Module Application
Is your organisation an APRA regulated entity?
Does your organisation have policies and procedures in place to manage operational risks in line with Prudential Standard CPS 230 Operational Risk Management?
Module Scope
The OPERATIONAL RISK MANAGEMENT module aims to assist organisations to comply with Prudential Standard CPS 230 Operational Risk Management (CPS 230), which will generally apply to entities regulated by APRA in the banking, insurance and superannuation industries from 1 July 2025.
The purpose of CPS 230 is to ensure that an entity regulated by APRA is resilient to operational risks and disruptions. Accordingly, the entity is required to:
- Identify, assess and manage its operational risks, utilising effective internal controls, monitoring and remediation
- Have the ability to continue delivering critical operations within tolerance levels during severe disruptions, and have a credible business continuity plan in place
- Effectively manage risks associated with service providers, including through the use of a comprehensive service provider management policy, formal agreements and robust monitoring
CPS 230 supports and builds on the general risk management requirements contained in Prudential Standard CPS 220 Risk Management (CPS 220). On application, CPS 230 will replace and supersede the following five existing prudential standards that apply to APRA-regulated entities depending on the particular industry:
- Prudential Standard CPS 231 Outsourcing (CPS 231)
- Prudential Standard SPS 231 Outsourcing (SPS 231)
- Prudential Standard HPS 231 Outsourcing (HPS 231)
- Prudential Standard CPS 232 Business Continuity Management (CPS 232)
- Prudential Standard SPS 232 Business Continuity Management (SPS 232)
Application of CPS 230
CPS 230 applies from 1 July 2025 to all APRA-regulated entities, being:
- Authorised deposit-taking institutions (ADIs), foreign ADIs and authorised non-operating holding companies (as defined in the banking legislation)
- General insurers, including Category C insurers, non-operating holding companies authorised under the insurance legislation, and parent entities of Level 2 insurance groups
- Life companies, including friendly societies, eligible foreign life insurance companies, and non-operating holding companies registered under the life insurance legislation
- Private health insurers
- Registrable superannuation entity licensees in respect of their business operations
APRA has, however, confirmed in its response to submissions on draft CPG 230 that it will give ‘non-significant financial institutions’ (non-SFIs) — as this term is defined for the different types of regulated entities in various prudential standards — a 12-month extension (to 1 July 2026) on requirements relating to business continuity and scenario analysis. These entities may transition to CPS 230 in full before the conclusion of the 12-month extension; entities that do not transition early must continue to comply with existing prudential standards on business continuity until 1 July 2026.
Implementation of CPS 230
CPS 230 requires that operational risk management be integrated into the entity’s overall risk management framework and processes, and that business continuity planning be consistent with (and not conflict with or undermine) the entity’s recovery and exit planning.
The entity is required to manage its full range of operational risks, including (but not limited to):
- Legal risk
- Regulatory risk
- Compliance risk
- Conduct risk
- Technology risk
- Data risk
- Change management risk
The entity’s senior management are responsible for managing operational risk across the end-to-end process for all business operations.
While CPS 230 applies to all APRA-regulated entities, CPG 230 confirms that APRA expects significant financial institutions (SFIs) to have stronger practices in place that are commensurate with the size and complexity of their operations. All entities should, however, mature their risk management practices over time as their business grows and evolves, and to match the scale of their risks and role in the financial system.
Significant consequences can apply to entities regulated by APRA in the banking, insurance and superannuation industries found to have breached or not complied with their legal obligations. These consequences vary considerably depending on the nature and extent of the breach or failure.
The OPERATIONAL RISK MANAGEMENT module covers the roles and responsibilities of regulated entities. The module does not cover the role or actions to be taken by consumers in the event of a breach of regulations or obligations by an organisation.