The prudential standard CPS 230 is a new operational risk management standard that is applicable to APRA-regulated entities in Australia. According to the Australian Prudential Regulation Authority it is a step on from the APRA CPS220 Risk Management standard. It has a strong focus on the role of the board and senior management in operational risk management processes.

To operate in line with the requirements of the standard, organizations must

• Identify, assess, and manage its operational risks, with effective internal controls, monitoring, and remediation.
• Be able to continue to deliver its critical operations within pre-defined tolerance levels through severe disruptions, with a credible business continuity plan (BCP).
• Effectively manage the risks associated with material service providers, third parties, and vendors, with a comprehensive service provider management policy, formal agreements, and robust monitoring.

For those wondering when the prudential standard CPS 230 becomes mandatory, firms have until 1 July 2025 to implement the APRA 230 necessary changes. The CPS230 changes are therefore mandatory for an APRA-regulated entity from 1 July 2025. However, the draft CPS 230 standard (CPG 230) was first released on 17 July 2023 giving firms ample time to implement measures to meet the requirements.

The prudential regulation APRA CPS 230 applies to all APRA-related entities in Australia. It includes many organizations in the financial services industry. According to APRA CPS 230 applies to:

• Authorized deposit-taking institutions (ADIs), including foreign ADIs,
  and non-operating holding companies authorized under the Banking Act (authorized banking NOHCs).
• General insurers, including Category C insurers, non-operating holding companies authorized under the Insurance Act (authorised insurance NOHCs) and parent entities of Level 2 insurance groups.
• Life companies, including friendly societies and eligible foreign life
  insurance companies (EFLICs), and non-operating holding companies registered under the Life Insurance Act (registered life NOHCs).

It is important for financial services firms to comply with APRA CPS 230 because many financial services firms in Australia are APRA-regulated making the new CPS 230 requirements mandatory for many financial services organizations.

There are several processes that organizations need to implement to meet CPS 230 APRA requirements and ensure unified observability. These include:

• Implementing a best-practice risk management program.
• Formalizing an incident reporting process that enables incidents to be logged and resolved quickly to minimize disruptions.
• Have robust business continuity and perform regular business impact assessments and disaster recovery testing to ensure they can recover from disruptions quickly.
• Establish a best-practice third-party risk management program to manage the risk associated with vendors and suppliers, this includes carrying out regular vendor risk assessments, benchmarking, and score-carding, and monitoring vendor performance against SLAs and KPIs.

The key features of CPS 230 software include:

• Automated workflows and notifications
• Online customizable forms
• Searchable registers
• Dashboards and reports
• API integrations with other systems and data sources
• Best-practice compliance templates
• Integrations with third-party risk intelligence providers

The key features of APRA aligned CPS 230 software include:

• Enterprise Risk Management (ERM)
• Controls and control testing and monitoring
• Third-Party risk management
• Business continuity
• Operational resilience
• Regulatory compliance and regulatory change
• Incident management

Organizations should:

• Implement a best-practice ERM program to identify, assess and manage its operational risks, with effective internal controls, monitoring, and remediation.
• Implement credible business continuity plans (BCPs) to continue to deliver critical operations within defined tolerance levels.
• Implement a third-party risk management program to effectively manage the risks associated with service providers including a service provider management policy, formal agreements, and robust monitoring.

Organizations can ensure compliance with CPS 230 operational risk management requirements by implementing a best-practice ERM program using GRC software. This will enable firms to set up an online risk register and assign ownership for risk. Roll out online risk assessment forms using automated workflows to easily monitor risk levels. Set Key Risk Indicators (KRIs) and define a risk appetite and operate within the agreed levels. Set controls to reduce unwanted risk and perform control testing to ensure controls are effective.

A. Firms should set up a best-practice third-party risk management program using CPS 230 compliant GRC software. The solution will enable you to build a comprehensive vendor register capturing key details around vendor contracts, costs, key contacts, SLAs, and KPIs. You can easily monitor supplier performance, perform benchmarking & score carding using integrations with risk intelligence providers, and carry out regular online vendor risk assessments via an online vendor portal that captures all data centrally. The real-time dashboards and reports will build a complete picture of your vendor risk exposure.

