APRA has released draft Prudential Standard CPS 230 Operational Risk Management for comment. The comment period is open until 12 October 2022, with the standard due to be effective from 1 January 2024.
CPS 230 will replace CPS 231: Outsourcing and CPS 232: Business Continuity, and the sector-specific standards HPS 231, SPS 231 and SPS 232.
In consolidating requirements relating to operational risk management, business continuity planning and third-party service providers, CPS 230 establishes APRA’s expectations regarding operational resilience – defined as: “the ability to effectively manage and control operational risk and maintain critical operations through disruption.”
Key points of focus include:
- A requirement to strengthen operational risk management – this will require entities to prioritise process and control mapping, profiling of operational risks and control assurance programs.
- Expanding BCP obligations from a focus on physical resources to digital assets and third parties.
- Acknowledgement that third-party service providers are an integral and established component of business models and service delivery.
- Focusing the Board on the importance of operational resilience by requiring it to set tolerance levels for disruptions to critical operations. Although similar in concept, this differs from risk appetite in that the risks have crystallised.
- Setting out the actions that APRA may take should it consider that an entity’s operational risk management is deficient. We have already seen APRA impose requirements to undertake an independent review and develop a remediation program with quite prescriptive requirements.
Over the course of the implementation period, Grant Thornton will provide guidance and analysis to assist our clients with their implementation of CPS 230.