APRA launches final version of CPG 230 Operational Risk Management

  • 27 Jun 2024
  • Rebecca

On 13th June, the Australian Prudential Regulation Authority (APRA) released the Prudential Practice Guide CPG 230 Operational Risk Management, written to provide practical advice to help organizations comply with the Prudential Standard CPS 230 Operational Risk Management (CPS 230).

CPS 230 is a new standard that obligates all APRA-regulated entities to strengthen operational risk management, respond to business disruptions, and manage risks from the use of service providers. It was released in July 2023 and comes into effect on July 1st 2025. Missed deadlines can result in regulatory action.

To support practitioners in achieving this standard, APRA has released CPG 230, a set of guidelines designed to help practitioners meet the expectations of CPS 230. The document includes detailed guidance examples and case studies to aid compliance and encourages a proportional approach to operational risk management.

The final form has undergone a number of changes from the original draft released in 2023. It’s shorter and more focused on how practitioners can reach the CPS standard. It also includes a day one checklist to support CPS 230 implementation, and a three-year plan outlining how APRA will supervise CPS 230. In addition, non-significant financial institutions (non-SFI) have been given an extra year to comply.

Given that CPS 230 comes into effect next year, these new guidelines are a welcome support to obligated organizations. However, the BCI Operational Resilience Report 2024 indicated that 70.6% of Australian organizations felt the timeframe for regulatory implementation was too short. They felt it could lead to organizations completing the necessary requirements in time for July 2025 as a ‘tick box’ exercise, while taking much longer to fully embed them.

Sam Hope, member of the BCI’s Special Interest Forum – APRA CPS 230 Operational Resilience Group, said:

“The APRA have really taken the time to consider the CPG draft and have delivered a final version that is far clearer about their expectations whilst being sharper and to the point. The net effect is more certainty to our CPS 230 work and a clear indication of their supervisory timeframe is greatly appreciated.”

However, Sam explained that the initial draft gave a clear definition of a mature state for operational resilience, but the revised guidelines say the standard is a “baseline for all entities” and APRA expect larger firms to exceed it.

“This is a double-edged sword. On the one hand, it frees us up from just implementing the “better practice” as defined in the draft CPG, but it does mean we will need to drive a higher level of maturity and investment into our program, without clear, concrete regulator expectations to point it. I think the ability to meaningfully influence at the board and executive level is more critical than ever.”

Sam adds that he’s worried about organizations in a compromised position of having to comply with both the outgoing CPS 232 and parts of the incoming CPS 230 simultaneously.

“I think there is a significant amount of risk to non-SFIs slowing their work.”

BCI Members with an interest in this topic can join the Special Interest Forum, which provides a space for BCI Members to collaborate and develop insights into the changes impacting the Financial Industry as a result of the implementation of the Australian Prudential Regulation Authority (APRA) Prudential Standard 230 – Operational Resilience.
