APRA Explains the importance of managing operational risk

Access to financial services is essential for all Australian households and businesses. We rely on banking to pay, or accept payment, for goods and services. Insurance helps us rebuild after a flood or fire and pay for vital medical treatments. And superannuation supports us to maintain a dignified lifestyle in retirement. 

But sometimes, despite best efforts, these services are threatened or disrupted; for example, by a power outage, an internet outage or a cyber incident. The ability of a company to deal with the risks that arise from operating its business, including those that may compromise its ability to provide services to the customers who depend on it, is known as operational risk management.

Disruptions to these services not only have a detrimental impact on the households and businesses that rely on them. A catastrophic operational risk incident, if not well managed, could lead to significant financial losses for the institution involved and undermine financial stability. As a result, APRA takes operational risk management seriously among the banks, insurers and superannuation trustees it supervises.

The issue has taken on greater importance over recent years as the financial system has become more interconnected, more dependent on digital technologies and more reliant on service providers. Many technological innovations in finance rely on the successful integration of multiple technologies provided by a range of financial system players: the banks, insurers and super funds themselves, the cloud, payments providers, telcos and big tech companies. A failure at any point in the chain has the potential to compromise services to the entire system. 

Add in the worsening scourge of scams, the advancement of artificial intelligence and the declining use of physical cash, and the operational environment is becoming more complex for APRA-regulated entities to manage.  

Responding to this heightened risk environment, APRA released in 2023 a new prudential standard outlining formal requirements that banks, insurers and superannuation trustees must meet around operational risk management. The new cross-industry prudential standard (CPS) 230 Operational Risk Management came into force from 1 July 2025.
Under CPS 230, banks, insurers and superannuation trustees must:

  • identify important business services and determine the extent to which these services can continue during severe disruptions;
  • test their business continuity planning to identify vulnerabilities so they are prepared to overcome severe disruptions; and
  • enhance third-party risk management by ensuring risks from material service providers are identified and appropriately managed.  

That third point is especially important in an ever more interconnected world where the ability of banks, insurers and superannuation trustees to deliver their essential services often hinges on other service providers such as core technology services (website management, cloud storage, cyber security), claims management, fund administration, investment management and many others. 

Under CPS 230, a bank, insurer or super fund may not be directly responsible for its website going offline when a network gateway fails, but it will be responsible for the outcome – which is the inability of customers to transfer funds, lodge claims or access other services. In such instances, APRA expects entities to have contingency plans in place to limit the disruption and restore full service as quickly as possible.

In an environment where one crashed server or ransomware attack could leave millions of Australians without access to essential financial services, effective operational risk management is vital for financial stability and community wellbeing.