Jan 24, 2024

With advancements and innovations in technology and systems in the financial services sector, operational risks are continually evolving, oftentimes at a faster pace than the delivery of those very advancements and innovations.

Spam, phishing, and denial-of-service (DoS) attacks are examples of operational risks threatening financial services organisations. These risks did not exist a few decades ago, and a successful attack of any of these kinds could cause large-scale outages of services, reputational damage, and, more recently, the wrath of a regulator.

Technology has become increasingly critical to the functioning of the investment industry, enabling the volumes, speed, and accuracy that the industry demands, as well as allowing customers to predominantly interact with their financial institutions via digital technology. As such, tech downtime today is a critical risk.

Firms Cannot Outsource Risk Management

The reliance on outsourced providers for operations, data, technology, and other parts of critical operations has increased in recent times, partly shifting risk that previously resided only internally. Although this does not shift the responsibility, which firmly remains with the client, it does reduce direct control of the operational risk and introduces the need for different mechanisms to monitor outcomes, which should be aligned with your firm’s risk framework.

Outsourcing, often seen as a cost-savings exercise, can enable growth by offering skill, scale, and technology, but it carries its own unique risks. For more information on outsourcing, check out Cutter’s Outsourcing Solutions Report Update (February 2023).

A common theme amongst regulators across the globe is improving operational resilience. In principle, operational resilience is the ability of financial institutions to continue to operate critical operations during disruptions. The application of these requirements by regulators around the world may differ, but the intent remains the same: essentially, you must be ready for disruptions and have a plan! Below are examples of regulations.

Relevant Regulations:

  1. APRA CPS 230 (Operational risk management)
  2. APRA CPS 220 (Risk management) & APRA SPS 220 (Risk management)
  3. SEC Outsourcing by Investment Advisors (Proposed rule)
  4. European Banking Authority (EBA) EBA/GL/2019/02 (Guidelines on outsourcing arrangements)
  5. The Digital Operational Resilience Act (DORA) (EU) 2022/2554
  6. Bank of England SS2/21 (Outsourcing and third-party risk management)
  7. Bank of England PS 6/21 (Operational resilience)

APRA Cross-industry Prudential Standard (CPS) 230

APRA Cross-industry Prudential Standard (CPS) 230, the focus of this article, aims to ensure that APRA-regulated entities in the superannuation, insurance, and banking industries are resilient to operational risks and disruptions, and that firms establish business continuity plans (BCPs) for when disruptions occur.

While CPS 230 is partly principles-based, it goes into further detail with specific requirements that build on CPS 220 and Superannuation Prudential Standard (SPS) 220. APRA-regulated entities need to develop a holistic framework that encompasses an operational risk management framework, roles and responsibilities, business continuity, and the management of service providers. This is an example of APRA requiring more from its regulated entities through well-documented frameworks, and going further by requiring evidence to back these up (e.g., a Material Service Provider register).

Risk Management Framework

In Australia, many APRA-regulated entities have struggled to meet the minimum operational risk requirements set out by APRA. This is partly due to an evolving threat landscape driven by a spate of new technology, such as identity masking using AI.

Moreover, an entangled web of outsourced providers services these entities. This has proven difficult for trustees to manage effectively, and the difficulty is exacerbated by in-flight, large-scale internal transformation projects that bring an array of challenges beyond operational risk alone. The reliance on cloud-hosted services from multiple cloud providers is another example of a recent technological advancement that needs to be managed. Such global coverage raises further operational risk considerations, such as ringfencing data within known geographical locations, confirming that service providers are adequately managing these requirements, and addressing the associated service concentration risks.

1 July 2025 is the deadline for CPS 230 compliance. APRA has publicly stated that it will be assessing entities from 2024 and therefore expects entities to start work on this now, specifically focusing on the following.

