APRA refines Operational Risk Management Guidance in CPG 230

  • Insight
  • 6 minute read
  • July 08, 2024

On 13 June 2024, the Australian Prudential Regulation Authority (APRA) finalised CPG 230, marking a significant milestone after an extensive industry consultation phase. These updates are designed to provide clearer guidance tailored to the diverse needs of entities, enhancing operational resilience across the financial sector.

Key updates and their impact

Extended start date for non-significant financial institutions (non-SFIs)

One of the pivotal changes introduced by APRA is an additional 12-month period granted to non-SFIs for meeting Business Continuity and Scenario Analysis requirements under CPS 230. Effective from 1 July 2026, this extension allows smaller entities crucial time to establish robust operational risk management foundations and align with APRA's expectations. During this transitional period, compliance with CPS 232 and SPS 232 remains mandatory until 30 June 2026, ensuring a phased approach to implementation.

Day-one compliance checklist

To facilitate a structured approach to compliance, APRA has introduced a day-one compliance checklist. This checklist guides entities through initial steps, emphasising the required submissions to APRA and distinguishing between the old and new requirements. While certain detailed submissions, such as the list of critical operations and tolerances, are not compulsory upon CPS 230 implementation, entities must be prepared to furnish this information if requested by APRA, underscoring the importance of readiness and transparency in operational resilience.

Three-year supervision program

APRA's newly announced three-year supervision program outlines tailored oversight for both significant financial institutions (SFIs) and non-SFIs. This proactive approach enables APRA to identify outliers and respond promptly to material events, ensuring continuous improvement and adherence to regulatory standards.

Streamlined guidance

The final version of CPG 230 has been streamlined to focus on minimum requirements, removing previous expectations on better practice. This adjustment grants entities greater flexibility in compliance while maintaining clarity on APRA's regulatory expectations. The accompanying response paper provides additional clarity on specific areas, addressing industry feedback to enhance understanding and implementation.

Implementation timeline and considerations

Entities are encouraged to adopt a progressive approach aligned with their operational scale and complexity. Whether SFI or non-SFI, each entity must strategically align its implementation timeline with APRA's extended deadlines and compliance milestones. This includes a proactive approach to integrating CPS 230 requirements alongside existing obligations under CPS 232 and SPS 232, where applicable.

Focus on intent and resilience

Central to CPS 230 is the identification and mitigation of vulnerabilities in the resilience of critical operations. It is common for organisations to spend a significant amount of time focusing on the complexities of methodologies and landing the ‘right’ answers. However, APRA’s updated CPG 230 is a reminder to reset and keep the intent of CPS 230, “that entities improve operational resilience where needed”, front of mind.

Managing Material Service Providers (MSPs)

APRA's guidelines on MSPs emphasise risk management across cohorts and include expectations for managing fourth parties integral to critical operations. Entities must document their approach to fourth-party risk in their Service Provider Management Policy. Additionally, APRA mandates that the MSP register be submitted by October 1, 2025, with a template set to be released in the third quarter of 2024.

Interaction with CPS 900 and group entities

APRA clarifies the interplay between CPS 230 and CPS 900, particularly concerning resolution-resilient contracts and continuity of services post-resolution. For group entities, APRA-regulated heads must ensure CPS 230 compliance extends to non-regulated subsidiaries that could impact overall group resilience, demonstrating comprehensive risk management across the organisational hierarchy.

Partnering with PwC for compliance readiness and embedding operational resilience

APRA's finalisation of CPG 230 signifies a pivotal step towards enhancing operational resilience within the financial sector. By providing clearer guidance and extended timelines, APRA empowers entities to strengthen their operational risk frameworks while adapting to regulatory requirements. The finalised guidance aims to provide organisations with clarity on implementing the Standard.

No matter where you are in this process, PwC is here to help. Our specialised services are designed to establish and maintain robust, digitally enabled operational resilience, ensuring compliance with CPS 230. With global connectivity and extensive experience, we provide tailored solutions that address the Prepare, Respond, and Sustain phases of your compliance journey. PwC understands the complexities of CPS 230 and offers comprehensive support to meet your regulatory obligations effectively.

 
