APRA has released long awaited CPG 230: What does it mean for regulated entities and suppliers to them?

Tell me in 2 minutes

  • Following industry consultation, on 13 June 2023, the Australian Prudential Regulation Authority (APRA) finalised and released the Prudential Practice Guide CPG 230 Operational Risk Management (CPG 230) and APRA’s Response Paper. APRA-regulated entities have been eagerly awaiting the release of final CPG 230 to provide guidance on implementation of the requirements under Prudential Standard CPS 230 Operational Risk Management (CPS 230), which comes into effect on 1 July 2025 (see here).
  • In acknowledging feedback through the CPG 230 consultation process, final CPG 230 has been heavily streamlined into baseline compliance, and language has been removed which was perceived as causing confusion, including switching focus away from outlining “best” and “better” practice (although references to “prudent” practice remain).
  • Alongside CPG 230, APRA released a Response Paper, providing colour and context on APRA’s expectations and is a key document to be read in conjunction with CPG 230.
  • While some key areas of CPS 230 have been clarified in the final guidance and APRA’s Response Paper, APRA-regulated entities will need to continue to form their own assessments of key aspects of CPS 230 without additional guidance beyond what was included in draft CPG 230, including in relation to identifying critical operations and material service providers and the extent of obligations relating to downstream supply chain risks.
  • Key substantive changes in CPG 230 and the positions in the Response Paper which will be of interest to APRA-regulated entities include:
    • an extension of 12 months for non-Significant Financial Institutions (SFI) to comply with certain business continuity and scenario analysis obligations under CPS 230;
    • the inclusion of a Day 1 checklist (which importantly identifies what APRA-regulated entities are not required to provide to APRA at Day 1);
    • outlining a three year supervision programme for APRA to monitor implementation of CPS 230 which reflects a differentiated supervision approach for SFI and non-SFI entities in some areas;
    • clarity on APRA’s expectations of how APRA-regulated entities can review third party contracts to comply with the requirements of CPS 230 and to comply with resolution ready positions under APRA Prudential Standard CPS 900 Resolution Planning (CPS 900); and
    • clarity on key areas raised during the CPG 230 consultation process, including the application of CPS 230 to non-APRA regulated entities in a group, obligations of an APRA-regulated entity to identify fourth parties and the extent to which intermediaries will be treated as material service providers.

Key changes in CPG 230

12 month extension for non-SFIs for certain BCP related obligations

While APRA has generally resisted the request from some participants in the CPG 230 consultation process to extend the timeframes for CPS 230 compliance, for non-SFIs, APRA has agreed to delay the start date for certain business continuity related requirements under CPS 230 for 12 months from 1 July 2025 to 1 July 2026. APRA has flagged that this is designed to give smaller entities more time to focus on foundational issues and to complete the BCP and scenario analysis process towards the end of their CPS 230 implementation. Non-SFIs who take advantage of this extra time must in the meantime continue to comply with relevant equivalent obligations under Prudential Standard CPS 232 Business Continuity Management (CPS 232) and Prudential Standard SPS 232 Business Continuity Management (SPS 232) (as relevant).

Taking this change into account, APRA has flagged the following implementation timeframe for CPS 230 – changes from the timeframes indicated in draft CPG 230 are shown in gold text:

Non-SFIs are entities which are not significant financial institutions being, for example, in relation to authorised deposit-taking institutions (ADI), an ADI with less than AUD $20 billion in total assets, or, in relation to superannuation, an RSE licensee with less than AUD $30 billion in total assets. In any case, APRA may determine and classify a particular entity as an SFI, having regard to matters such as complexity in its operations or its membership of a group.

The following table sets out the CPS 230 obligations that will not apply to non-SFIs until 1 July 2026 (but will apply to SFIs from 1 July 2025).

CPS 230 OBLIGATIONS (by CPS 230 paragraph number)

Business continuity plan - 40

An APRA-regulated entity’s BCP must include:

a. the register of critical operations and associated tolerance levels;

b. triggers to identify a disruption and prompt activation of the plan, and arrangements to direct resources in the event of activation;

c. actions it would take to maintain its critical operations within tolerance levels through disruptions;

d. an assessment of the execution risks, required resources, preparatory measures, including key internal and external dependencies needed to support the effective implementation of the BCP actions; and

e. a communications strategy to support execution of the plan.

Business continuity plan - 41

An APRA-regulated entity must maintain the capabilities required to execute the BCP, including access to people, resources and technology. An APRA-regulated entity must monitor compliance with its tolerance levels and report any failure to meet tolerance levels, together with a remediation plan, to the Board.

