APRA releases final prudential standard for Operational Risk Management
The Australian Prudential Regulation Authority (APRA) has finalised the new prudential standard CPS 230 (Operational Risk Management) (Standard), designed to strengthen regulated entities’ operational risk management and ensure they can maintain critical operations through disruptions.
The Standard commences on 1 July 2025 and will replace existing standards CPS 231 (Outsourcing) and CPS 232 (Business Continuity Management). To supplement the Standard, APRA has also released a draft prudential practice guide CPG 230 (Guide) outlining the best practice approach to complying with the Standard – the Guide is open for consultation until 13 October 2023.
Key changes from draft to final
While the Standard is not dissimilar to its draft form (Draft Standard), which we discussed in a previous article, there have been a number of key changes, which we consider below.
Responding to industry consultation on the proposed start date of 1 July 2024 in the Draft Standard, the Standard will commence on 1 July 2025. Regulated entities will also need to ensure that their arrangements with service providers comply with the Standard, and have until the earlier of 1 July 2026, or the next renewal date of the relevant arrangement, to update their arrangements.
Obligation to classify ‘critical operations’
The Standard requires that regulated entities classify certain prescribed business operations as ‘critical operations’ (some of which will not apply to some regulated entities, depending on whether they are an ADI, insurer, RSE licensee, etc), unless they can justify that one or more of those operations is not critical – this requirement was not part of the Draft Standard.
Under the Draft Standard, regulated entities were required to notify APRA within 24 hours of an activation of their business continuity plan. However, the Standard instead requires that such notification be given within 24 hours of the regulated entity suffering a disruption to a critical operation outside of pre-determined tolerance levels.
Management of service provider arrangements
A regulated entity’s service provider management policy no longer needs to include a register of its material service providers (though the relevant entity will still be required to maintain the register itself), but is now required to include in that policy its approach to managing the risks associated with any fourth parties that material service providers rely on to deliver a critical operation.
The Standard also introduces:
- a concept of a ‘material arrangement’, being one which a regulated entity relies on to undertake a critical operation, or that exposes it to material operational risk. APRA also has the power to direct a regulated entity to classify an arrangement as material; and
- a requirement that regulated entities classify certain prescribed service providers as material service providers, unless they can justify otherwise (this requirement was not part of the Draft Standard), adding risk management, core technology services and internal audit service providers to that list.
Service provider agreements
The Standard removes the requirement (from the Draft Standard) that a regulated entity must assess whether a material service provider is systemically important in Australia before it enters into or modifies a material arrangement.
The Standard also requires that the agreement underlying any material arrangement contains obligations on the service provider to notify the regulated entity where it uses other material service providers (through sub-contracting or other arrangements), but unlike the Draft Standard, this is confined to those material service providers that the counterparty ‘materially relies upon in providing the service’ to the relevant entity.
While the broader notification requirements of the Draft Standard have not changed under the Standard, regulated entities are only required to notify APRA prior to entering into a material offshoring arrangement, as opposed to any agreement with a material service provider.
How can DLA Piper help?
DLA Piper is well-placed to assist you in navigating the raft of requirements introduced by the Standard. We frequently work with APRA-regulated clients and have an intricate understanding of what is required to achieve compliance with APRA standards and regulations. We can assist in the review and uplift of contracts, the provision of advice in relation to the classification of material service providers, and the development of internal policies, procedures, frameworks and training initiatives.