CPS 230 – The Risk Management Provisions

Introduction

This is the fifth article in our series on APRA Prudential Standard CPS 230 Operational Risk Management, which commences in July 2025.

In previous articles we have covered:

In this article we will look at the provisions of CPS 230 dealing specifically with risk management.

At the heart of CPS 230

As the name of the prudential standard suggests, risk management is at the heart of CPS 230.

The provisions on business continuity and material service providers in CPS 230 can be thought of as subcategories within overall operational risk management, while the governance provisions in CPS 230 are more to do with the operational risk management framework rather than how it is practically put into effect.

Operational risk management involves the everyday tasks and procedures that the organisation does to recognise, evaluate, limit, and track operational risks. It is how the organisation implements the principles and policies established by governance to manage risks at an operational level, covering the specific actions and steps taken by different business units and departments to deal with and reduce risks related to their daily operations.

How CPS 230 and CPS 220 will work together

APRA Prudential Standard CPS 220 Risk Management will continue to apply after CPS 230 commences.

CPS 220 is concerned with risk management generally, while CPS 230 deals only with operational risk.

CPS 230, then, will be a specific operational risk overlay to the general risk management foundations set by CPS 220.

Key requirements

CPS 230 sets out key requirements for the management of operational risk by an APRA-regulated entity. These include:

  • A general risk management obligation.

  • Risk profile assessment.

  • Maintaining capability.

  • Maintaining risk controls.

  • Assessment of decisions.

  • Assessment before providing material services.

  • Scenario analysis.

  • Checking risk controls.

  • Dealing with risk incidents.

  • Reporting to senior management.

  • Remediation.

  • APRA notification.

Each of these requirements is explained below.

Management obligation

CPS 230 has a baseline obligation of an APRA-regulated entity to manage operational risk.

The standard lists some different types of operational risk that must be managed. Although it is not an exhaustive list, it gives an idea of the types of risks which are top of mind for APRA. They are legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk, and change management risk.

In its draft guidance on CPS 230, APRA says that it expects entities to ensure that all specific operational risks that are most relevant to its particular business mix are captured. This may involve business process mapping, including functions performed by service providers.

CPS 230 squarely places responsibility for operational risk management on the senior management of the entity: operational risk controls may be distributed throughout the organisation, but responsibility rests with senior management. Ideally this is embedded within the various business lines. The Board is accountable for oversight of operational risk.

The approach taken in CPS 230 to operational risk management is principles based, with a focus on outcomes.

Risk profile assessment

A comprehensive assessment of its operational risk profile must be maintained by an APRA-regulated entity. This includes appropriate and effective information systems to monitor operational risk, compile and analyse operational risk data, and facilitate reporting to the Board and senior management. It also includes identifying and documenting the processes and resources required for the delivery of critical operations. Resources include people, technology, information, facilities and service providers, as well as their interdependencies and associated risks, obligations, key data, and controls.

APRA’s draft guidance says that entities would frequently reassess their operational risk profile to reflect changes in strategy, risk profile or business mix.

APRA sees self-assessments as informing the overall comprehensive assessment of an entity’s operational risk profile (which suggests that third party assessments might also factor into developing the risk profile).

In its draft guidance on CPS 230, APRA outlines the typical stages of a self-assessment, including context, risk identification, controls identification, risk appetite and actions. APRA advises that better practice for self-assessments is to:

  • make sure to implement self-assessments across your entire organisation, covering all business activities, products, and services;

  • identify the connections between all components of the framework, such as risks, obligations, key data, and controls;

  • assign risks and controls to owners who have the appropriate level of seniority to manage them;

  • keep clear records of your assessments and provide evidence to support them, including information about actual events;

  • establish clear protocols for escalating risks that require the attention of the Board and senior management, including formal acceptance of higher-rated risks and actions that exceed your risk appetite; and

  • aggregate your data to support oversight by senior management and the Board.

