CPS230 Check in: How does your progress stack up?

CPS230 and CPG230

With the release of APRA’s Practice Guide CPG230 – Operational Risk Management, the CPS230 regulatory framework has now been finalised, making it an opportune time to take stock of where you are in your CPS230 journey. The implementation of CPS230 is a marathon, not a sprint, and it is vital to check in to ensure that your organisation is on track, given it will be difficult to catch up closer to it coming into force during 2025.

Here we share three check-in points for your CPS230 journey. First, our thoughts on CPG230 and the accompanying letter from APRA. Second, our views on the progress entities of different sizes should have made by now. And third, looking to the future, we pose questions for Board Risk Committees to consider in the lead-up to CPS230 coming into effect.

Guidance is now final

APRA has released the final version of CPG230, which provides practical guidance on the requirements in CPS230. APRA has adopted a new layout for this Practice Guide in an attempt to improve readability. This includes inserting the requirements from the standard, which makes cross-referencing easy.

Notably, APRA has refrained from outlining what it considers ‘better practice’, a break with previous CPGs. Some have welcomed this development as they feel it provides a clearer set of expectations. However, this view is not universal, as some clients liked the better-practice guidance and felt it was useful.

Nevertheless, APRA typically seeks to provide principles rather than prescription. Removing the detailed examples means there is less clarity but also less prescription, and we would encourage clients to consider the spirit and intent of the requirements, using insights from their industry peers and from advisors such as PFS to answer the question – “are we doing enough for the size, scale and complexity of our business?”

The release of CPG230 was accompanied by a letter responding to submissions on the draft version of CPG230. This letter is essential reading as part of your CPS230 journey. It covers a range of important points on how APRA will enforce CPS230 as well as some practical guidance. The letter includes:

  • Giving non-SFIs a 12-month extension on requirements relating to business continuity and scenario analysis. Non-SFIs can choose to transition to CPS 230 in full by 1 July 2025. However, entities that choose to take advantage of this extra time must comply with existing prudential standards CPS 232 Business Continuity Management and SPS 232 Business Continuity Management until they are fully compliant with CPS230.

PFS Insight: non-SFIs may find the extra time welcome; however, we recommend selecting a date by which you make a formal go/no-go decision about whether you will take advantage of the additional time and, if so, the expected compliance date.

  • Advice for transition, including timelines and day-one compliance checklists that include what is required to be submitted to APRA and whether certain requirements are new or build on CPS231 and CPS232.

PFS Insight: We recommend you compare your project plans against APRA’s expectations to ensure you are set up for success.

  • APRA’s supervision programme for the first three years of CPS 230.

PFS Insight: The three-year settling-in period is much longer than we have seen for other new Prudential Standards. This reflects its pervasive requirements and APRA’s expectation that it will require significant effort to implement.

  • A selection of submission comments APRA received during feedback on the draft of CPG230 and APRA’s responses to them. These read almost like an FAQ and are a useful inclusion.

Final version of CPG230:

https://www.apra.gov.au/news-and-publications/apra-finalises-cross-industry-guidance-on-operational-resilience

Response to submissions paper:

https://www.apra.gov.au/response-to-submissions-cpg-230-operational-risk-management

Where are you up to?

Progress to date

Most entities will by now have taken some steps towards meeting CPS230. Some entities will have made significant progress on their CPS230 journey, but where should you be by now? Below we share our thoughts, requirement by requirement:

CPS230 Requirements

Incorporation of operational risk into RMF including profile, assessment, identification of controls and incident management processes.

Activities

  • Established governance arrangements for operational risk
  • Assessment of operational risk
  • Update to control library and associated testing/validation
  • Updates to incident management procedures

IT Capability

Activities

  • Assess age and health of IT assets
  • Assess appropriateness of IT capability to meet current and projected business requirements

Roles and responsibilities

Activities

  • Identified key roles relevant to operational risk and its management
  • Update role descriptions
  • Recruitment for any new positions

Critical operations + register

Activities

  • Identification of critical operations through working groups, workshops and other means
  • Design and populate register

Setting tolerance levels for COs

Activities

  • Identify and quantify metrics for COs
  • Select, test and calibrate tolerance levels

Processes and resources for delivery of critical operations

Activities

  • Document and review processes, update and change as needed
  • Identify key roles, update role descriptions, recruit as needed

Service Provider Management Policy

Activities

  • Over and above the normal policy development process (workshops, drafting, review, etc.), other worthwhile actions include testing and independent reviews even before CPS230 comes into effect

Resources available to oversee 3rd parties

Activities

  • Comprehensive analysis of existing resources (including skills and capacity) and identification of any gaps
  • Where gaps require additional resources, taking action early to fill them, as demand for relevant skills could increase

Register for MSPs

Activities

  • Design of register which can assist with business needs now and into the future
  • Workshops to populate the register and development of processes to ensure it is maintained

Service provider agreements

Activities

  • Use the Policy to devise and draft template wording where needed
  • Ensure proper communication with service providers regarding any changes is undertaken well in advance

Vendors who aren’t MSPs

Activities

  • Ensure agreements are fit for purpose
  • Review oversight and reporting arrangements

4th parties

Activities

  • Engage with 3rd parties to provide information on their providers (4th parties)
  • Analyse 4th party providers and their impacts on COs

Key geographies

Activities

  • Thorough and broad analysis of risks arising from all key geographies

Enhanced BCP/DRP testing, including joint exercises with service providers, resilience planning, and robustness of scenarios

Activities

  • Allocation of resources and budget to testing program
  • Detailed testing plan, communicated to internal stakeholders and service providers

Top 10 questions to consider

As you continue on your CPS230 journey, here are 10 questions that Board Risk Committees can ask themselves:

  1. How would you rate the resilience of your organisation to operational shocks?
  2. Are you comfortable with the process undertaken to assess your operational risk profile? Did it uncover any previously unidentified operational risks or issues?
  3. Do you have a clear understanding of who is responsible for each aspect of operational risk management, including BCP and service providers?
  4. Are you comfortable with the level of resources in place to comply and maintain compliance with CPS230, especially in relation to material service providers?
  5. Are you confident that all critical operations have been identified appropriately?
  6. Whether or not you were affected by the CrowdStrike event, what are the learnings for resilience in your business?
  7. What additional reporting on operational risk will you receive when CPS230 comes into effect?
  8. Do you understand the IT capability needs of your organisation both now and into the future? Do you understand the criticality of these systems for the operation of your business?
  9. How confident are you that you understand which geographies your business is exposed to, and the significance to your business?
  10. Is the management of operational risk helping to achieve strategic objectives?
