Everything You Need to Know About CPS 230

This article is designed to provide guidance and clarity on the Prudential Standard CPS 230 Operational Risk Management, which was released by the Australian Prudential Regulation Authority (APRA) in July 2022. CPS 230 supports CPS 220 Risk Management and replaces other standards such as CPS/SPS 231 Outsourcing and CPS/SPS 232 Business Continuity Management.

Who is accountable for CPS 230 compliance?

As per other APRA Prudential Standards such as CPS 234 Information Security, the Board is ultimately accountable for the requirements of the Standard.

What are the Board’s responsibilities?

Provide oversight of an entity’s operational risk management, business continuity and the management of service provider arrangements.

Other Board responsibilities include overseeing operational risk management and the effectiveness of key internal controls, approving the Business Continuity Plan (BCP) and tolerance levels, and approving the service provider management policy.

What are the key changes to CPS 230?

The new APRA standard takes an outcome- and principle-based approach to operational risk rather than a process-focused one.

New requirements include performing risk assessments before providing material services, understanding the operational risk profile, and implementing risk controls across all systems, processes and activities.

In line with APRA's outcome-focused supervision, the Board is now accountable for operational risk management, rather than merely responsible for it as stipulated in previous prudential standards. APRA has also increased its capabilities for monitoring operational risk, such as mandating that entities take specific actions to address material weaknesses.

Following the CPS 234 approach of requiring security incidents to be reported within 72 hours of identification, APRA now expects the same level of reporting for new operational risk incidents.

As previously mandated by CPS/SPS 232, APRA-regulated entities must maintain a BCP; however, the concepts of 'critical operations' and 'tolerances' have been broadened. Consistent with its principle-based approach, APRA expects entities to determine whether their BCP is adequate for their business.

The identification of critical operations now includes the processes of both the APRA-regulated entity and its service providers. As a result, service provider processes must be documented as part of the entity's BCP.

Tolerance setting has shifted away from plausible disruption scenarios and now focuses on the entity's risk appetite for disruption across all processes covered by its BCP.

The testing requirements have been deepened, and more specific requirements are now stipulated in the Standard. Rather than only requiring entities to 'review and test' the BCP, the Standard now expects entities to develop a systematic testing program that is in line with their material risks.

CPS 230 focuses on the materiality of the operational risk posed by a service provider arrangement, rather than on outsourcing and the materiality of the service being provided, as previously stipulated in CPS/SPS/HPS 231. Given the increased reliance on service providers, the new definition has been designed to capture more of them.

Although a service provider policy was already mandated, the new standard has introduced 'material service providers', as described above, as well as a requirement to address 'fourth-party' risk. Service providers assume liability for the failure of a sub-contractor, and each APRA-regulated entity must otherwise set its own approach to managing fourth-party risk.

In terms of reporting, APRA now expects entities to submit a register of service providers on an annual basis and to notify APRA when material changes to service provider agreements are made. For private health insurers specifically, the notification period has been shortened to 20 business days, rather than the 28 days that currently apply under HPS 231.

Strong focus on operational resilience

Across the Standard there is a strong focus on operational resilience. The Standard makes clear that operational resilience is part of adequate operational risk management and is a direct outcome and extension of business continuity management.

What do you need to do as a regulated entity from a cyber resilience perspective?

Operational Risk Management

Maintain appropriate and sound information and information technology (IT) infrastructure to meet your current and projected business requirements and to support your critical operations and risk management.

Maintain a comprehensive assessment of your operational risk profile and manage your full range of operational risks, including but not limited to legal, regulatory, compliance, conduct, technology, data, reputational and change management risk, by implementing internal controls that mitigate your operational risks in line with your risk appetite and meet your compliance obligations.

Continually conduct risk assessments, including when providing a material service to another party, to ensure that you can continue to meet your prudential obligations after entering the arrangement.

Monitor, review and test controls for design and operating effectiveness, at a frequency commensurate with the materiality of the risks being controlled, by establishing and executing a security control assurance program. Material weaknesses identified in your operational risk management, including control gaps, weaknesses and failures, must be remediated.

Ensure that operational risk incidents and near misses are identified, escalated, recorded and addressed in a timely manner, and notify APRA as soon as possible and no later than 72 hours from identification.

Business Continuity

Have a comprehensive understanding of your critical operations; define and identify them, and maintain a register of your critical operations and their tolerance levels, such as Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).

Implement controls to minimise the likelihood and impact of disruptions to your critical operations.

Maintain a credible BCP that sets out how you maintain critical operations within tolerance levels through disruptions, including disaster recovery planning for critical information assets.

Regularly test and review the BCP.

Management of Service Provider Arrangements

Expand third-party management policies and procedures to include fourth-party risk. This must cover all material service providers that you rely on for critical operations or that expose you to material operational risk.

Establish a comprehensive outsourcing management policy, formal agreements, and robust monitoring processes. Monitoring processes can include review cycles and service delivery monitoring.

Submit a register of service providers on an annual basis to APRA.

Notify APRA when material changes to service provider agreements are made.

CPS 230 Key Compliance Dates

July 2022 – Consultation Open

October 2022 – Consultation Closed

Early 2023 – CPS 230 Finalised

January 2024 – Effective Date

Get in touch with Sekuro to learn more and discover how we can help with CPS 230 and your risk management needs.

Zachary Vella

Managing Consultant, Sekuro

Zachary is a professional with diverse industry experience and over 7 years in the field, providing a unique combination of technology, security and risk management expertise to transform businesses into highly effective, efficient and positive "risk aware" organisations. He currently holds the role of GRC Managing Consultant, overseeing and delivering engagements in this space. His key expertise lies in providing business value by managing risk and transforming risk into opportunity.