CPS 230 - Operational Risk Management
As part of its major multi-year initiative to modernise its prudential architecture, APRA released for consultation a
proposed new standard for operational risk management – CPS 230, which will replace and supersede:
▪ SPS 231 – Outsourcing; and
▪ SPS 232 – Business Continuity Management.
The requirements of CPS 230 relate to:
▪ Operational risk management;
▪ Maintaining critical operations with tolerance levels through severe disruption; and
▪ Material service provider risk management and monitoring.
APRA has identified specific questions for feedback that will assist it in finalising the requirements. The standard will commence from 1 January 2024. APRA intends to finalise the standard and release draft guidance for consultation in early 2023, and finalise the guidance in the first half of 2023.
Key items
Operational Risk Management
The risk management framework will need to specifically address operational risk, including governance arrangements for oversight, assessment, controls, monitoring and reporting, business continuity and processes for management of service provider arrangements. Information technology infrastructure maintenance is also a required component of operational risk management.
Senior managers will be required to have clear roles and responsibilities for operational risk management set by the Board and with responsibility for operational risk management across the end-to-end process for all business operations.
Trustees must assess the impact of business and strategic decisions on the operational risk profile and operational resilience.
Operational risk incidents and “near misses” need to be identified, escalated, recorded and addressed, with incidents that are likely to have a material financial impact or material impact on the ability to maintain critical operations reported to APRA within 72 hours.
Where APRA considers that there is a material weakness to the entity’s management of operational risk, APRA may require an independent review, remediation, and impose additional licence requirements, amongst other things.
Business Continuity
A broader focus on “critical operations” (processes undertaken by the entity or a service provider which, if disrupted beyond tolerance levels, would have a material adverse impact on beneficiaries or role in the financial system) and Board approved “tolerance levels” for disruption, data loss and minimum service levels.
Critical operations include fund administration, customer enquiries, investment management services and systems and infrastructure needed to support these operations.
Service Provider Management
APRA regulated entities must have a Board approved service provider management policy. The Board must review
risk and performance reporting on material service provider arrangements.
A move away from a focus on “outsourcing” and “material business activity” to “material service providers” – those providers on which the entity relies to undertake a critical operation or that expose it to material operational risk and include core technology services, fund administration, custodial services, investment management and providers that manage information assets classified as critical under CPS 234.
Agreements must include, amongst other things, a right to terminate where, to continue the arrangements would be inconsistent with the RSE licensee’s duty to act in the best financial interests of beneficiaries.
If your trustee office needs further clarification or assistance with keeping up to date with changes in regulatory policy, please contact QMV Legal at sayhi@qmvsolutions.com or 03 9620 0707.
ABOUT QMV
QMV provides independent advisory, consulting, legal services and technology to superannuation, wealth management, banking and insurance organisations.
Like what you see? Please subscribe to receive original QMV content!
You may also benefit from our free monthly pensions and superannuation regulatory updates.