Prepared in partnership with CENTRL, ISG GovernX’s AI-powered platform for third-party risk
The revised standards of the Australian Prudential Regulation Authority’s (APRA) CPS 230 Operational Risk Management regulation is set to become effective on July 1, 2025. The aim of CPS 230 is to strengthen the resilience of regulated organisations to manage and respond to operational risks and disruptions posed by COVID-19, technology risks and natural disasters in recent years. The regulation encompasses the risk of loss, resulting from inadequate or failed internal processes, people, systems, or external events. CPS 230 is applicable to all entities, regulated by APRA which includes banks, credit unions, insurance companies and superannuation trustees.
Originally scheduled to commence on January 1, 2024, concerns from the financial services industry regarding the time required to implement for affected organisations, the regulation has been delayed until July 2025. APRA’s CPS 230 will replace existing Prudential Standards which relate to outsourcing business activities to material service providers and will introduce significant changes to governance, compliance, contractual and incident response arrangements.
Material service provider is defined as follows:
- For an ADI (authorised deposit-taking institution): credit assessment, funding and liquidity management, and mortgage brokerage;
- For an insurer (general, life, private health): underwriting, claims management, insurance brokerage, and reinsurance;
- For an RSE licensee (registered superannuation https://www.apra.gov.au/list-of-registered-financial-corporationsentities): fund administration, custodial services, investment management and arrangements with promoters and financial planners; and
- For all APRA-regulated entities: risk management, core technology services and internal audit.
The regulatory framework places a significant emphasis on board involvement in the compliance process, recognising their ultimate accountability. Under these regulations, APRA expects boards to take an active role in supervising operational risk management, endorsing impact tolerance levels, and critically assessing risks associated with an expanded group of material service providers. Concurrently, this new standard firmly positions business line management at the core of overseeing business processes, risks, and controls, signifying a collaborative approach in ensuring compliance and operational resilience. Leadership within affected organisations will need to complete the following:
- Enhance the Governance Arrangement for Oversight of Operational Risk. Emphasises the importance of strong governance structures within financial institutions, ensuring end-to-end operational risk is embedded throughout the organisation from board, senior management, risk functions and business. It requires the establishment of an operational risk management framework that aligns with the overall risk appetite and strategy of the institution.
- Undertake a Holistic Assessment to Identify Material Suppliers. Focuses on expanding from suppliers who perform an outsourced material business activity, to material suppliers relied on for a critical operation or expose the organisation to a material risk. The regulation requires ADIs to identify and assess their operational risks comprehensively, including mapping end-to-end processes, identifying key risk areas, and conducting regular risk assessments.
- Enhance Operational Risk Processes, Controls and Frameworks. Focuses on an organisation's capability to continue to operate, rather than recovery from disruption, emphasising implementation of robust risk mitigation strategies and controls. Financial institutions are expected to have appropriate policies, procedures, and systems in place to manage and monitor effectively.
- Enhance Business Continuity Plans. Identify critical operations, including those identified by APRA, setting appropriate tolerance levels for each function, as well as testing obligations.
- Develop a Board-Approved End-to-End Policy for Managing Material Risk. Highlights the importance of business continuity planning to ensure continued operating in the face of disruptive events. The policy must include the organisation’s supply chain, including subcontractors and fourth parties downstream from the suppliers, directly engaged by the organisation.
- Amend Contractual Arrangements with Material Suppliers. Review and update all contracts with Material Suppliers to ensure compliance.
- Enhance Reporting Processes. Move from “notify APRA of any major disruption” to “notify APRA of any activation of your Business Continuity Plan.” The regulation requires ADIs to establish a robust incident management framework. This includes promptly reporting and investigating operational incidents, identifying root causes, and implementing corrective actions to prevent recurrence.
In order to meet the new regulatory requirements and ensure compliance, organisations must diagnose and prioritise the necessary changes, mobilise change programs, and increase overall operational resilience. Here we will explore considerations for redesigning or updating internal processes to meet CPS 230 requirements, covering the potential impact to management, revised notification and reporting requirements, a summary of CPS changes, and the challenges that may lay ahead for managing suppliers and fourth parties.