APRA Focus Areas:

  1. Establishing the right governance arrangements
  2. Identifying critical operations and defining material service providers

To begin developing a new organisational mindset, the Prudential Standards for Risk Management CPS 220 and SPS 220 introduce principles-based requirements for operational risk management frameworks. Under CPS 230, however, the standards go into further detail, with the regulator requiring the development and maintenance of the following:

  1. Operational risk governance
  2. Assessment of operational risk profile, with a defined risk appetite (use of indicators, limits, and tolerance levels)
  3. Internal controls for the management of operational risks
  4. Monitoring, analysis, and reporting of operational risks, including escalation steps
  5. BCPs that detail how an entity would identify, manage, and respond to a disruption
  6. Processes for the management of service providers

Roles and Responsibilities

APRA has deemed boards ultimately accountable, through their fiduciary duty, for an entity’s operational risk, business continuity, and management of service provider arrangements. Boards need to oversee operational risk management and the effectiveness of key internal controls, as well as approve the BCP, tolerance levels, and the service provider management policy. In practice, business teams would need to implement and manage the risk management framework and report to the board. To ensure success, firms need to define clear roles and responsibilities. It is crucial to translate the policies into practical application.

Operational Risk Management

CPS 230 states that the full spectrum of risks needs to be considered: operational, legal, regulatory, compliance, conduct, technology, data, change management, and any other associated risks. APRA also states that business and strategic decisions, such as mergers and new products and services, need to consider operational risk and operational resilience.

To assess operational risk effectively, trustees will need to maintain a comprehensive assessment of their operational risk profiles. This means implementing suitable systems to monitor, compile, and analyse the risks; identifying and documenting the processes and resources needed to deliver critical operations; and undertaking scenario analysis to identify and assess operational risk events.

To manage operational risk, APRA-regulated entities need appropriate internal controls. These controls, in turn, need to be regularly monitored, reviewed, and tested. Any material weakness or gaps must be identified and addressed in a timely manner.

Lastly, from an operational risk management perspective, any near misses or actual incidents must be identified, escalated, recorded, and addressed in a timely manner. APRA must also be notified no later than 72 hours after a firm becomes aware of an incident that has a material financial or operational impact.

Business Continuity

This is the area where CPS 230 prescribes an uplift in operational capability. APRA-regulated entities will now need to ensure the continuation of critical operations during incidents, and operational resilience during disruption needs to be built in rather than treated simply as another operational risk.

To achieve this, trustees need to maintain a register of critical operations, take reasonable steps to minimise the likelihood and impact of disruptions, maintain a credible BCP with a clearly defined process for keeping it current, document and rehearse the steps for activating the BCP in a disruption event, and return to normal operations following the event. A BCP needs to include tolerance levels for items on the critical operations register, triggers to identify disruptions, actions to be taken, an assessment of execution risk, resources required, preparatory measures, and a communications strategy.

Management of Service Providers

Under CPS 230, APRA introduces the concept of “Material Service Providers” as “those on which the entity relies to undertake a critical operation or that expose it to material operational risk”. APRA goes into further detail, prescribing which types of service providers are material:

  1. ADIs – credit assessment, funding/liquidity management, and mortgage brokerage
  2. Insurance – underwriting, claims management, insurance brokerage, and reinsurance
  3. RSEs – fund administration, custodial services, investment management, and arrangements with promoters and financial planners
  4. All APRA-regulated entities – risk management, core technology services, and internal audit

Under CPS 230, regulated entities are required to identify and maintain a register of material service providers, together with the material operational risks associated with those service providers. This register must be submitted to APRA annually.

The new standard details obligations both prior to entering into and within legally binding service provider agreements. These include, but are not limited to, appropriate due diligence and selection processes, ongoing assessment of service provider capability, specifics on the services covered, provisions ensuring the provider’s ability to meet legal and compliance obligations, and a force majeure provision, among many others.

When firms consider these obligations, existing vendor and service provider policies and frameworks should be reviewed to ensure they support managing these ongoing operational risks.

How Can We Help?

As a target state, firms should establish a comprehensive and formalised operational risk framework embedded in their processes and people. A pointed assessment such as a Health Check Review performed by Cutter can help ensure policies, processes, and roles and responsibilities are fit for purpose. Individual firms always have specific nuances, such as their service provider list and the individual functions that need to be considered. That is why, as part of a Health Check Review, a detailed assessment of specific functions, interactions, strengths, gaps, and risks is performed.

Cutter tailors projects and, more importantly, project deliverables to the client and its needs. Cutter aims to deliver effective, best-practice client solutions by working collaboratively with clients and drawing on our domain expertise and delivery experience. We provide expertise in the review of, and guidance on, operational risk management frameworks.

Please reach out at [email protected] to receive a brief impact summary for your firm or to speak with a consultant.