Operational risk management
This page sets out details of APRA’s proposals in relation to Operational Risk Management for all APRA-regulated entities, it includes a discussion paper and proposed new prudential standard.
On 17 July, APRA released the final new cross-industry Prudential Standard CPS 230 Operational Risk Management (CPS 230).
The new standard is designed to strengthen the management of operational risk, respond to business disruptions and manage the risks from the use of service providers for all APRA-regulated entities.
APRA has also released for consultation a draft of Prudential Practice Guide CPG 230 Operational Risk Management (CPG 230) to accompany the new standard. APRA will consult on this draft until 13 October 2023.
A response to consultation on CPS 230, the clean and marked up versions of CPS 230, the draft CPG 230 and non-confidential submissions are available below:
Media release: APRA finalises new prudential standard on operational risk.
Prudential practice guide
On 13 April, APRA released an updated timeline for the implementation of new cross-industry Prudential Standard CPS 230 Operational Risk Management (CPS 230).
APRA received a range of feedback from regulated entities and other stakeholders during consultation, including a request for more time for preparation before the requirements come into effect. Accordingly, APRA intends to:
- move the effective date for the new standard to 1 July 2025; and
- provide transitional arrangements for pre-existing contractual arrangements with service providers, with the requirements in the standard applying from the earlier of the next contract renewal date or 1 July 2026.
APRA plans to release a final version of the standard, together with draft supporting guidance, in mid-2023.
On 28 July, APRA released for consultation a new prudential standard designed to strengthen the management of operational risk in the banking, insurance and superannuation industries.
APRA proposes to introduce a new cross-industry Prudential Standard CPS 230 Operational Risk Management (CPS 230) which will set out minimum standards for managing operational risk, including updated requirements for business continuity and service provider management.
Written submissions are requested by 21 October 2022.
The discussion paper and draft CPS 230 are available below:
Note on submissions
It is APRA's policy to publish all submissions on the APRA website unless the respondent specifically tells APRA in writing that all or part of the submission is to remain confidential. An automatically generated confidentiality statement in an email does not satisfy this purpose. If you would like only part of your submission to be confidential, you should provide this information marked as 'confidential' in a separate attachment.
Submissions may be the subject of a request for access made under the Freedom of Information Act 1982 (FOIA). APRA will determine such requests, if any, in accordance with the provisions of the FOIA. Information in the submission about any APRA-regulated entity that is not in the public domain and that is identified as confidential will be protected by section 56 of the Australian Prudential Regulation Authority Act 1998 and will therefore be exempt from production under the FOIA.