The Australian Prudential Regulation Authority (APRA) has released a new Prudential Standard, CPS 230 Operational Risk Management. This will direct how regulated entities manage operational risk, resilience, and business continuity.
CPS 230 Operational Risk Management (CPS 230) provides a foundation for APRA-regulated entities to:
- Strengthen operational risk management through new requirements to address identified weaknesses in existing controls;
- Improve business continuity planning to ensure they are positioned to respond to severe disruptions; and
- Enhance third-party risk management by ensuring risks from material service providers are appropriately managed.
APRA has also opened a consultation on CPG 230, a Prudential Practice Guide that will assist organizations with their CPS 230 compliance activities.
CPS 230 compliance will be required by 1 July 2025.
APRA Chair John Lonsdale said:
“The need for APRA’s new standard has been demonstrated by a number of recent operational risk control failures and disruptions, including material cyber breaches. This new standard will ensure that regulated entities set and test controls and maintain robust business continuity plans to respond if disruptions do occur.
“We expect regulated entities to be proactive in preparing for implementation, rather than waiting until the last minute to get ready to meet the new requirements. There will be a transition phase for existing contractual arrangements with material service providers for entities that need some flexibility,” Mr Lonsdale said.