According to CPS 230 firms must have a credible business continuity plan and be able to continue to deliver critical operations within agreed tolerance levels through severe disruptions. To demonstrate this, firms should look to implement a Business Continuity software platform that aligns with CPS230 requirements. The platform should enable firms to identify business critical processes and build a business process register. Regular Business Impact Assessments (BIAs) should be carried out to understand the impact of unexpected events and how they will be resolved and in what timeframe. Firms should identify RTOs, RPOs, WRTs and MTDs and put plans in place to achieve these objectives. Tools that offer business process modelling will help to demonstrate requirements by making it easy to understand the impact of unforeseen events in terms of costs, man hours and lost revenue. Process modelling functionality can also be used to support continuous improvement efforts. Look for BCM platforms that trigger BCM plans based incidents logged and send mass notifications to instigate BCM plans and track recovery progress. The solutions should also allow you to perform scenario and vulnerability testing and disaster recovery exercises.

When selecting a CPS 230 compatible software platform to meet the regulatory requirements of CPS 230, leaders must consider:

• Does the platform offer sufficient capabilities to manage CPS 230 APRA requirements? – Look for a platform that offers operational risk management, ERM, business continuity, incident management, third-party risk management and other supporting functionality such as compliance and audit capabilities out-of-the-box.
• Can the risk & compliance platform be implemented in a way that meets the specific requirements of your organization?
• Can the operational risk management capabilities scale with your firm as your needs expand and your GRC program matures – look for solutions that enable you to align risk management with strategic objectives and enterprise performance.
• What data privacy protocols & security features does the CPS 230 tool offer as standard, and does it align with your IT requirements?
• Does the CPS 230 compatible software link to your other internal applications and systems via APIs to pull relevant data into the platform to ensure a single source of truth for risk data and reducing data input errors?

The benefits of using GRC software to manage CPS 230 requirements include:

• A reduction in time spent on risk reporting, data aggregation, and administration tasks.
• Risk and compliance platforms provide a centralized view of risk across the entire enterprise supporting you to improve operational performance.
• Governance, Risk & compliance solutions enable the entire organization to understand CPS 230 requirements and actively participate in complying with the guidelines – completing risk related tasks and logging and resolving incidents as part of their daily role. This creates ample risk data to inform business decision-making and provide proof of CPS 230 compliance.
• Governance, risk & compliance solutions generate better visibility of an organizations operational risk profile and many offer enterprise risk management, cyber risk management, project risk management, and supply chain & third-party risk management in the same platform.
• CPS 230 enabled GRC platforms reduce the costs associated with risk monitoring and operational risk reporting.
• CPS 230 compatible software platforms improve an organizations risk management approach, by facilitating crucial links between risk management, strategic objectives, vendor risk, incidents, and enterprise performance.
• GRC solutions support firms to carry out adequate due diligence to provide proof of CPS 230 compliance to regulators.

• Poor quality risk data due to a lack of data governance & data entry errors.
• Capturing risk and incident data across various forms and spreadsheets creates data input problems like copy & paste errors, over written data, and incomplete fields.
• Disparate risk and incident data held in dispersed, unintegrated spreadsheets creates poor quality data, and an inconsistent risk framework that results in distorted reporting outputs – causing problems with CPS 230 compliance.
• Relying on manual processes that lack automation slows down risk escalation and remediation, allowing risk to escalate to intolerable levels, leaving companies struggling to meet CPS 230 guidelines.
• Manual ad hoc processes affect compliance with CPS 230 – making it hard for firms to prove they are meeting requirements due to a lack of documented evidence.
• Disjointed processes and siloed data make it difficult to link risks to the relevant controls and incidents, causing gaps in CPS 230 compliance.
• Firms are unable to compare risk & incident data across different sites due to inconsistent risk frameworks and siloed data. This makes it hard to make risk-based decisions and provide proof of CPS 230 compliance across departments and sites.