APRA have released the final, streamlined version of their Prudential Practice Guide CPG 230 Operational Risk Management[1]. The guidance comes alongside APRA’s response to industry submissions, which has provided limited timeline extensions for some, as well as insights into some of the key areas for focus in CPS 230 implementations[2].
In this blog we will cover:
- Timeline extension for non-SFIs
- Overall view of the streamlined guidance
- Some of the key responses to industry
- Some of the more nuanced changes within the guidance
Dive into CPS 230 with Protecht’s combined guide to CPS 230 compliance and blueprint for enhancing operational risk management:
Timeline extension for business continuity
The major piece of news isn’t related to the guidance itself, but to a limited extension for implementation. For non-SFIs (smaller entities not registered as Significant Financial Institutions) there is an extension on some of the business continuity planning requirements. This primarily relates to the specific inclusions in a business continuity plan and scenario testing, with an extension granted until 1 July 2026. However, if those entities aren’t meeting those new requirements under CPS 230, they still need to meet pre-existing clauses in CPS 232/SPS 232 until they transition.
Overall view of streamlined guidance
APRA responded to feedback on certain paragraphs that suggested ‘better practice’. To avoid confusion that these would be considered de facto requirements, these have been stripped right back (with an impressive 40% reduction in page count). You might want to refer to the previous draft if you found some of the examples useful, but they aren’t requirements. It’s an acknowledgement that there may be multiple ways to achieve alignment with CPS 230, and implementation needs to be commensurate for the size and scope of your organisation.
One of the biggest changes – and most welcome in my eyes – is bringing critical operations front and centre of the operational risk profile. While defining critical operations remains in the business continuity section of the standard itself, the related clauses of the guidance get pulled up into the operational risk management section. This is reinforced by APRA’s comments regarding implementation – having witnessed some bottom-up approaches, they are advocating top-down, starting with identifying critical operations, and then material service providers (personally I’d throw process mapping in the middle to add further clarity).
Responses to industry feedback
Fourth parties
While there was industry feedback regarding challenges with managing fourth parties, APRA reinforced that it remained an expectation. One of the keys to addressing this is to specifically identify your material service providers' own third parties, as well as articulating the approach to managing fourth parties in your service provider management policy. Due to growing demand, we’ve developed reporting in our vendor risk management product to capture fourth parties, which can also help identify concentration risks.
Cohorts of service providers
The management of cohorts of service providers received what I’m sure is welcome clarity for some. If individually they aren’t critical to an operation, then they may not need to be identified as Material Service Providers. However, there is still a need to manage material risks. I recommend entities with these types of cohorts carefully consider concentration risks – those that might undermine the ability of large parts of the cohort to deliver.
Interaction between CPS 230 and CPS 900
Some submissions called out the relationship between CPS 230 and CPS 900 Resolution Planning, the significant overlap between the definitions of critical functions and critical operations, and the treatment of contractual arrangements with service providers. While stripped from the guidance itself, the response provides additional information from APRA on resolution-resilient contracts.
Insurance brokers and reinsurance
For insurers in particular, APRA responded to comments about some of the minimum requirements for material service providers, including brokers and reinsurance. ‘Arm’s length’ transactions such as the purchase of reinsurance do not automatically make the counterparty a material service provider. There needs to be an assessment of whether they are relied upon to support critical operations, or otherwise pose material risk.
Services provided by the same or different legal entity
APRA also reinforced clauses in the standard that services provided by a related entity are material service providers (assuming the services meet that definition). My assessment is that for some smaller entities, this will require a governance shift. There may have been an organic evolution of certain services being provided across a group without formal intercompany agreements in place – services that were not previously covered under outsourcing but now fall under the material service provider definition.
Even within the same legal entity, if the services are provided by another part of the organisation, APRA expects there should be service level agreements in place.
Non-regulated subsidiaries
As an extension to the above, CPS 230 in its entirety should also apply to non-regulated subsidiaries on the assumption that they are part of a group, and the subsidiary could have a material adverse impact on the regulated entity. Technically those entities are not regulated, but APRA adopt a ‘comply or explain’ approach.
Other changes to the guidance
As noted above, the guide is significantly streamlined. Here are a few other changes I noticed between the draft guidance and the final guidance. Remember that the guidance is just that – guidance – and the requirements of the CPS 230 standard are enforceable (or will be as of 1 July 2025).
Compliance and conduct
Compliance and conduct are only mentioned a few times in CPS 230 itself as part of the operational risk profile. Commentary in the final guidance has been removed, but don’t sleep on integrating your compliance management and risk management. To find out more, check out our eBook on integrating compliance and risk or our Academy course on compliance and compliance risk management.
Board control oversight and remediation
The draft guidance indicated that the board should ‘review and challenge the effectiveness of the key control environment’. The final guidance states ‘oversee the effectiveness of key controls’. It might be pedantic, but the former implies the environment as a whole, while the latter implies looking closer at specific controls.
On the flipside, board oversight of remediation of weaknesses seems to have been de-emphasised. The draft guidance proposed board responsibilities might include ‘…deep dive into significant weaknesses…’ which has been adjusted to ‘be kept informed’ of weaknesses and remediation. The former indicates a much more proactive approach from the board.
Material service provider register
There is now an inclusion that makes recommendations about what to include in a material service provider register (paragraph 48 of the guidance). This includes identifying the person responsible for each material arrangement (not just each service provider), identifying the critical operations the arrangement supports or the risks it maps to, and the identification of fourth parties. While the guidance has been streamlined, these all appear to be new.
Conclusions and next steps for your organisation
The guidance is now final, and APRA have responded to industry comments. If you’ve been waiting for the final guidance to be issued before really kicking your CPS 230 implementation program into gear, it’s time to get moving. If you are already along the path, I’m sure any action you’ve taken to date has been ‘no regrets’.
Wherever you are in your journey, Protecht is here to help. Dive into CPS 230 with Protecht’s detailed summary, highlighting its significance and implications for regulated entities. This document serves as both a guide to compliance and a blueprint for enhancing operational risk management. Ensure your organisation is ready to meet the deadline:
We’re also hosting a webinar on material service providers under CPS 230 – join us on Tuesday 25 June to find out the key insights on how you can up your game as a regulated entity, a service provider or both:
References
[1] APRA, June 2024 - Link to document
[2] APRA, June 2024 - Link to webpage