Your roadmap to compliance
Final CPS 230 published
APRA has released a final version of new Prudential Standard CPS 230 (Operational Risk Management), which will apply to all APRA-regulated entities (ie financial institutions, superannuation funds and insurers) and will require significant uplifts to governance, compliance, contractual and incident response arrangements.
CPS 230 will replace existing prudential standards which relate to outsourcing of material business activities (CPS 231, SPS 231 and HPS 231) and business continuity management (CPS 232 and SPS 232). It will operate alongside CPS 220 and SPS 220 (Risk Management), CPS 234 (Information Security) and APS 222 (Associations with Related Entities).
CPS 230 will come into effect on 1 July 2025. For existing service provider arrangements, APRA-regulated entities will have until the earlier of 1 July 2026 or the next renewal date of an existing agreement to ensure compliance with CPS 230. APRA expects regulated entities to demonstrate that they have made meaningful progress in 2023 and 2024 to prepare for CPS 230.
Draft CPG 230 published for consultation
APRA has also released for consultation a draft Prudential Practice Guide CPG 230 (Operational Risk Management), which sets out proposed guidance on CPS 230. CPG 230 will replace five existing Prudential Practice Guides: GPG 230 / LPG 230 Operational Risk, CPG 231 / SPG 231 Outsourcing and SPG 232 Business Continuity Management.
Consultation on CPG 230 closes on 13 October 2023. APRA expects to finalise the guidance by the end of 2023.