Testing and review - 43

An APRA-regulated entity must have a systematic testing program for its BCP that covers all critical operations and includes an annual business continuity exercise. The program must test the effectiveness of the entity’s BCP and its ability to meet tolerance levels in a range of severe but plausible scenarios.

Testing and review - 44

The testing program must be tailored to the material risks of the APRA-regulated entity and include a range of severe but plausible scenarios, including disruptions to services provided by material service providers and scenarios where contingency arrangements are required. APRA may require the inclusion of an APRA-determined scenario in a business continuity exercise for an APRA-regulated entity, or a class of APRA-regulated entities.

Testing and review - 45

An APRA-regulated entity must update, as necessary, its BCP on an annual basis to reflect any changes in legal or organisational structure, business mix, strategy or risk profile or for shortcomings identified as a result of the review and testing of the BCP.

Testing and review - 46

An APRA-regulated entity’s internal audit function must periodically review the entity’s BCP and provide assurance to the Board that the BCP sets out a credible plan for how the entity would maintain its critical operations within tolerance levels through severe disruptions and that testing procedures are adequate and have been conducted satisfactorily. 

APRA Day 1 Checklist

In APRA’s Response Paper, APRA has included a Day 1 Checklist to assist entities in their implementation of CPS 230. This compliance checklist aims to clarify what APRA expects and doesn’t expect from entities as well as what obligations and expectations will evolve over time (more of which is discussed below in relation to APRA’s three-year supervisory programme).

What is most interesting in this checklist is the clarification on what entities are not required to provide to APRA for Day 1 compliance (but which may be requested by APRA). For example, entities are not required to submit to APRA their list of critical operations or tolerance levels, updated senior management accountabilities or target operating model documentation, risk profiles or risk reporting, or updated operational accountabilities.

APRA Supervisory Programme

As part of APRA’s Response Paper, APRA has also outlined a planned three-year supervision programme for CPS 230 compliance. The programme separates out supervision of SFIs and non-SFIs, with more intensive supervision being highlighted for SFIs in line with the principles of proportionality between entities of different size and complexity which has been emphasised by APRA through the process of finalising CPS 230.

The supervision programme also highlights grounds for APRA to undertake heightened supervision of an APRA-regulated entity’s CPS 230 compliance where:

  • an entity is an “MSP outlier” (which we presume means an entity which has not submitted its Material Service Provider Register by 1 October 2025 in line with APRA’s timeframes or is not otherwise complying with its MSP obligations); or
  • a material event occurs.

APRA has also flagged that APRA may consult on a formal reporting standard for CPS 230 compliance in 2027-2028 (but that APRA will otherwise undertake ongoing supervision from 2027).

Key additional points clarified in APRA’s Response Paper

APPLICATION OF CPS 230

Proportionality

One of the key areas flagged in the consultation process on CPG 230 was clearer guidance on how proportionality between entities of different sizes and complexities would apply in implementing CPS 230, particularly the differences between small and mid-size entities compared with larger, more complex entities.

Instead of setting different obligations for non-SFIs and SFIs in CPG 230, APRA has streamlined CPG 230 to represent the baseline position for compliance with CPS 230 for all APRA-regulated entities. This includes removing references to “best” or “better” practice so it is clear that they are not intended to be additional requirements, as well as amending CPG 230 to allow greater discretion by entities in how they approach compliance with specific requirements (e.g. management of service provider risks).

Consistent with its previous guidance, APRA has also emphasised that an APRA-regulated entity may apply CPS 230 commensurate with the size, business mix and complexity of the entity’s operations. APRA has also flagged that it expects SFIs to have stronger practices to comply with CPS 230 reflecting the size and complexity of their operations.

However, it is clear that all APRA-regulated entities are expected to adapt and mature their practices over time as their operations grow and evolve, regardless of their size.

CPS 900 Interaction

APRA has sought to clarify how APRA-regulated entities can manage the overlap between ‘critical functions’ in relation to resolution planning (under CPS 900) and ‘critical operations’ under CPS 230. Importantly, APRA has taken the (not insignificant) step of clarifying what terms will need to be amended in third party contracts to make contracts for critical functions of an APRA-regulated entity resilient from a resolution perspective to comply with CPS 900. This is important for those APRA-regulated entities which are subject to CPS 900 (being SFIs plus non-SFIs where the non-SFI performs functions that APRA considers critical to the financial system, industry or communities).

In addition, APRA has flagged the potential efficiencies of entities reviewing third party contracts for both CPS 900 and CPS 230 compliance together (rather than having to re-review those contracts when APRA initiates resolution planning with entities). This is also significant for suppliers to APRA-regulated entities to the extent that broader negotiation of CPS 900 terms is requested by APRA-regulated entities alongside CPS 230 uplifts (see the supplier considerations below).

