APRA unveils new cross-industry blueprint for financial resilience

APRA unveils new cross-industry blueprint for financial resilience

APRA unveils new cross-industry blueprint for financial resilience | Insurance Business Australia

Insurance News

APRA unveils new cross-industry blueprint for financial resilience

Guide aims to help industry enhance operational risk management

Insurance News

By
Roxanne Libatique

The Australian Prudential Regulation Authority (APRA) has released its finalised Prudential Practice Guide CPG 230 Operational Risk Management (CPG 230) to aid insurers, banks, and superannuation trustees in bolstering their operational risk management and business continuity planning.

The guidance focuses on enhancing the resilience of critical operations and improving third-party risk management.

Key revisions in CPG 230

APRA said the guidance has been condensed and aligned more closely with the standard’s expectations.

Non-significant financial institutions (non-SFIs) have been granted an additional 12 months to comply with specific requirements related to business continuity and scenario analysis.

The regulator has also included a “day one” checklist to assist entities in the implementation process of CPS 230.

Lastly, a three-year forward plan for supervising CPS 230 has been provided to assist with industry planning and implementation.

APRA chair John Lonsdale emphasised the increasing importance of operational resilience.

“Disruptions to financial services can have a major impact on people who rely on them to save, spend, recover from financial loss, or support themselves in retirement,” he said. “CPS 230 is designed to ensure entities safeguard the resilience of their operations and are well prepared to respond to disruptions. By amending the accompanying guidance, we aim to keep industry standards high while also being mindful of the compliance burden on smaller entities so they can remain competitive.”

See also  Cyber threats remain top concern for business leaders – report

In response, APRA has modified the guidance to provide smaller entities more time to meet certain components, streamline the guidance to align better with the standard, and clarify expectations for implementation. Non-SFIs now have a 12-month extension to comply with business continuity and scenario analysis requirements, providing them additional time to establish robust foundations.

APRA’s template for MSP registration

The guidance has been adjusted to allow entities discretion in their approach, particularly regarding business process mapping, scenario analysis, and third-party risk management. While CPS 230 sets baseline expectations for all entities, larger and more complex entities are expected to implement stronger practices.

Entities are required to evaluate their service providers to determine whether they are material service providers (MSPs) and ensure compliance with CPS 230 for material arrangements. APRA has introduced a template for the MSP register, with the first submission due by Oct. 1, 2025.

APRA’s expectations for managing fourth-party risks and cohorts

The regulator has moderated expectations for managing fourth-party risks.

Entities must outline their approach to managing these risks as part of their service provider management policy.

For cohorts of service providers, entities are expected to have additional processes and controls to address associated risks.

Implementation and supervision

APRA expects regulated entities to be proactive in transitioning to CPS 230. The guidance includes a “day one” checklist and details the supervision program for the first three years, including prudential reviews and ongoing supervision based on entity size and complexity.

Entities are encouraged to actively work on transitioning to CPS 230 and communicate with their supervisors regarding compliance readiness.

See also  AXA XL boosts cyber capabilities in Europe and Australia

Related Stories

Keep up with the latest news and events

Join our mailing list, it’s free!