APRA finalises operational risk prudential standard

BY ANDREW MCKEAN  |  TUESDAY, 18 JUL 2023   12:37PM

APRA has finalised Prudential Standard CPS 230 Operational Risk Management, which aims to enhance the ability of banks, insurers, and superannuation trustees to manage operational risks and respond to business disruptions.

According to QMV Legal, the key changes in CPS 230 from the previous draft include a commencement date of 1 July 2025, a transitional deadline of 1 July 2026 for existing contractual arrangements, and increased flexibility for entities to justify their operational and service provider risk management strategies.

QMV Legal further highlighted that under the new standard, the service provider policy no longer needs to include the register of material service providers. Additionally, the requirement for entities to take reasonable steps to assess whether a provider is systemically important in Australia before entering into or modifying a material arrangement has been removed.

The regulator said CPS 230 serves as a foundation for APRA-regulated entities to bolster operational risk management through new requirements that address identified weaknesses in existing controls. It also aims to improve business continuity planning, positioning entities to respond effectively to severe disruptions. Moreover, it enhances third-party risk management by ensuring risks from material service providers are appropriately managed.

APRA chair John Lonsdale said the finalisation of CPS 230 will strengthen the management of operational risk across APRA's regulated population.

"Disruptions to financial services can cause a major detrimental impact to the people who rely on them to pay bills, recover from financial loss or support themselves in retirement," he said.

"The need for APRA's new standard has been demonstrated by a number of recent operational risk control failures and disruptions, including material cyber breaches."

In May, NGS Super suffered a cyber-attack. Last year, Spirit Super also experienced a data incident that resulted in around 50,000 member records becoming compromised.

"This new standard will ensure that regulated entities set and test controls and maintain robust business continuity plans to respond if disruptions do occur," Lonsdale said.

"We expect regulated entities to be proactive in preparing for implementation, rather than waiting until the last minute to get ready to meet the new requirements. There will be a transition phase for existing contractual arrangements with material service providers for entities that need some flexibility."

