  • CPS 230 - Operational Readiness and Resilience

    APRA's Prudential Standards

    Promoting a Stable and Efficient Financial System in Australia

APRA'S PRUDENTIAL FRAMEWORK

Australian Prudential Regulation Authority (APRA) sets legal requirements and guidance for the entities it regulates (the prudential framework). 


The prudential framework comprises:  

  • legally binding prudential standards  
  • legally binding reporting standards  
  • supporting guidance (such as prudential practice guides). 

01

Building your project

Let us help create the framework and set up a plan of action to execute the project.


02

Achieving your goals

Ensuring that the objectives and outcomes of your project are aligned with your current and future commercial needs and with your regulatory obligations.

Why Partner with Discidium?

Partnering with us to implement the Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 230 Operational Risk Management offers significant benefits to regulated entities. CPS 230 is a substantial evolution in the regulatory landscape: it demands a more integrated, proactive and resilient approach to managing operational risk, maintaining business continuity and overseeing third-party service providers. The complexity of interpreting and applying the standard, together with firm compliance timelines, makes Discidium's expertise and guidance a valuable asset.

APRA's CPS 230


Summary of CPS 230 and its Origins

APRA (Australian Prudential Regulation Authority) introduced Prudential Standard CPS 230 Operational Risk Management (APRA CPS 230) to enhance the operational resilience of financial institutions and protect the broader financial system from disruptions. CPS 230 sets out requirements for managing operational risks, ensuring business continuity, and overseeing third-party service providers. The goal is to mitigate risks that could disrupt critical financial services and so maintain the stability of the financial system. The standard comes into effect on 1 July 2025, and APRA expects regulated entities to prepare proactively for implementation.

Required Areas of Compliance

CPS 230 sets out requirements to enhance the operational resilience and risk management practices of APRA-regulated entities. The main focus areas are operational risk management, business continuity, and third-party service provider management, along with additional requirements for governance, incident management, and ongoing monitoring.

APRA Timelines & Key Milestones

  • Mid-2024: Identify Material Service Providers and Critical Operations.
  • End of 2024: Entities positioned to set tolerance levels.
  • 1 July 2025: CPS 230 commences.
  • 1 October 2025: First submission of the Material Service Provider register to APRA.
  • 1 July 2026: End of the transition period for pre-existing contractual arrangements with service providers; all CPS 230 requirements are in effect for all entities.

Standards Being Replaced

CPS 230 replaces five existing prudential standards. The two cross-industry standards it replaces are:

  • CPS 231 (Outsourcing).
  • CPS 232 (Business Continuity Management).

Additionally, it replaces 

  • SPS 231 (Outsourcing - Superannuation), 
  • SPS 232 (Business Continuity Management - Superannuation), and 
  • HPS 231 (Outsourcing - Private Health Insurance). 


APRA introduced CPS 230 to address gaps in the existing framework and enhance the operational resilience of APRA-regulated entities through a unified approach.

Playbook for Executives

Board Responsibilities & Risks

Below we outline the critical responsibilities that Board members and senior executives of APRA-regulated entities must discharge under Prudential Standard CPS 230 Operational Risk Management, along with the associated risks. The standard aims to strengthen operational resilience so that entities can manage disruptions, maintain critical operations and effectively oversee third-party service providers. Non-compliance can lead to significant financial, operational, and reputational repercussions.

Board Engagement

Board members and senior executives must proactively engage in understanding and implementing these requirements to ensure the operational resilience and regulatory compliance of their organizations. This necessitates a coordinated, organization-wide effort with clear accountabilities and robust processes for ongoing monitoring and improvement. Technology and automation can significantly streamline compliance efforts and enhance the effectiveness of operational risk management practices. Regular communication with APRA and a commitment to continuous improvement are also essential for navigating this evolving regulatory landscape.

Enhanced Governance and Accountability

RISKS 

Failure to establish clear governance and accountability structures can lead to a lack of ownership and oversight of operational risks, increasing the likelihood of disruptions and non-compliance. This can result in APRA requiring independent reviews, remediation programs, or imposing conditions on the entity's license.

Comprehensive Operational Risk Management

RISKS 

Failure to effectively manage operational risks across these areas can lead to control failures, disruptions to critical operations, and regulatory breaches. Inadequate IT capabilities or insufficient monitoring can increase vulnerability to cyber threats and data breaches. Weaknesses in risk assessment and control testing can lead to unidentified vulnerabilities and a failure to meet tolerance levels.

Robust Business Continuity Management

RISKS 

Deficiencies in business continuity planning and testing can severely impact an entity's ability to respond to disruptions, leading to prolonged outages, data loss, and an inability to deliver critical services. Failure to set appropriate tolerance levels or to notify APRA of significant disruptions can result in regulatory scrutiny and potential penalties.

Effective Management of Service Provider Arrangements

RISKS 

Ineffective management of service provider arrangements can expose entities to significant operational risks, including service disruptions, data breaches, and regulatory non-compliance. Failure to conduct adequate due diligence, establish robust contracts, or monitor performance can lead to reliance on unreliable or non-compliant providers, potentially impacting critical operations and customer trust.

Playbook for Managers

Managers Responsibilities

This playbook outlines the steps by which managers and analysts can systematically execute the implementation of the CPS 230 program, ensuring the organization meets the regulatory requirements and strengthens its operational resilience.

Key Considerations for Managers & Analysts

  • Proactive Approach: Start early and maintain momentum in implementation.
  • Collaboration: Foster collaboration across different teams (risk, compliance, IT, business units).
  • Risk-Based Approach: Focus efforts on the most critical operations and material service providers based on risk.
  • Granularity: Determine the appropriate level of detail for process mapping and risk assessments, focusing on customer impact.
  • Data Quality: Ensure risk reporting is based on robust and quality data.
  • Documentation: Maintain thorough and up-to-date documentation for all aspects of CPS 230 compliance.
  • Communication: Maintain clear communication with the Board, senior management, and APRA.
  • Continuous Improvement: Compliance is not a one-time event; continuously assess and improve operational resilience practices.


Understanding CPS 230 & Establishing Governance

  • Understand the Objectives and Scope of CPS 230
  • Establish Clear Governance and Accountability

Developing the Operational Resilience Framework

  • Identify Critical Operations
  • Define and Refine Tolerance Levels
  • Conduct Operational Risk Assessment
  • Design, Implement, and Test Internal Controls

Enhancing Business Continuity Planning (BCP)

  • Maintain a Credible BCP
  • Test the BCP Regularly
  • Review and Update the BCP

Strengthening Service Provider Management

  • Develop a Comprehensive Service Provider Management Policy
  • Identify and Manage Material Service Providers (MSPs)
  • Conduct Due Diligence and Manage Contracts
  • Manage Fourth-Party Risks
  • Monitor, Review, and Report on MSPs

Implement Incident Management & Ongoing Compliance

  • Implement Incident Management Processes
  • Notify APRA of Disruptions to Critical Operations
  • Notify APRA of Material Service Provider Arrangements
  • Maintain Documentation and Compliance

Leveraging Technology and External Partnerships

  • Leverage Technology
  • Consider External Partnerships

APRA's CPS 230 - Executive Playbook Details

Exec Playbook - Enhanced Governance and Accountability

Enhanced Governance

  • Board Accountability: The Board holds ultimate accountability for the oversight of the entity's operational risk management, encompassing business continuity and the management of service provider arrangements. This signifies a strong expectation from APRA that the Board takes ownership and ensures these areas are effectively managed across the entire business. For instance, the Board must ensure sufficient resources (time, money, people) are allocated to build and maintain a robust operational resilience framework.

  • Clear Roles and Responsibilities for Senior Management: The Board must ensure that the entity sets clear roles and responsibilities for senior managers in operational risk management, including business continuity and service provider management. This necessitates well-defined accountability across the three lines of defense and end-to-end business processes, aligned with accountability statements under the Financial Accountability Regime (FAR).

  • Board Oversight of Operational Risk Management: The Board is responsible for overseeing operational risk management and the effectiveness of key internal controls in maintaining the entity's operational risk profile within the defined risk appetite. Regular updates on the operational risk profile must be provided to the Board, and they must ensure senior management takes necessary actions to address any areas of concern. For example, if control testing reveals failures or deficiencies, these must be reported to the Board along with specific remediation actions.

  • Approval of Business Continuity Plans and Tolerance Levels: The Board must approve the Business Continuity Plan (BCP) and the tolerance levels for disruptions to critical operations. This includes tolerance levels for the maximum period of disruption, the maximum extent of data loss, and minimum service levels during alternative arrangements. The Board must also review the results of BCP testing and oversee the execution of any identified findings.

  • Approval of Service Provider Management Policy and Review of Material Service Providers: The Board is required to approve the service provider management policy and review risk and performance reporting on material service providers. This ensures board-level awareness of all material service providers and their compliance with the entity's policies, due diligence processes, and risk assessments.

  • Understanding Impact of Strategic Decisions: Senior management must provide the Board with clear and comprehensive information on the expected impacts on the entity's critical operations when strategic decisions are being made that could affect the resilience of these operations. This ensures the Board considers resilience implications in all significant business choices.

Exec Playbook - Comprehensive Operational Risk Management

Comprehensive Operational Risk Management

  • Managing the Full Range of Operational Risks: Entities must manage the full spectrum of operational risks, including but not limited to legal, regulatory, compliance, conduct, technology, data, and change management risks. Senior management holds responsibility for operational risk management across all end-to-end business operations.

  • Maintaining Appropriate Information and IT Capability: Entities must maintain appropriate and sound information and information technology (IT) capabilities to meet current and projected business requirements and to support critical operations and risk management. This includes monitoring the age and health of information assets and meeting the information security requirements of Prudential Standard CPS 234.

  • Operational Risk Profile and Assessment: A comprehensive assessment of the operational risk profile must be maintained, including the impact of business and strategic decisions on this profile and operational resilience. This includes assessing the impact of new products, services, geographies, and technologies.

  • Information Systems for Monitoring: Entities must maintain appropriate and effective information systems to monitor operational risk, compile and analyze operational risk data, and facilitate reporting to the Board and senior management.

  • Documentation of Critical Operations: Processes and resources needed to deliver critical operations must be identified and documented. This includes people, technology, information, facilities, and service providers, along with their interdependencies, associated risks, obligations, key data, and controls.

  • Scenario Analysis: Undertaking scenario analysis is crucial to identify and assess the potential impact of severe operational risk events, test operational resilience, and identify the need for new or amended controls and mitigation strategies.

  • Design, Implementation, and Embedding of Internal Controls: Internal controls must be designed, implemented, and embedded to mitigate operational risks in line with the risk appetite and meet compliance obligations.

  • Monitoring, Review, and Testing of Controls: Controls must be regularly monitored, reviewed, and tested for design and operating effectiveness, with the frequency aligned with the materiality of the risks being controlled. Testing results must be reported to senior management, and any gaps or deficiencies must be rectified promptly.

  • Remediation of Material Weaknesses: Material weaknesses in operational risk management, including control gaps, weaknesses, and failures, must be remediated. This remediation requires clear accountabilities, assurance, and addressing the root causes in a timely manner. Identified weaknesses must be included in the operational risk profile until resolved.

  • Operational Risk Incident Management: Operational risk incidents and near misses must be identified, escalated, recorded, and addressed promptly. These incidents and near misses must be considered in the assessment of the operational risk profile and control effectiveness.

  • Notification of Material Operational Risk Incidents: APRA must be notified as soon as possible, and no later than 72 hours, after becoming aware of an operational risk incident likely to have a material financial impact or a material impact on the ability to maintain critical operations.

Exec Playbook - Robust Business Continuity Management

Robust Business Continuity Management

  • Definition, Identification, and Register of Critical Operations: Entities must define, identify, and maintain a register of their critical operations. Critical operations are processes that, if disrupted beyond tolerance levels, would have a material adverse impact on customers or the financial system. APRA specifies minimum critical operations for different entity types.

  • Minimizing Likelihood and Impact of Disruptions: Reasonable steps must be taken to minimize the likelihood and impact of disruptions to critical operations.

  • Credible Business Continuity Plan (BCP): A credible BCP must be maintained, outlining how critical operations would be maintained within tolerance levels through disruptions, including disaster recovery planning for critical information assets. The BCP requires Board approval.

  • BCP Activation: The BCP must be activated if needed during a disruption.

  • Prompt Return to Normal Operations: Entities must ensure a prompt return to normal operations after a disruption.

  • Tolerance Levels for Critical Operations: For each critical operation, tolerance levels must be established for the maximum period of disruption, maximum data loss, and minimum service levels. Failure to meet these levels must be reported to the Board. APRA can review and change these tolerance levels or set them if heightened risk or material weakness is identified.

  • BCP Content: The BCP must include the register of critical operations and tolerance levels, triggers for activation, actions to maintain operations, assessment of execution risks, required resources, preparatory measures, and a communications strategy.

  • Maintenance of Capabilities: The capabilities to execute the BCP, including access to people, resources, and technology, must be maintained.

  • Notification of Disruptions Outside Tolerance: APRA must be notified as soon as possible, and no later than 24 hours, if a disruption to a critical operation occurs outside tolerance levels. The notification must detail the nature of the disruption, actions taken, likely impact, and timeframe for recovery.

  • Systematic Testing Program: A systematic testing program for the BCP, covering all critical operations and including an annual business continuity exercise, is mandatory. Testing must assess the BCP's effectiveness and the ability to meet tolerance levels in severe but plausible scenarios, including disruptions to material service providers. APRA may require testing against specific scenarios.

  • Annual BCP Update: The BCP must be updated annually, reflecting changes in legal or organizational structure, business mix, strategy, risk profile, or shortcomings identified during review and testing.

  • Internal Audit Review: The internal audit function must periodically review the BCP and provide assurance to the Board regarding its credibility and the adequacy of testing procedures.

Exec Playbook - Effective Management of Service Provider Arrangements

Effective Management of Service Provider Arrangements

  • Comprehensive Service Provider Management Policy: A comprehensive service provider management policy must be maintained, covering the identification of material service providers and the management of all service provider arrangements, including associated material risks. The policy requires Board approval.

  • Identification and Register of Material Service Providers: Material service providers, those relied upon for critical operations or that expose the entity to material operational risk, must be identified and a register maintained. This register must be submitted to APRA annually. APRA can classify service providers as material.

  • Policy Content: The policy must detail the entity's approach to entering into, monitoring, substituting, and exiting agreements with material service providers; managing risks associated with these providers; and managing risks associated with fourth parties that material service providers rely on to deliver critical operations.

  • Material Arrangements: Material arrangements, those relied upon for critical operations or posing material operational risk, are subject to specific requirements.

  • Due Diligence: Before entering into or materially modifying a material arrangement, appropriate due diligence must be undertaken, including assessing the service provider's ongoing ability to provide the service and evaluating financial and non-financial risks, including those related to geographic location and concentration.

  • Formal Agreements: Formal, legally binding agreements must be maintained for all material arrangements, including specific clauses related to services, service levels, rights, responsibilities, data ownership, dispute resolution, audit access, liability, indemnity, legal and compliance obligations, notification of sub-contracting to other material service providers, liability for sub-contractor failures, force majeure, and termination rights (including for RSE licensees acting in beneficiaries' best financial interests). These agreements must also grant APRA access to documentation, data, and the right to conduct on-site visits.

  • Risk Management for Material Arrangements: Risks affecting the service provider's ongoing ability to provide the service and risks to the entity resulting from the arrangement (e.g., step-in risk, contagion risk) must be identified and managed. Entities must ensure they can execute their BCP and conduct an orderly exit from the arrangement if needed.

  • Monitoring and Reporting: Senior management must receive regular reports on material arrangements commensurate with their nature and usage. This includes assessing performance against service levels, the effectiveness of controls, and compliance with the agreement by both parties.

  • Notifications to APRA: APRA must be notified as soon as possible and within 20 business days after entering into or materially changing an agreement for a service relied upon for a critical operation. Prior notification is required for any material offshoring arrangement or significant changes to such arrangements.

  • Internal Audit Review: Internal audit must review any proposed material arrangement involving outsourcing a critical operation and regularly report to the Board or Board Audit Committee on compliance with the service provider management policy.

APRA's CPS 230 - Managers Playbook Details

Managers Playbook - Understanding CPS 230 & Establishing Governance

Understanding CPS 230 & Establishing Governance

Understand the Objectives and Scope of CPS 230

    • CPS 230 is a prudential standard introduced by the Australian Prudential Regulation Authority (APRA) to enhance the operational resilience of financial institutions and protect the broader financial system from disruptions.
    • It aims to ensure that APRA-regulated entities effectively manage operational risks, maintain critical operations through disruptions, and manage the risks arising from service providers.
    • CPS 230 applies to a broad range of financial entities regulated by APRA, including banks, credit unions, insurers, superannuation funds, and other financial institutions.
    • It replaces five existing prudential standards related to outsourcing and business continuity management across banking, insurance, and superannuation.
    • The implementation of CPS 230 has a hard deadline of 1 July 2025. For pre-existing contractual arrangements with service providers, the requirements apply from the earlier of the next renewal date or 1 July 2026.
    • APRA expects regulated entities to be proactive in preparing for implementation.

Establish Clear Governance and Accountability

    • The Board of an APRA-regulated entity is ultimately accountable for the oversight of the entity’s operational risk management, including business continuity and the management of service provider arrangements.
    • The Board must ensure that the entity sets clear roles and responsibilities for senior managers for operational risk management, business continuity, and service provider arrangements.
    • Managers and analysts should document these roles and responsibilities clearly.
    • The Board must oversee operational risk management and the effectiveness of key internal controls, ensuring senior management addresses any areas of concern.
    • Regular updates on the operational risk profile must be provided to the Board.
    • The Board must approve the Business Continuity Plan (BCP) and tolerance levels for disruptions to critical operations.
    • The results of BCP testing must be reviewed by the Board, and they must oversee the execution of any findings.
    • The Board must approve the service provider management policy and review risk and performance reporting on material service providers.
    • Senior management is responsible for operational risk management across the end-to-end process for all business operations, including legal, regulatory, compliance, conduct, technology, data, and change management risks.

Managers Playbook - Developing the Operational Resilience Framework

Developing the Operational Resilience Framework

Identify Critical Operations

    • This is the first step regulated entities should take; APRA set a mid-2024 expectation for completing it.
    • Critical operations are processes undertaken by the entity or its service provider which, if disrupted beyond tolerance levels, would have a material adverse impact on depositors, policyholders, beneficiaries, or the financial system.
    • Managers and analysts should use a scorecard approach to assess operations against agreed criteria, such as those in APRA’s Prudential Practice Guide CPG 230.
    • A top-down approach ensures material risks are identified and prioritized.
    • At a minimum, entities must classify certain business operations as critical unless they can justify otherwise. These include payments, deposit-taking, claims processing, investment management, fund administration, and customer enquiries.
    • Document the identified critical operations and the processes and resources needed to deliver them.

Define and Refine Tolerance Levels

    • For each critical operation, establish tolerance levels for the maximum period of disruption, the maximum extent of data loss, and minimum service levels during alternative arrangements. APRA expects entities to be positioned to set these by the end of 2024.
    • Managers and analysts should document the interdependencies between tolerance levels, BCPs, and service provider arrangements.
    • Tolerance levels should be regularly reassessed based on lessons from disruptions, testing, scenario analysis, and industry practices.
    • APRA may require entities to review and change their tolerance levels or may set them where heightened risk or material weakness is identified.

Conduct Operational Risk Assessment

    • Maintain a comprehensive assessment of the operational risk profile.
    • Assess the impact of business and strategic decisions on the operational risk profile.
    • Identify and assess operational risks that may result from inadequate processes, people, systems, or external events.
    • Regularly update the risk profile in response to changing strategy, risk environment, or business mix.
    • Maintain appropriate information systems to monitor operational risk, compile and analyze data, and facilitate reporting.

Design, Implement, and Test Internal Controls

    • Design, implement, and embed internal controls to mitigate operational risks in line with risk appetite and compliance obligations.
    • Regularly monitor, review, and test controls for design and operating effectiveness. The frequency should be commensurate with the materiality of the risks.
    • Report testing results to senior management and rectify any gaps or deficiencies promptly.
    • Implement a program for the remediation of material weaknesses, with clear accountabilities and root cause analysis.

Managers Playbook - Enhancing Business Continuity Planning (BCP)

Enhancing Business Continuity Planning (BCP)

Maintain a Credible BCP

    • The BCP must set out how the entity would maintain its critical operations within tolerance levels through disruptions, including disaster recovery for critical information assets.
    • It should include the register of critical operations and tolerance levels, triggers for activation, actions to maintain critical operations, assessment of execution risks, and a communications strategy.
    • Ensure the BCP is consistent with recovery and exit planning.

Test the BCP Regularly

    • Have a systematic testing program covering all critical operations, including an annual business continuity exercise.
    • Testing should assess the BCP's effectiveness and the ability to meet tolerance levels in severe but plausible scenarios, including disruptions to material service providers. APRA may require the inclusion of specific scenarios.
    • Document testing scenarios, findings, and remediation plans.

Review and Update the BCP

    • Update the BCP at least annually and after any material changes or shortcomings identified during testing or actual disruptions.
    • Internal audit must periodically review the BCP and provide assurance to the Board on its credibility.

Managers Playbook - Strengthening Service Provider Management

Strengthening Service Provider Management

Develop a Comprehensive Service Provider Management Policy

    • The policy must cover how the entity will identify material service providers and manage service provider arrangements, including material risks and fourth-party risks.
    • It should outline the approach to entering into, monitoring, substituting, and exiting agreements.

Identify and Manage Material Service Providers (MSPs)

    • MSPs are those relied on for a critical operation or that expose the entity to material operational risk.
    • Maintain a register of MSPs and the material risks associated with them. This register must be submitted to APRA annually, with the first submission due by 1 October 2025. APRA will provide a template.
    • APRA has a minimum list of service providers that must be classified as material unless justified otherwise.

Conduct Due Diligence and Manage Contracts

    • Before entering into or materially modifying a material arrangement, undertake appropriate due diligence and assess financial and non-financial risks, including those related to geographic location and concentration.
    • Maintain formal, legally binding agreements for all material arrangements that specify services, service levels, rights, responsibilities, data ownership, dispute resolution, audit access, liability, indemnity, compliance provisions, data breach notifications, termination rights (including for inconsistency with beneficiaries' best financial interests for RSE licensees), and force majeure.
    • Contracts must include provisions for APRA access to documentation, data, and on-site visits.
    • Manage risks that could affect the MSP's ability to provide services and risks to the entity resulting from the arrangement, such as step-in risk and contagion risk.

Manage Fourth-Party Risks

    • The service provider management policy must include the approach to managing risks associated with fourth parties that MSPs rely on for critical operations.
    • Take reasonable steps to identify fourth parties involved in the delivery of critical operations and list them in the MSP register.

Monitor, Review, and Report on MSPs

    • Monitor and ensure senior management receives reporting on material arrangements, including performance against SLAs, effectiveness of controls, and compliance with agreements.
    • Internal audit must review proposed material arrangements involving critical operations and regularly report to the Board or Board Audit Committee on compliance with the service provider management policy.

Managers Playbook - Implement Incident Management & Ongoing Compliance

Implement Incident Management & Ongoing Compliance

Implement Incident Management Processes

    • Ensure operational risk incidents and near misses are identified, escalated, recorded, and addressed promptly.
    • Take incidents and near misses into account in the assessment of the operational risk profile and control effectiveness.
    • Notify APRA as soon as possible, and not later than 72 hours, after becoming aware of an operational risk incident likely to have a material financial impact or a material impact on the ability to maintain critical operations. An information security incident already notified under CPS 234 does not need to be reported again under CPS 230.

Notify APRA of Disruptions to Critical Operations

    • Notify APRA as soon as possible, and not later than 24 hours, after a disruption to a critical operation occurs outside tolerance levels. The notification must cover the nature of the disruption, actions taken, likely impact, and timeframe for returning to normal operations.

Notify APRA of Material Service Provider Arrangements

    • Notify APRA as soon as possible, and not more than 20 business days after entering into or materially changing an agreement for a service on which the entity relies for a critical operation.
    • Notify APRA prior to entering into any material offshoring arrangement or making a significant change to such an arrangement.
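The tolerance levels defined earlier (maximum period of disruption, maximum data loss, minimum service level) and the three notification clocks above (24 hours for an out-of-tolerance disruption, 72 hours for a material incident, 20 business days for a material service provider agreement) are the kind of rules a GRC or incident-management team ends up automating. The following Python is an added example, not code from this page or from APRA: it evaluates a recorded disruption against its tolerance levels and computes the latest permissible notification time for each obligation. Its assumptions are labelled: timestamps are UTC, "business days" are weekdays minus a caller-supplied public-holiday list (the page does not define the term), exactly meeting a tolerance level counts as still within tolerance, and all sample data is constructed.

```python
# Added example (not APRA's text or this page's code): check a disruption against
# CPS 230 tolerance levels and compute APRA notification deadlines.
# Assumptions: UTC timestamps; business days exclude weekends plus caller-supplied
# holidays; equality with a tolerance level is treated as within tolerance.
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone


@dataclass(frozen=True)
class ToleranceLevel:
    """Board-approved tolerance levels for one critical operation."""
    max_disruption: timedelta        # maximum period of disruption
    max_data_loss: timedelta         # maximum extent of data loss
    min_service_level_pct: float     # minimum service level under alternative arrangements


@dataclass(frozen=True)
class Disruption:
    """Observed impact of one disruption, as recorded by incident management."""
    critical_operation: str
    became_aware_at: datetime        # when the entity became aware of the disruption
    duration: timedelta
    data_loss: timedelta
    service_level_pct: float


def breached_tolerances(d: Disruption, t: ToleranceLevel) -> list[str]:
    """Names of the tolerance levels the disruption exceeds (empty if within tolerance)."""
    breaches = []
    if d.duration > t.max_disruption:
        breaches.append("max_disruption")
    if d.data_loss > t.max_data_loss:
        breaches.append("max_data_loss")
    if d.service_level_pct < t.min_service_level_pct:
        breaches.append("min_service_level")
    return breaches


def disruption_notification_deadline(d: Disruption, t: ToleranceLevel) -> datetime | None:
    """Latest time to notify APRA of a disruption outside tolerance: 24 hours from awareness.
    None when every tolerance level was met, since no CPS 230 notification is triggered."""
    if not breached_tolerances(d, t):
        return None
    return d.became_aware_at + timedelta(hours=24)


def incident_notification_deadline(became_aware_at: datetime, material: bool,
                                   notified_under_cps234: bool) -> datetime | None:
    """Latest time to notify APRA of a material operational risk incident: 72 hours from
    awareness. An incident already notified under CPS 234 needs no second notification."""
    if not material or notified_under_cps234:
        return None
    return became_aware_at + timedelta(hours=72)


def add_business_days(start: date, n: int, holidays: frozenset[date] = frozenset()) -> date:
    """Advance n business days from start, skipping Saturdays, Sundays and supplied holidays.
    The start date itself does not count, so a Friday start plus 1 business day is Monday."""
    day, remaining = start, n
    while remaining > 0:
        day += timedelta(days=1)
        if day.weekday() < 5 and day not in holidays:
            remaining -= 1
    return day


def msp_agreement_notification_deadline(agreed_on: date,
                                        holidays: frozenset[date] = frozenset()) -> date:
    """Latest date to notify APRA after entering into or materially changing an agreement
    relied on for a critical operation: 20 business days."""
    return add_business_days(agreed_on, 20, holidays)


# Constructed sample data (no real entity, incident, or APRA dates).
SAMPLE_TOLERANCE = ToleranceLevel(max_disruption=timedelta(hours=4),
                                  max_data_loss=timedelta(minutes=15),
                                  min_service_level_pct=80.0)
SAMPLE_OUTAGE = Disruption("payments", datetime(2025, 7, 10, 9, 0, tzinfo=timezone.utc),
                           duration=timedelta(hours=6), data_loss=timedelta(minutes=5),
                           service_level_pct=90.0)
SAMPLE_AT_LIMIT = Disruption("payments", datetime(2025, 7, 10, 9, 0, tzinfo=timezone.utc),
                             duration=timedelta(hours=4), data_loss=timedelta(minutes=15),
                             service_level_pct=80.0)
SAMPLE_AGREED_ON = date(2025, 7, 11)                # a Friday
SAMPLE_HOLIDAYS = frozenset({date(2025, 8, 4)})     # a constructed Monday public holiday


def evaluate_sample() -> dict:
    """Run the checks above over the constructed sample and return plain values."""
    outage_deadline = disruption_notification_deadline(SAMPLE_OUTAGE, SAMPLE_TOLERANCE)
    aware = SAMPLE_OUTAGE.became_aware_at
    return {
        "outage_breaches": breached_tolerances(SAMPLE_OUTAGE, SAMPLE_TOLERANCE),
        "outage_deadline": outage_deadline.isoformat() if outage_deadline else None,
        "at_limit_breaches": breached_tolerances(SAMPLE_AT_LIMIT, SAMPLE_TOLERANCE),
        "at_limit_deadline": disruption_notification_deadline(SAMPLE_AT_LIMIT, SAMPLE_TOLERANCE),
        "incident_deadline": incident_notification_deadline(aware, True, False).isoformat(),
        "incident_deadline_if_cps234_notified": incident_notification_deadline(aware, True, True),
        "msp_deadline": msp_agreement_notification_deadline(SAMPLE_AGREED_ON).isoformat(),
        "msp_deadline_with_holiday": msp_agreement_notification_deadline(
            SAMPLE_AGREED_ON, SAMPLE_HOLIDAYS).isoformat(),
    }


if __name__ == "__main__":
    for key, value in evaluate_sample().items():
        print(f"{key}: {value}")
```

Two points the code makes explicit that prose tends to blur: the notification clocks start when the entity becomes aware, not when the disruption began, so the detection timestamp is the one worth recording accurately; and a business-day deadline that ignores public holidays will be a day early or late, so the holiday calendar is an input, not a constant.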

Maintain Documentation and Compliance

    • Maintain accurate and comprehensive documentation of operational risk assessments, BCPs, third-party due diligence, incident reports, and test results.
    • Update documentation regularly to reflect changes.
    • Be prepared to provide documentation to APRA upon request.
    • Consider using GRC software to manage and track compliance.

Managers Playbook - Leveraging Technology and External Partnerships

Leveraging Technology and External Partnerships

Leverage Technology

    • Adopt appropriate technologies and tools (GRC, process management, IT asset management, BCP, supplier management software) to increase effectiveness and efficiency.
    • Consider cloud services and their shared responsibility model for operational resilience. Some key vendors provide resources to help Registrable Superannuation Entities (RSEs) comply with CPS 230.
    • Utilize automation to speed up repetitive tasks, reduce errors, handle large data volumes, and improve monitoring and reporting.

Consider External Partnerships

    • Engage with regulators, other regulated entities, existing suppliers, and external experts for guidance and expertise.
    • Specialized consulting firms can assist with setting up TPRM capabilities or managing the process.
    • Consider managed service partners for TPRM.