Application of CPS 230 to non-regulated subsidiaries

The Response Paper has clarified APRA's expectations as to whether CPS 230 applies to subsidiaries that are not regulated by APRA. APRA has clarified that, while CPS 230 does not directly apply to non-regulated subsidiaries, APRA expects that a regulated entity would apply the CPS 230 requirements, in their entirety, to any material non-regulated subsidiary (being one that could have a material adverse impact on the regulated entity). While APRA recognises that an APRA-regulated entity can determine how it approaches CPS 230 compliance across its broader group, where an APRA-regulated entity decides not to apply CPS 230 in its entirety, APRA expects that the entity will justify this decision. This is consistent with the overall objective of CPS 230 to safeguard the resilience of APRA-regulated entities’ operations.

MATERIAL SERVICE PROVIDERS

Identifying Material Service Providers (MSP)

In the finalised guidance, APRA recommends a ‘top down’ approach to identifying MSPs by APRA-regulated entities starting by identifying critical operations, setting tolerance levels for those critical operations and then identifying the processes and resources needed to deliver these critical operations, including third party suppliers (see paragraphs 2 and 3 of CPG 230).

While APRA has not provided express guidance on all issues relevant to identifying and managing MSPs raised during the CPG 230 consultation process, APRA has clarified that:

  • for those types of service providers which are prescribed as being in a cohort of material service providers under CPS 230, not all individual MSPs in a cohort will necessarily be considered to be material in their own right (because they do not support a critical operation or mitigate a material operational risk). We take this to mean that it is open to an APRA-regulated entity to individually assess material service providers based on materiality even if they are within one of the prescribed categories of material service providers. However, APRA still expects that entities monitor and manage the overall risk of a cohort of service providers.
  • in relation to reinsurance and insurance brokers, CPS 230 does not intend to capture arm’s length transactions (such as the purchase of reinsurance or the intermediation of an insurance policy to an insurer’s client facilitated by an insurance broker). Instead, CPS 230 only applies to arrangements where an APRA-regulated entity relies on a service provider to undertake a critical operation, or where a material operational risk to the entity is introduced by the arrangement. APRA has called out insurance brokers in particular – although they are prescribed as a material service provider for insurers, APRA does not expect brokers to be included as material service providers unless they meet the above criteria. While it is not express, we presume this would also apply for mortgage brokers and other similar providers.

Fourth Parties

In acknowledging the consultation feedback concerning the difficulties raised with managing fourth party risks, APRA has modified its expectations in the final CPG 230 guidance. In addition to an APRA-regulated entity outlining its approach to managing the risks associated with any fourth parties that MSPs rely on to deliver a critical operation in its service provider management policy, APRA has clarified that an entity is expected to take reasonable steps to know who the fourth parties are that the MSP relies on in delivering a service necessary to support a critical operation.

APRA has not provided additional detail on what is involved in taking reasonable steps and CPG 230 no longer includes the more prescriptive expectations set out in the draft CPG 230, for an APRA-regulated entity to, at a minimum, conduct due diligence to identify material fourth parties and, where feasible, other downstream providers, implement contractual provisions with the MSP to ensure the entity is informed of material fourth parties, and obtain assurance from service providers that they have the capability to manage material fourth parties. This means that entities are likely to have more discretion to determine how downstream service providers are identified and managed.

Supplier considerations

CPG 230 includes some additional considerations for suppliers to APRA-regulated entities (in addition to those in CPS 230 highlighted in our previous article – here):

  • APRA-regulated customers may require uplifts to existing supplier terms to include provisions that reflect CPS 230 and CPS 900 obligations. This will require suppliers to consider a broader set of contractual changes across different APRA-regulated entities.
  • Suppliers may also be asked to uplift contract terms which apply to subsidiaries in an APRA-regulated group, even if the subsidiaries themselves are not directly regulated by APRA.
  • The clarified expectations concerning fourth party suppliers highlight the need for suppliers to consider their approach to identifying suppliers in their downstream supply chain for material services provided to APRA-regulated entities, and to prepare for requests for additional information or diligence by customers.
  • Given APRA’s expectation that APRA-regulated entities submit a register of material service providers annually to APRA (with the first register to be submitted by 1 October 2025), suppliers should consider processes to monitor and inform their customers which are subject to CPS 230 of any changes to the supplier’s material downstream providers. Suppliers should also consider how to create consistency across their customer base for this reporting.