
  • Maintaining critical operations through severe business disruptions; and
  • Managing risks arising from the use of service providers.

CPS 230 will replace five existing APRA Standards: Prudential Standard CPS 231 Outsourcing, Prudential Standard CPS 232 Business Continuity Management and the equivalent superannuation and health insurance Standards (SPS and HPS).

What will the new regulation cover?

There are three key focus areas in the Standard:

1. Operational Risk Management:

The Board is ultimately accountable for an organisation’s operational risk management and must oversee senior management’s implementation and maintenance of CPS 230. CPS 230 requires regulated entities to consider operational risk through a critical operations lens; as a result, all risk management practices, including the overall risk profile, will need to be revised and aligned to the new critical operations view.

2. Business Continuity Management:

To support a comprehensive operational risk profile and business continuity plan (BCP), CPS 230 requires entities to:

  • Understand their end-to-end critical operations, along with their supporting resources;
  • Set tolerance levels that are customer and outcome focused;
  • Minimise the likelihood and impact of disruptions as part of their business continuity planning practices; and
  • Conduct regular scenario testing to validate continuity plans and tolerance levels. This includes ensuring that the capabilities needed to support critical operations can adapt in the event of a disruption.

3. Service Provider Management:

Requirements have been enhanced to cover all material service providers that APRA-regulated entities rely upon for critical operations, or that expose them to material operational risk. Entities are required to understand and manage the risks associated with the use of these material service providers, along with their downstream providers (i.e. fourth or nth parties), with a comprehensive outsourcing management policy, formal agreements, and robust governance / monitoring.

Key additions related to the key focus areas:

New operational risk management requirements

Entities must manage their full range of operational risks by maintaining a comprehensive operational risk profile. Internal controls to mitigate these risks within appetite should be embedded and regularly tested. Entities must also maintain strong data and IT infrastructure to meet business requirements and support critical operations.

Identify critical operations

To effectively manage business continuity, entities must define criticality criteria and identify their critical operations, taking into consideration those identified in APRA’s CPS 230, unless justified otherwise. Once identified, entities must understand and manage the risks associated with their critical operations so that they can continue to deliver those operations within tolerance levels through severe disruptions.

Set tolerances and perform scenario testing

Entities must set clear tolerances for the maximum level of disruption they are willing to accept, including tolerances on maximum time to be disrupted, data loss, and minimum service levels. Tolerance levels need to be customer and outcomes focused. Entities are expected to maintain critical operations within tolerance levels and conduct regular scenario testing to calibrate tolerances.

Determine Material Service Providers (MSPs)

Entities must understand and manage the risks associated with the use of service providers that support their critical operations, or expose them to material operational risk, including downstream providers (fourth or nth parties). A register of MSPs and associated risks must be reported to APRA annually, as well as changes to MSP agreements.

Whilst CPS 230 will take effect on 1 July 2025, APRA expects organisations to demonstrate proactive preparation and progress throughout 2024 and 2025.

The below timeline outlines key milestones and recommended approaches for the Prudential Standard’s commencement:

  • July 2022: APRA consults on draft CPS 230
  • April 2023: APRA announces revised implementation timeline
  • July 2023: APRA releases final CPS 230
  • Mid-July 2024: Material service providers and critical operations identified
  • End of 2024: Entities positioned to set tolerance levels
  • July 2025: CPS 230 commences
  • July 2026: Transition ends for existing contracts with service providers

Across the 2024 and 2025 milestones, APRA expects demonstration of meaningful steps and staged progress.

How can PwC help your business to ensure you are ready?

At PwC, we have service offerings built to help you set up and run a fit-for-purpose, digitally enabled operational resilience capability, which will also enable you to meet your CPS 230 obligations. With our global connectivity and experience, we will provide you with the confidence that we are the right people. Our propositions are designed to encompass each of the Prepare, Respond and Sustain phases of your journey. Whilst there are three distinct components in the CPS 230 Standard, they are not mutually exclusive, and we will support you in responding to them in a holistic manner.

Establishing Foundations
  • CPS 230 readiness assessment
  • Operational resilience Target Operating Model (TOM) design
  • Board and executive awareness sessions
  • Operational resilience governance and accountabilities definition
  • Operational resilience program planning, scoping and delivery

Critical operations
  • Critical operations definition and documentation, including resources (e.g. people, technology, data, service providers, facilities, risks, obligations, controls)
  • Operational risk and resilience framework, reporting and governance uplifts

Operational Risk Management
  • Operational risk profiling (including identification, assessment and action)
  • Risk appetite definition
  • Obligations mapping
  • Controls assurance

Business Continuity
  • Tolerance level identification
  • Business Continuity and Disaster Recovery Planning
  • Training and awareness
  • Scenario testing

Service Provider Management
  • Material service provider (MSP) assessments
  • Third Party Risk Management Framework
  • Third party controls testing (for MSPs)

Technology enablement
  • Operational resilience and risk tooling and integration to support management of operational resilience and risk requirements

Embed and monitor
  • Operational resilience culture and behaviour
  • Ongoing governance, monitoring and reporting


Contact us

Susanna Chan

Partner, Cybersecurity & Digital Trust, PwC Australia

Tel: +61 414 544 066

Peter Malan

Partner, Cybersecurity & Digital Trust, PwC Australia

Tel: +61 413 745 343

Sam Hinchliffe

Partner, Assurance - Risk and Regulation, PwC Australia

Tel: +61 2 8266 1814

Sara Afaghi

Partner, Risk Advisory, PwC Australia

Tel: +61 433 760 969
