In June 2025, JANA and the Association of Superannuation Funds of Australia (ASFA) released a draft Guidance Note on Investment Management Operational Due Diligence for consultation with ASFA’s membership. The note is a practical toolbox for superannuation trustees (RSE licence‑holders) and fund managers, helping them meet the heightened operational risk obligations introduced by APRA’s new prudential standards.
Background
ASFA Guidance Notes are intended to provide superannuation trustees and funds with information and guidance about ways of working that benefit members and the superannuation industry.
In November 2024, ASFA and JANA Investment Advisers announced “a cross-industry collaboration to replace and uplift previous industry guidance around investment management operational due diligence.” The resulting new ASFA guidance note aims to provide support for superannuation funds as they prepare for APRA’s Prudential Standard, CPS230 Operational Risk Management (the guidance may also apply to asset owners across other APRA-regulated industries), and CPS 234 (Information Security), which both came into effect on 1 July 2025. The draft note also aligns with SPS 231 Material Outsourcing, ensuring a consistent approach across APRA‑regulated entities.
How has CPS230 driven these developments?
According to ASFA, CPS230 represents “a significant uplift to the regulatory requirements for operational risk management.” It demands that banks, insurers and superannuation institutions strengthen their resilience pertaining to operational risk, third-party service provider risk and business continuity.
The big change is that it requires these organisations to be proactive rather than reactive in their due diligence.
The key obligations of this Prudential Standard are that an APRA-regulated entity must:
- Identify, assess and manage its operational risks, with effective internal controls, monitoring and remediation.
- Be able to continue to deliver its critical operations within tolerance levels through severe disruptions, with a credible business continuity plan (BCP).
- Effectively manage the risks associated with service providers, with a comprehensive service provider management policy, formal agreements and robust monitoring.
About the Investment Management Operational Due Diligence Guidance Note 2025
This note provides comprehensive guidance for superannuation trustees (RSE licensees) and funds on conducting operational due diligence (ODD) for investment managers, with proposed updates that aim to strengthen operational resilience and ensure investment managers are demonstrating effective risk management as they support the long-term objectives of superannuation funds.
The Guidance Note is divided into enterprise-level and investment-type categories (listed asset classes/open-ended pooled funds and real asset classes/closed-end funds) to streamline the review process and avoid duplication.
Key areas of focus
- Organisational structure and ownership: Assess the investment manager’s legal structure, financial stability, insurance coverage, and risk culture.
- Personnel: Evaluate succession planning, diversity, equity, inclusion, remuneration, performance management, training, and recruitment processes.
- Governance: Review governance frameworks, risk culture, compliance, conflicts of interest, and internal/external audit processes.
- Trading processes and operational functions: Ensure robust trading policies, systems, and compliance with mandates for listed and real asset classes.
- Valuations: Assess valuation processes for listed and unlisted assets, focusing on transparency, independence, and robustness.
- IT systems and security: Evaluate IT governance, infrastructure, cybersecurity, data security, change management and AI usage.
- Business continuity: Assess business continuity plans (BCP), disaster recovery plans (DRP), and call tree testing.
- Service provider oversight: Ensure proper due diligence, monitoring, and governance of material service providers.
- Environmental, Social, and Corporate Governance (ESG): Assess corporate ESG programs, climate change risk, regulatory monitoring, and investment application of ESG factors.
Key takeaways
The draft Guidance Note emphasises the importance of tailored ODD practices based on the RSE’s risk appetite and investment strategy.
- It provides detailed criteria, examples, and good practices for evaluating investment managers across various operational aspects.
- It highlights the need for ongoing monitoring and periodic reviews to ensure alignment with regulatory standards and industry best practices.
- The guidance is not a substitute for professional advice and should be adapted to individual circumstances.
The shift to proactive risk management
The shift from reactive to proactive risk management within ODD aligns with the growing recognition that operational failures - ranging from inadequate cybersecurity defences to governance breakdowns - pose significant risks to institutional portfolios.
ODD involves analysing the philosophy, people, and processes of investment managers to ensure they can fulfil their roles in meeting investment strategies and objectives.
This review process should always be conducted by qualified professionals (internal teams or external providers) who are independent of the investment manager. It should include desktop reviews, questionnaires, and on-site due diligence. An effective ODD process results in a comprehensive report that outlines operational risks, helping RSEs to assess and monitor investment managers, and mitigate risk.
Proactive due diligence adds value
When a collapse or significant failure happens in a financial services company, the resulting inquiry always reveals a few basic steps that could have been taken to mitigate the damage. Unfortunately, this means that risk teams are often left playing catch-up after the event.
At Thomas Murray, we believe that risk professionals should be spending more time on preventative procedures, questions, and testing before incidents occur - being proactive, not reactive.
Read our new framework document, Operational Due Diligence: A Playbook for Asset Owners and Allocators, which is designed to help asset owners address the challenge of modern risk management.