APRA unveils new cross-industry blueprint for financial resilience
APRA unveils new cross-industry blueprint for financial resilience | Insurance Business Australia
Guide aims to help industry enhance operational risk management
By Roxanne Libatique
The Australian Prudential Regulation Authority (APRA) has released its finalised Prudential Practice Guide CPG 230 Operational Risk Management (CPG 230) to aid insurers, banks, and superannuation trustees in bolstering their operational risk management and business continuity planning.
The guidance focuses on enhancing the resilience of critical operations and improving third-party risk management.
Key revisions in CPG 230
APRA said the guidance has been condensed and aligned more closely with the standard’s expectations.
Non-significant financial institutions (non-SFIs) have been granted an additional 12 months to comply with specific requirements related to business continuity and scenario analysis.
The regulator has also included a “day one” checklist to assist entities in the implementation process of CPS 230.
Lastly, a three-year forward plan for supervising CPS 230 has been provided to assist with industry planning and implementation.
APRA chair John Lonsdale emphasised the increasing importance of operational resilience.
“Disruptions to financial services can have a major impact on people who rely on them to save, spend, recover from financial loss, or support themselves in retirement,” he said. “CPS 230 is designed to ensure entities safeguard the resilience of their operations and are well prepared to respond to disruptions. By amending the accompanying guidance, we aim to keep industry standards high while also being mindful of the compliance burden on smaller entities so they can remain competitive.”
In response, APRA has modified the guidance to provide smaller entities more time to meet certain components, streamline the guidance to align better with the standard, and clarify expectations for implementation. Non-SFIs now have a 12-month extension to comply with business continuity and scenario analysis requirements, providing them additional time to establish robust foundations.
APRA’s template for MSP registration
The guidance has been adjusted to allow entities discretion in their approach, particularly regarding business process mapping, scenario analysis, and third-party risk management. While CPS 230 sets baseline expectations for all entities, larger and more complex entities are expected to implement stronger practices.
Entities are required to evaluate their service providers to determine whether they are material service providers (MSPs) and ensure compliance with CPS 230 for material arrangements. APRA has introduced a template for the MSP register, with the first submission due by Oct. 1, 2025.
APRA’s expectations for managing fourth-party risks and cohorts
The regulator has moderated expectations for managing fourth-party risks.
Entities must outline their approach to managing these risks as part of their service provider management policy.
For cohorts of service providers, entities are expected to have additional processes and controls to address associated risks.
Implementation and supervision
APRA expects regulated entities to be proactive in transitioning to CPS 230. The guidance includes a “day one” checklist and details the supervision program for the first three years, including prudential reviews and ongoing supervision based on entity size and complexity.
Entities are encouraged to actively work on transitioning to CPS 230 and communicate with their supervisors regarding compliance readiness.