CPS 230 - Operational Risk Governance
Introduction
The new prudential standard CPS 230 Operational Risk Management for APRA-regulated entities commences in July 2025 (see our overview here).
In our last article on CPS 230 we looked at the requirements in relation to material service providers.
In this article we will turn to governance of operational risk.
Governance and management of operational risk – two different concepts
CPS 230 refers to both governance and management of operational risk. The two concepts are closely related, but involve different aspects of dealing with risks within an organisation.
CPS 230 does not explain the differences between governance and management, but our understanding of the differences is set out below.
Governance of operational risk: Governance of operational risk refers to the overall framework, structures, processes, and practices that guide and control an organisation's activities. In the context of operational risk, governance focuses on establishing the principles, policies, and oversight mechanisms to ensure that operational risks are identified, assessed, and mitigated effectively. It encompasses the high-level strategic decisions and policies made by the Board and senior management, and involves setting the tone for risk management, defining risk appetite, and ensuring that there is a culture of risk awareness and compliance throughout the organisation. The responsibility for governance lies with the top-level management and the Board. They are accountable for defining the risk management framework, allocating resources, and establishing communication channels to monitor and address operational risks at a strategic level.
Operational risk management: Management of operational risk involves the day-to-day activities and processes undertaken by the organisation to identify, assess, control, and monitor operational risks. It is the practical application of the principles and policies set by governance to manage risks at an operational level. Management of operational risk deals with the specific actions and measures taken by various business units and departments to handle and mitigate risks associated with their daily operations. It includes processes for risk assessment, incident response, business continuity planning, and continuous improvement of risk management practices. In its draft guidance on CPS 230, APRA says that best practice is for business line management to be responsible for embedding operational risk management practices, and be the owners of the risk within the entity.
In summary, governance of operational risk focuses on establishing the overarching framework and strategic direction for risk management, while the management of operational risk involves the practical application of these principles at the operational level to ensure that risks are effectively identified, assessed, and mitigated in day-to-day activities.
Key requirements for Boards
CPS 230 says that, as part of its required risk management framework, an APRA-regulated entity must develop and maintain governance arrangements for the oversight of operational risk. The Board of the entity is ultimately accountable for oversight of operational risk management, including business continuity and the management of service provider arrangements.
To effectively oversee the operational risk profile of an entity, APRA expects that a Board would:
clearly and concisely check and question the regular updates it receives on operational risks, such as by using indicators, limits and tolerance levels to identify and fix risky or unacceptable areas;
review and challenge the main internal controls that impact the operational risk profile;
look into any major weaknesses and follow up on the progress of important improvement programs;
be alert to new activities that may involve material operational risks, such as crypto assets; and
get reliable assurance from internal audit on operational risk, with enough audit coverage, and proper skills and capabilities.
CPS 230 allocates 4 specific tasks to the Board in relation to operational risk.
Senior managers: Ensure that the APRA-regulated entity sets clear roles and responsibilities for senior managers for operational risk management.
Oversight: Oversee operational risk management and the effectiveness of key internal controls in maintaining the entity’s operational risk profile within risk appetite. The Board must be provided with regular updates on the APRA-regulated entity’s operational risk profile and ensure senior management takes action as required to address any areas of concern.
Business continuity plan (“BCP”): Approve the BCP and tolerance levels for disruptions to critical operations, review the results of testing and oversee the execution of any findings.
Material service providers: Approve the service provider management policy, and review risk and performance reporting on material service providers.
This builds on the existing requirements of APRA-regulated entities under the existing prudential standards for risk management (CPS 220 and SPS 220). Under these standards, APRA-regulated institutions must maintain a Board-approved risk management strategy (RMS). Among other things, the RMS must describe the risk governance relationship between the Board of the APRA-regulated institution, Board committees of the APRA-regulated institution and senior management of the institution with respect to the risk management framework.
Key requirements for senior management
CPS 230 also sets out responsibilities of senior management in relation to the governance of operational risk.
Senior management must provide clear and comprehensive information to the Board on the expected impacts on the entity’s critical operations when the Board is making decisions that could affect the resilience of critical operations. APRA has found that Boards are not being provided consistently with important information on operational risk when making strategic decisions. It expects that information provided to Boards should be targeted, relevant and sufficient for directors to clearly understand the potential impact of their decisions on the operational resilience of an entity's critical operations - decisions such as new products, new core technology, and material outsourcing.
In its draft guidance, APRA says that senior management would typically define the roles and responsibilities for operational risk management that the Board must ensure are in place.
On risk tolerance levels, APRA's view is that while the Board would approve overall tolerance levels across the entity, senior management would be able to set more granular tolerance levels consistent with Board approved levels.
Action steps to prepare for CPS 230 risk governance
Here are some possible actions that an APRA-regulated entity could take to get ready for the risk governance expectations under CPS 230.
Governance arrangements: Assess how operational risk management is currently governed and make any necessary changes to have clear structures, processes, and practices that comply with CPS 230. Make sure that governance arrangements are part of the overall risk management framework and match the risk appetite set by the Board.
Risk Management Strategy (“RMS”): Review and update the existing RMS to specifically address operational risk in accordance with CPS 230. Clearly define the operational risk governance relationship between the Board, board committees, and senior management within the updated RMS.
Board's oversight responsibilities: Ensure that the Board is fulfilling its allocated tasks, such as setting roles for senior managers, overseeing operational risk management, and approving BCPs and the service provider management policy. Establish reporting mechanisms to provide regular updates to the Board on the operational risk profile, internal controls, and actions taken to address concerns.
Board involvement: Ensure clear lines of communication among the Board, senior management, and related committees to enable effective supervision. Conduct training sessions for Board members to improve their knowledge of operational risk management and their responsibility in monitoring it.
Senior management: Implement processes to ensure senior management is providing timely and comprehensive information to the Board regarding operational risks. Foster collaboration between senior management and the Board.
BCP: Collaborate with relevant stakeholders to review and update the BCP and Board-approved tolerance levels for disruptions to critical operations. Ensure that the BCP aligns with CPS 230 requirements and the Board's approved tolerance levels.
Material service providers: Develop and implement a service provider management policy for Board approval and embed regular Board reviews of risk and performance reporting related to material service providers. See our article here.
Need help with CPS 230?
We advise many APRA-regulated entities on governance and regulatory compliance. Please get in touch with us if you need help with CPS 230 implementation.
Kathleen Harris and Patrick Dwyer
Legal Directors