Legal development

APRA CPS 230 Operational Risk Management implementation benchmarking: How do you compare?

    What you need to know

    The new APRA CPS 230 Operational Risk Management standard (CPS 230) is aimed at strengthening a financial service entity's operational resilience through more robust operational risk management to prevent disruption or, if disruption does occur, to maintain minimum service standards, respond and recover quickly. The final standard was released in July 2024, with only 9 months remaining until the effective date of 1 July 2025 (with some exceptions for non-Significant Financial Institutions (SFIs)).

    With the implementation deadline fast approaching, no entity wants to be an outlier – either in terms of progress or in its approach to operationalising the standard. Being out of step with peers could expose an entity to the risk of missing the compliance deadline or attracting regulatory attention or, worse, leave it vulnerable to disruption without the ability to respond and recover in a timely manner.

    Ashurst Risk Advisory has conducted a survey of leading superannuation funds to provide a benchmark on readiness, highlight any gaps in the planned approach and share common challenges in implementation. 

    Progress on implementation

    The major funds were surveyed and, not surprisingly, all respondents indicated they were well progressed with the identification of critical operations and material service providers, in line with APRA's suggested "proactive" implementation timeline. Progress on other key deliverables, such as documenting the critical operations, updating their operational risk profile and risk reporting, and redefining accountabilities, was varied, with different funds prioritising different aspects of the standard. For instance, while one fund had fully implemented its business continuity requirements, the majority of other funds were still in the initial phases of developing their business continuity management (BCM) approach and "severe yet plausible" scenarios. The next deadline in APRA's implementation timeline requires entities to "be ready to set tolerance levels" by the end of 2024, which will prompt many to prioritise BCM and scenarios in the near term.

    Insights on the CPS 230 program set up and approach

    The survey also asked the funds to provide insights into their:

    • Program set up, integration with other regulatory change, resources and spend
    • Approach and identification of critical operations
    • Approach to Business Continuity Management and tolerances
    • Criteria and approach to service provider management including the expected increase in identified material service providers; and
    • Changes in accountabilities and governance and engagement with the Board to date.

    The responses were collected and analysed, with Niki Short, leader of the Ashurst Risk Advisory CPS 230 offering, noting that "many of the responses aligned with our expectations and were consistent with other entities we are advising on CPS 230. However, there were some surprising results, particularly in the variations of critical operations identified and the exceptions related to material service providers."

    Challenges to date

    The respondents also had some insightful observations when asked about their greatest challenges in the implementation, which aligned with our own experience with clients, including:

    • Maintaining compliance with existing APRA standards such as CPS 232 and CPS 231 during the transition while simultaneously building the new frameworks, particularly with the same SMEs in demand
    • Documenting critical operations in enough detail to develop, in an efficient manner, effective Business Continuity Plans to operate in a crisis, balanced with keeping critical operations documentation relevant to Executives; and
    • Finding practical ways to set workable tolerance levels for critical operations, given the varied tolerances of the numerous underlying processes

    Some funds have indicated they will be seeking independent assurance to ensure these challenges are addressed appropriately and their approach is in line with regulatory and industry expectations ahead of the 1 July 2025 implementation date.

    How we can help

    If you are interested in understanding how you compare to your peers, reach out to Ashurst for insights based on the benchmarking survey outcomes. 

    We would also be happy to discuss our range of CPS 230 offerings that can help set you up for success in meeting the new requirement, from designing frameworks and the approach to providing independent assurance and insights.


    This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.

    The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.

    The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.

    For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com

    This material is current as at 2 October 2024 but does not take into account any developments to the law after that date. It is not intended to be a comprehensive review of all developments in the law and in practice, or to cover all aspects of those referred to, and does not constitute legal advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent legal advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.