
Prudential Standard CPS 230 Operational Risk Management is a prudential standard issued by the Australian Prudential Regulation Authority (APRA) to strengthen the operational resilience of Australia's financial services industry. Commencing on 1 July 2025, the standard requires APRA-regulated entities to manage and mitigate the operational risks that could have a significant adverse impact on their customers or on the financial system.

Who is affected by CPS 230?

CPS 230 primarily affects APRA-regulated entities, including:

  • Banks, building societies, and credit unions
  • Insurance companies
  • Superannuation funds

These entities must comply with CPS 230 from 1 July 2025. Service provider agreements that were already in place before that date are subject to a transitional arrangement: they must be brought into line with the standard by the earlier of their next renewal date or 1 July 2026.

What does APRA mean to achieve with CPS 230?

APRA's intention with CPS 230 is to ensure that regulated entities maintain robust operational risk management frameworks that protect both customers and the broader financial system from disruption. The standard is a comprehensive overhaul of the previous regime for outsourcing and business continuity management: it replaces five existing standards (CPS 231 Outsourcing, CPS 232 Business Continuity Management, and their superannuation and private health insurance equivalents SPS 231, SPS 232 and HPS 231) with a single, more cohesive and more demanding framework. Through CPS 230, APRA aims to create a financial sector that can withstand operational disruptions and recover from them quickly, so that critical financial services continue to be delivered even in challenging circumstances.

Under this new standard, regulated entities must:

  • Develop and maintain a detailed operational risk management framework addressing all aspects of operational resilience
  • Strengthen board governance structures, with boards required to actively review and set tolerance levels for disruptions
  • Identify and manage critical operations that could have a material adverse impact on customers or the financial system if disrupted
  • Implement and regularly test robust business continuity plans to ensure continued critical operations during disruptions
  • Enhance oversight of material service providers, including fourth-party providers
  • Notify APRA promptly of significant operational risk incidents: as soon as possible, and no later than 72 hours after becoming aware of an incident that is likely to have a material financial impact or a material effect on the entity's ability to maintain its critical operations
  • Regularly conduct stress testing and scenario analysis to evaluate preparedness for operational risks

Key Focus: Third-Party and Fourth-Party Risk Management

A significant aspect of CPS 230 is its expanded focus on service provider management. The standard requires entities to identify their material service providers (those they rely on to undertake a critical operation, or that expose them to material operational risk) and extends risk management to fourth parties: the providers that those material service providers themselves depend on. In practice, institutions must now assess the risks associated with the service providers of their service providers.

This additional layer of complexity calls for stronger data collection, due diligence and ongoing monitoring. Outsourcing oversight is no longer limited to direct third-party relationships; institutions must extend their risk management processes to cover the performance and risks of fourth-party providers as well.

Board Oversight and Accountability

CPS 230 places strong emphasis on board-level governance, significantly elevating the responsibilities of directors in managing operational resilience. The standard creates a clear accountability framework where boards are no longer passive recipients of risk information but active participants in the risk management process.

Under CPS 230, boards must:

  • Regularly review key risk indicators (KRIs) for operational resilience and use them to make informed decisions
  • Approve tolerance levels for disruptions to critical operations, thereby deciding what level of disruption risk is acceptable
  • Ensure the organisation maintains adequate resources and capabilities to manage operational risk
  • Oversee the implementation and effectiveness of the operational risk management framework
  • Review and approve the identification of critical operations and the business continuity plans that protect them
  • Ensure thorough due diligence of material service providers, including the fourth-party risks they introduce
  • Receive timely updates on significant operational incidents and approve remediation actions
  • Challenge management's assumptions and provide strategic direction on operational resilience
  • Take direct responsibility for ensuring the organisation can continue its critical operations during disruptions

This heightened level of board engagement represents a significant shift in governance expectations, requiring directors to develop deeper understanding of operational risks and more hands-on involvement in resilience planning.

Addressing ESG, Cybersecurity, and Other Challenges

CPS 230 requires the operational risk management framework to cover the full range of risks to critical operations. Technology and information security risk sit squarely within that scope, alongside CPS 234 Information Security, which continues to apply; institutions must continuously monitor vulnerabilities in their own systems and in the systems of their service providers. The standard does not name ESG (Environmental, Social, and Governance) risk, but many institutions are using the same framework to track the ESG metrics that regulators and investors increasingly expect.

Preparing for Compliance

With the July 2025 deadline approaching, APRA-regulated entities must act swiftly to ensure they are prepared for CPS 230's operational risk management requirements. This includes:

  1. Developing comprehensive operational risk management frameworks
  2. Enhancing board governance and oversight mechanisms
  3. Identifying and managing critical operations
  4. Implementing robust business continuity plans
  5. Strengthening service provider management processes
  6. Establishing incident reporting procedures
  7. Conducting regular stress testing and scenario analysis

CPS 230 marks a new era in operational risk oversight for Australian financial institutions. By implementing robust operational due diligence processes and strengthening their risk management frameworks, APRA-regulated entities can meet the new standard while genuinely improving their operational resilience and protecting their critical operations.

If you are concerned about meeting the requirements of CPS 230 and want to ensure your organisation is fully prepared for the July 2025 deadline, contact our team to learn how we can help you navigate these regulatory complexities and strengthen your operational resilience.

Orbit Diligence

Operational Due Diligence

Our Operational Due Diligence solution, hosted on the Orbit Risk platform, is built to meet the demands of modern ODD. With automated data collection, AI-powered monitoring for reputational risks, and customisable risk dashboards, our technology helps you enhance oversight, streamline assessments, and gain real-time insights into third-party risk.