Management Impact
The requirements for management of suppliers and fourth parties will change significantly under CPS 230. Under the new Supplier Management Policy, risks stemming from arrangements with suppliers to undertake a critical operation as well as arrangements which expose organisations to material operational risk must be appropriately managed. This includes managing risks associated with any fourth parties, relied upon by material suppliers.
Under CPS 230, the management of risks and requirements will undergo significant changes. The Supplier Management Policy mandates that organisations must have arrangements for conducting critical operations that may expose the organisation to material operational risk. This includes the crucial task of managing risks associated with any fourth parties relied upon by material suppliers.
The new Supplier Management Policy must include:
- register of material suppliers which must be submitted to APRA on an annual basis,
- approaches to changes of such suppliers, and
- approaches to risks associated with such suppliers and any fourth parties they rely on.
Additionally, within the framework of the new policy, a significant focal point involves the revision and modernisation of procurement processes and the procedures for engaging with material service providers. This policy acknowledges the dynamic nature of operational risk in today's financial landscape. As such, it necessitates a thorough overhaul of how financial institutions approach their procurement strategies. This includes the implementation of more rigorous due diligence practices to assess the operational resilience of material suppliers, as well as a heightened focus on contractual agreements that explicitly outline expectations and obligations related to operational resilience. These changes are designed to enhance the institution's overall operational resilience and establish a more adaptable and robust supply chain framework, aligning it more closely with the demands and challenges of modern financial environments.
Processes must ensure that before entering into, renewing or materially modifying an arrangement with a material supplier, organisation must:
- undertake appropriate due diligence
- assess the financial and non-financial risks of relying on a particular Material Supplier, including risks associated with geographic location or concentration of the Material Supplier or parties the material supplier relies upon in providing the service
- take reasonable steps to assess whether the Material Supplier is systemically important in Australia
- maintain a formal legal binding agreement in respect of all Material Arrangements, which includes the updated list of contractual terms set out in CPS 230
- update approval processes to ensure organisations do not rely on a Material Supplier unless they continuously meet prudential obligations and effectively manage the associated risks.
Management will be required to update monitoring and internal reporting requirements to ensure detailed reporting to senior management on material arrangements. This shift reflects the recognition that the complexity and interdependencies within these arrangements demand a higher level of scrutiny and entails not only tracking the performance and compliance of material suppliers but also assessing the arrangements' resilience and their alignment with the institution's operational resilience objectives. Furthermore, internal reporting procedures will need to be updated to ensure that senior management is provided with a clear picture of how material arrangements are functioning and if they might impact the institution's operational resilience. These enhancements are intended to empower management with the insights needed to make informed decisions and to proactively address any emerging operational risks within material arrangements.
Under CPS 230, monitoring and reporting must include:
- performance under specific service agreements (by reference to agreed service levels),
- the effectiveness of controls to manage risks associated with the Material Supplier, and
- the compliance to the relevant agreement.
Establishing operational leadership sponsorship for CPS 230 implementation and the transition to business as usual will be critical for lasting change. The principles and outcomes of CPS 230 should be embedded into operational strategies, plans and processes, with responsibilities cascading across the organisation through to performance management and incentives structures.
Revised Notification and Reporting Requirements under CPS 230
Notification and reporting requirements under CPS 230 represent a critical aspect of this operational risk management framework. Organisations operating under CPS 230 are mandated to establish robust procedures for timely and comprehensive reporting of operational incidents and disruptions. This includes promptly notifying APRA about any and all disruptions that may impact the institution's business continuity. Moreover, internal reporting requirements necessitate transparent communication channels within the organisation. These requirements aim to foster transparency, accountability, and a proactive approach to managing operational risks. Below details the revised notification events, requirements and timelines as stated by APRA.