APRA says that to manage operational risk effectively, an entity needs to have a deep knowledge of its business processes. By clearly defining the processes involved in each critical operation from start to finish, an entity can recognise risks, obligations, key data and controls. Some better practices for identifying and documenting end-to-end processes and resources are:

  • using a structured approach to create maps of the end-to-end processes for each critical operation, covering the people, technology, information, facilities and service providers required for the operation; 

  • using these maps to identify risks, obligations, key data and controls, as well as interdependencies; 

  • assigning owners and establishing clear lines of responsibility for risks, obligations, key data and controls, as well as for issues or incidents that occur; 

  • checking maps for completeness and accuracy and updating them when there are changes in the business or risks; and 

  • identifying and documenting end-to-end processes for operations that are not critical but still pose a significant operational risk to an entity, such as distribution channels.

Maintaining capability

Under CPS 230, an APRA-regulated entity is required to maintain appropriate and sound information capability and information technology capability to meet current and projected business requirements and to support critical operations and risk management. Specifically, CPS 230 requires that in managing its technology risk, an APRA-regulated entity must monitor the age and health of its information assets and meet the information security requirements in CPS 234. 

Maintaining risk controls

To mitigate operational risks in line with its risk appetite, and to meet its compliance obligations, an APRA-regulated entity must design, implement, and embed internal controls.  

Assessment of decisions

As part of its business and strategic planning processes, an APRA-regulated entity must assess the impact of business and strategic decisions on its operational risk profile and operational resilience. CPS 230 specifically requires an assessment of the impact of new products, services, geography and technologies on the operational risk profile. These may require changes to controls and risk management processes. Risk assessments could be included as part of the business case.

In its draft guidance, APRA singles out crypto-assets because of heightened risks around fraud, cyber, conduct, financial crime and technology. APRA suggests that any service providers relied on for such activities should be classified as material.

Assessment before providing material services

Before it provides a material service to another party, an APRA-regulated entity must conduct a comprehensive risk assessment. The purpose of the assessment is to ensure that the entity can meet its potential obligations after entering into the arrangement. If APRA considers that there are heightened potential risks, it can require the entity to review and strengthen internal controls or processes.

A risk assessment is required even where the party receiving the services is within the same group or is not regulated by APRA. For example, ADIs need to assess risks such as money laundering, cyber-attacks or data breaches when they let third parties use their banking platform (Banking as a Service, or BaaS). Insurers need to assess risks when they handle claims for a third party. The main consideration is whether the service poses material operational risks or affects prudential obligations.

Scenario analysis

An APRA-regulated entity must undertake scenario analysis to identify and assess the potential impact of severe operational risk events, test its operational resilience, and identify the need for new or amended controls and other mitigation strategies. The scenarios should provide sufficient coverage and an adequate understanding of financial and operational resilience impacts from severe but plausible operational risk events.

Scenario analysis should also be used to assess how well an entity's risk profile covers the risks it faces, along with the current state of the control environment and mitigation strategies. APRA expects that prudent entities would make sure the scenarios they use are stressful enough to challenge the adequacy of the risk and control environment. If problems are found, the entity would be expected to take suitable corrective action. A good practice would be for an entity to follow a documented procedure when doing its scenario analysis and to update its scenarios at least once a year.

APRA says that larger entities would generally do separate scenario analysis exercises, with individual reports, while smaller entities would typically examine operational risk scenarios as part of their strategic and business planning process.

Checking risk controls

Risk controls must be regularly monitored, reviewed and tested for design and operating effectiveness. How often this occurs will depend on the materiality of the risk.

To evaluate the performance of controls, APRA’s draft guidance says that better practice is to:

  • use criteria to ensure uniformity of evaluations across the entity;

  • cover all controls, including those owned by the risk owner or by other owners, such as related parties and service providers;

  • ensure the sufficiency of coverage of controls, including controls that prevent, detect and respond to risks;

  • find a suitable balance between automated and manual controls;

  • consider problems and incidents linked to controls, which can signal weakness or gaps in the control environment;

  • document the reasoning for the control performance evaluation; and

  • consider any recent changes in the environment or business strategies that could affect control performance.

The responsibility for ensuring that controls are regularly tested and monitored would typically rest with the control owners. The testing itself should be performed by staff and teams that are independent of those with operational responsibility for the controls being validated.