| Event/Requirement | Further Details | Timeframe | New or Uplifted Requirement | |
| Notification Event | Certain operational risk incidents | An operational risk incident that an organisation determines to be likely to have a material financial impact or a material impact on the ability of the organisation to maintain its critical operations | As soon as possible and not later than 72 hours after becoming aware | New Requirement |
| Activation of BCP | The notification must cover the nature of the disruption, the action being taken, the likely impact on the organisation’s operations and the timeframe for returning to normal operations | As soon as possible and no later than 24 hours after activation | Uplifted Requirement | |
| Agreement for critical operation | Entering into or materially changing an agreement for the provision of a service on which your organisation relies to undertake a critical operation | As soon as possible and not more than 20 business days after | Uplifted Requirement | |
| Offshoring arrangements | Entering into any offshoring agreement with a Material Supplier, or when there is a significant change proposed to the agreement, including where data or personnel relevant to the service being provided will be located offshore | Prior to entering into the arrangement | Uplifted Requirement | |
| Reporting Requirement | Requirement to submit Material Supplier Register | Organisations are required to submit their register of Material Suppliers to APRA on an annual basis | Annual | New Requirement |
Credit: ISG
Technology will have to play a pivotal role in meeting the evolving demands of operational risk management. One crucial aspect is the consolidation of all necessary documentation related to critical processes into a single repository, streamlining accessibility and organisation. It may be necessary to upgrade the existing technology infrastructure and explore advanced technological solutions, including machine learning, natural language processing, and business process automation. These technologies can be leveraged for automating controls and testing to enhance scalability, while reducing human intervention that can often lead to error. The integration of technology into these facets of operational risk management promises to enhance efficiency, accuracy, and overall resilience.
Summary of Key Changes introduced by CPS 230
The Supplier Management Policy faces a pivotal shift in reporting obligations under CPS 230. In compliance with the regulation, organisations must now provide clear and concise summaries of the key alterations made to their operational risk management practices. These summaries should encapsulate the revisions in procurement processes, the engagement procedures with material suppliers, and enhanced monitoring and reporting processes. By effectively conveying these key changes, organisations demonstrate transparency and adherence to CPS 230 and serves as a vital communication tool to showcase the organisation's proactive approach to managing risks throughout the lifecycle, from supplier due diligence and selection to the ongoing management phase.
The expansion of Designated Material Business Activities, which have notably increased from 2 to 14 activities under CPS 230, is a significant development as well and reflects the growing recognition of the intricate web of dependencies that modern financial institutions rely upon. These activities encompass critical functions vital for operational resilience. Reporting now entails a more meticulous examination of these expanded activities, their interconnections, and the potential risks they pose. Organisations are required to comprehensively assess and report on each of these Designated Material Business Activities, detailing the associated operational risks, resilience measures, and any significant incidents or disruptions that may impact them. By extending the scope of reporting to cover more diverse activities, organisations will have a holistic and nuanced understanding of their operational risks.
Designated Material Business Activities now include the following:
- risk management
- core technology services
- internal audit
- credit assessment
- funding and liquidity management
- mortgage brokerage
- underwriting
- claims management
- insurance brokerage
- reinsurance
- fund administration
- custodial services
- investment management
- arrangements with promoters and financial planners
Inclusion of supply chain and fourth party risks represents a fundamental uplift of operational risk management for organisations as well. They are required to establish robust mechanisms for monitoring and reporting on these risks and conducting comprehensive assessments of suppliers and fourth-party service providers and promptly reporting any significant incidents or disruptions to senior management and regulatory authorities. The reporting process should encompass the identification of critical dependencies on these external entities, the assessment of potential impacts on the institution's operations, and the implementation of appropriate risk mitigation strategies. By maintaining a clear and transparent reporting framework for supply chain and fourth-party risks, APRA regulated entities not only fulfill regulatory obligations but also enhance their ability to proactively address and mitigate potential disruptions.
Evidence of comprehensive end-to-end due diligence process
Evidence should showcase that business continuity and disaster recovery plans have been tailored to address end-to-end critical processes. Regular monitoring and reporting mechanisms should be in place to track and evaluate operational risks. Furthermore, evidence of regular testing and validation of these processes and controls reinforces the commitment to operational resilience. Ultimately, this serves as a robust testament to an institution's dedication to maintaining operational resilience and the ability to swiftly adapt to disruptions in an ever-evolving business landscape. Leveraging automation technologies and AI tools can strengthen an institution's ability to identify, assess, and mitigate operational risks in real-time.
Source:ISG
Evidence of compliance with Deliverables and Obligations (contractual arrangement) as well as Service Levels
Organisations must ensure that suppliers and third-party service providers fulfill their contractual commitments as outlined in the agreements and are required to provide evidence that the services and products promised by these entities are delivered in accordance with the agreed-upon terms. This includes evidence of meeting timelines, quality standards, and any other specifications, defined in the contracts. The aim is to confirm that the contractual obligations are met to minimise disruptions to business critical operations.
Service levels are standards of performance and agreed upon in the SLAs between the organisation and its suppliers or suppliers. Evidence of compliance with service levels entails monitoring and documenting whether the services provided consistently meet or exceed these predefined performance metrics. This includes evidence related to response times, uptime, error rates, and other key performance indicators specified in the SLAs.
Take a proactive approach.
The challenges faced by organisations often stem from a lack of visibility and comprehensive management of their supplier relationships. This deficiency includes a historical lack of visibility in contract terms, making it challenging to track and enforce those agreements effectively. The absence of standardised means to manage suppliers across the board exacerbates issues related to risks, service levels reporting, deliverables and obligations tracking, as well as changes in scope and evaluating the financial viability of suppliers. These problems are compounded by reporting structures that operate in silos across different departments, hindering an organisation's ability to holistically address operational risks and optimise supplier relationships. To mitigate these challenges, organisations are increasingly turning to technology solutions and integrated approaches to supplier management to enhance transparency, streamline processes, and ensure compliance with contractual obligations.
To adhere to the requirements of CPS 230, organisations will need to undertake a significant transformation in their supplier management practices. This transformation involves the comprehensive update of contracts to include all the required clauses stipulated by the regulation. Moreover, organisations should set up end-to-end due diligence processes that encompass not only the initial onboarding of suppliers but also their ongoing management, including capturing any changes in scope. Additionally, robust control mechanisms should be established to identify, assess, monitor, and report on operational risks effectively, including the capacity to gauge the effectiveness of these controls. Organisations need to enhance their ability to report on service levels as outlined in contractual arrangements, ensuring that service quality remains aligned with expectations. To demonstrate compliance with contractual agreements, organisations should implement systems to track and report on the fulfillment of deliverables and obligations, thus ensuring transparency and adherence to CPS 230 guidelines.
But this is no small undertaking. Planning for implementation will take time and impacted entities should be considering gaps to implement CPS 230 now. According to APRA, organisations should have a framework in place by mid-2024. Minimising manual processes within the framework will be a must. Embracing technology to automate workflows will be imperative to meet APRA’s requirements. Considering the use of Artificial Intelligence could be the real game-changer in facilitating adherence to CPS 230 requirements. AI-powered solutions can enhance risk assessment and monitoring to streamline compliance processes. With machine learning models, organisations can analyze vast datasets to identify emerging operational risks and trends in order to stay ahead of possible disruptions. AI can also support the monitoring and reporting of operational risks and business continuity against defined tolerance levels in real-time, saving organisations valuable time.
In conclusion
CPS 230 brings forth a pivotal transformation in how financial institutions manage operational risks and uphold their resilience. The regulatory changes necessitate a holistic approach, embracing advancements in technology, supplier management, and diligent compliance with contractual arrangements. The emphasis on board accountability, broader oversight of material service providers, and active business line management underscores the need for a collective effort within organisations to meet APRA expectations. By embracing digitisation and automation as well as harnessing the power of generative AI, organisations can efficiently meet CPS 230 requirements. Automation of risk assessments, issue management, and controls can assist in streamlining compliance processes. Meanwhile, data analytics and predictive insights will enable proactive risk management. Adopting digital tools and technologies strengthens overall operational resilience, ensuring compliance and earning the confidence of stakeholders and regulatory bodies.
About the author
Hanne McBlain
Ms. McBlain brings over 25 years’ experience in building and managing vendor management relationships to clients of ISG, including establishing vendor governance frameworks, in-depth knowledge of sourcing policies and practices in a government as well as commercial environment, conducting contract and commercial negotiations and assessing and managing risk within a vendor governance framework.