APRA thinks that controls testing should be monitored to ensure completion. Exceptions should be identified, escalated and resolved. A testing program would typically set out the objectives, scope, approach, success criteria, frequency, and roles and responsibilities for testing controls. Any control gaps, weaknesses and failures would be identified as issues and managed accordingly, and reflected in the entity’s operational risk profile.

Dealing with risk incidents

An APRA-regulated entity must identify, escalate, record and address operational risk incidents and near misses in a timely manner. Incidents and near misses must be taken into account in the assessment of the operational risk profile and control effectiveness in a timely manner.

APRA expects that an entity would not delay or prolong the resolution of operational risk incidents without valid reasons. Incidents and near misses would be logged in the entity’s system for operational risk information and linked to controls to ensure the risk profile accurately captures any control deficiencies or gaps.  An entity would typically have mechanisms for handling all relevant phases of an incident. These typically include the following steps:

  • Detection: Identification of an incident using automated sensors and manual review. 

  • Escalation: Notification to ensure that decision-makers are aware of the incident and to activate response processes. 

  • Containment: Isolation to minimise harm. 

  • Response: Response and remediation. 

  • Review: Post-incident examination and review to improve procedures for handling incidents, and support attribution and restitution (where relevant). 

Reporting to senior management

The results of controls testing must be reported to senior management and gaps or deficiencies in the control environment must be rectified promptly. 

Remediation

An APRA-regulated entity must remediate material weaknesses in its operational risk management, including control gaps, weaknesses, and failures. APRA requires that the remediation is supported by clear accountabilities and assurance, and that it addresses the root causes of weaknesses in a timely manner. Identified control gaps, weaknesses, and failures must be included in the operational risk profile of an entity until the matters are remediated.

To address weaknesses in the controls, APRA says that management should consider:

  • interim measures and oversight to ensure risks are properly managed until a long-term solution is in place; and

  • changes to processes, people, and systems to enhance the management of, and reduce the exposure to, operational risk on an ongoing basis.

Management actions to remediate control issues and gaps could include:

  • well-documented details of actions, including implementation status and responsibilities for fixing;

  • target dates for completion and tracking of any changes;

  • costs and approved budgets;

  • relevant indicators for monitoring legal and regulatory compliance; and

  • linking control design and operating effectiveness, and how well risk is being mitigated, back to the risk profile of the entity.

APRA says that a key part of effective issue and control remediation is to do a root cause analysis. A root cause analysis can lower the chance of the incident happening again and help to find any common underlying problems in different products and business areas, the control framework and risk culture. Root cause analysis should be based on a clearly defined, documented and tested method that considers the role and interaction of the main elements of people, processes and systems in the entity’s business operations.

APRA notification

APRA must be notified as soon as possible, and not later than 72 hours, after an APRA-regulated entity becomes aware of an operational risk incident which it determines is likely to have a material financial impact, or a material impact on the ability of the entity to maintain critical operations. 

Action steps to prepare for CPS 230 risk management

To prepare for the risk management requirements of CPS 230, some action steps that an APRA-regulated entity may wish to take include:

  • Review all operational risks. Map business processes from end to end.

  • Develop and document an operational risk profile for the whole business, conducting a self-assessment.

  • Review information systems to ensure that they have capability to provide data and reporting of operational risks.

  • Identify and document resources for critical operations.

  • Define risk controls for all identified operational risks.

  • Ensure that risk controls have processes for monitoring, review and testing.

  • Amend decision making processes to include the impact on operational risk profile as a relevant consideration.

  • Introduce a policy and procedure for a risk assessment before providing a material service to another party.

  • Create and test scenarios for scenario analyses of operational risk.

  • Ensure that procedures are in place for identifying, escalating, recording and addressing risk incidents and near misses.

  • Embed reporting procedures for reporting of risk controls testing.

  • Develop protocols for remediation of material weaknesses in operational risk management, including root cause analysis.

  • Ensure that procedures include reporting to APRA of material operational risk incidents.

Need help with CPS 230?

We advise many APRA-regulated entities on regulatory compliance. Please get in touch with us if you need help with CPS 230 implementation.

Kathleen Harris and Patrick Dwyer
Legal Directors
