CPS 230 will disrupt vendor relationships for Australian financial institutions by giving APRA greater authority over service provider arrangements when prudential concerns are heightened.
If you’re an APRA-regulated entity, this post will help you understand the requirements of CPS 230, how the new standards differ from SPS 231 and SPS 232, and how to achieve compliance standards by the full compliance deadline of 1 July 2025.
Learn how UpGuard simplifies Vendor Risk Management >
What’s Different in CPS 230?
Prudential Standard CPS 230 will support Prudential Standard CPS 220 Risk Management and replace Prudential Standard SPS 231 Outsourcing (SPS 231) and Prudential Standard SPS 232 Business Continuity Management (SPS 232) for RSE licensees.
These changes are reflected across three categories - operational risk management, business continuity, and management of service provider arrangements.
1. Operational Risk Management
The ultimate objective of CPS 230 is to increase resilience to operational risks and disruptions for APRA-regulated entities. As such, an operational risk management framework must meet the following key requirements:
- Have the ability to identify, assess and manage operational risks.
- Have a means of monitoring the efficacy of remediation efforts in terms of minimizing operation risk impact.
- Have the ability to maintain critical operations within tolerance levels throughout severe disruptions
- Have a service provider management policy in place for effectively managing risks associated with service providers.
These standards reflect APRA’s shift towards a more outcome-orientated approach to operational risk management. This is a positive change as it encourages financial institutions to focus on the ultimate goal of improved operational risk management, rather than blindly following procedures - a “box-ticking” mentality many financial institutions habitually assume when it comes to compliance.
Learn how UpGuard protects Australian Financial Services >
The new requirements within the operational risk management category include:
Completing Risk Assessments Prior to Providing Material Services
An APRA-regulated entity must conduct a comprehensive risk assessment before providing a material service to another party, to ensure that the APRA-regulated entity is able to continue to meet its prudential obligations after entering into the arrangement. APRA may require an APRA-regulated entity to review and strengthen internal controls or processes where APRA considers there to be heightened prudential risks in such circumstances.
- Prudential Standard CPS 230
CPS 230 builds upon the operational risk management processes outlined in CPS 220, which are too broad and fail to achieve risk management outcomes within risk appetites. Risk assessments will play a key role in narrowing this focus by helping APRA-regulated entities identify their non-financial risk exposures within the context of board-approved risk appetites.
Risk assessments will also reveal the efficacy of internal controls and their overall impact on operational risk resilience, information that can be conveniently consolidated in a cybersecurity report to support greater board oversight - a key requirement of CPS 234.
Board members are now expected to be accountable and responsible for overseeing and managing operational risks.
Where previously, the criticality of an operation was determined by its impact on an entity in the event of a business operation disruption, CPS 230 shift the focus to the customer and market participants. Critical operations are now defined as processes that will have a negative material impact on customers, policyholders, beneficiaries, depositors, or their roles in the financial system if disrupted beyond tolerance levels.
Watch this video for an overview of UpGuard’s risk assessment workflow.
Start your free trial of UpGuard >
This dramatic shift in impact focus could require you to reevaluate the metrics influencing your risk appetite calculations. APRA offers some support in this area by outlining the types of business operations that should be classified as critical (at a minimum):
- For all APRA-regulated entities: Customer inquiries, systems, and infrastructures supporting critical operations.
- For Authorised Deposit-Taking Institutions: Any payments, deposit-taking and management, customer, settlement, and clearing process.
- For Insurers (general, life, private health): Claims processing.
- For RSE licensees: Investment management and fund administration processes.
Learn how to calculate your risk appetite >
Understanding Operational Risk Profiles
An APRA-regulated entity must maintain a comprehensive assessment of its operational risk profile. As part of this, an APRA-regulated entity must:
(a) Maintain appropriate and effective information systems to monitor operational risk, compile and analyse operational risk data and facilitate reporting to the Board and senior management;
(b) Identify and document the processes and resources needed to deliver critical operations, including people, technology, information, facilities and service providers, the interdependencies across them, and the associated risks, obligations, key data and controls; and
(c) Undertake scenario analysis to identify and assess the potential impact of severe operational risk events, test its operational resilience and identify the need for new or amended controls and other mitigation strategies.
- Prudential Standard CPS 230
CPS 230 expects APRA-regulated entities to implement operational risk monitoring systems beyond point-in-time risk assessments. The expectation for systems to monitor operational risk data seems to suggest real-time attack surface monitoring, capable of feeding this information into a report generation tool to create always up-to-date board reports.
Learn how to choose a cyber risk remediation tool for finanical services >
These standards highlight two key changes in CPS 230 compared to previous compliance functions:
Previously, risk management policies covered third-party providers completing outsourced services that would otherwise be performed internally. CPS 230 broaden this scope to include all third and fourth-party providers supporting critical operations through their service and, therefore, exposing organisations to increased material operational risks.
These risks associated with third and fourth-party service providers are to e managed and monitored continuously.
By now, it should be apparent that CPS 230 is primarily characterized by an emphasis on operational risk specificity. This is perhaps most vividly reflected in its requirement for processes impacting operational resilience to be clearly identified.
Risk management frameworks will no longer map to broad material impact risk categories as either “financial” or “non-financial. An organization’s entire risk profile will need to be audited to ensure it maps to approved risk tolerance levels and critical operations and their interdependencies with third and fourth-party entities.
How to Comply with the Operational Risk Function of CPS 230
The following response actions support alignment with the operational risk standards of CPS 230.
- Ensure operational near misses are identified in a timely manner, addressed, recorded, and shared with APRA no later than 72 hours after identification.
- Maintain an IT infrastructure comprising of reliable systems with a low likelihood of disturbing business processes.
- Ensure your IT infrastructure can support your current and projected business process needs - this might require increased data storage processing and storage limits.
- Ensure all IT technology can reliably support your most important business tasks.
- Implement security measures to mitigate operational risks throughout your IT infrastructure - this could include backup systems or the prompt detection and remediation of security risks that could facilitate data breaches.
- Ensure you can identify and manage operational risks across a diverse risk profile, including legal, regulatory, change management, and security risks.
- Be capable of identifying the most effective remediation method for all discovered risks, in line with board-approved risk appetites.
- Conduct risk assessments for prospective vendors to ensure alignment with the standards of CPS 230 before committing to a business relationship.
- Conducts ongoing risk assessments for existing vendors to ensure ongoing compliance with CPS 230.
- Continuously monitor the efficacy of controls mitigating security and operational risks and be capable of filling control gaps when they’re identified.
Learn the ideal features of an attack surface management tool for finance services >
How UpGuard Can Help
UpGuard vulnerability detection feature automatically evaluates the severity of risks, reflecting the potential impact on an entity’s operational risk management efforts.
By projecting the impact of selected remediation tasks on an organization’s security posture, UpGuard helps Australian financial entities maintain an efficient remediation strategy ensuring minimal critical operation disruptions from internal and service provider risks.
Watch this video for an overview of UpGuard’s remediation workflow.
Start your free trial of UpGuard >
2. Business Continuity
Because, under CPS 230, the impact of critical operations extends to third and fourth-party vendors, your Business Continuity Plan (BCP) should be updated to address this category of disruption. Failing to complete such an audit means your BCP will remain unequipped to address the full scope of critical operation disruptions - which would constitute a CPS 230 violation.
Disaster recovery plans should also be updated to ensure minimal impact on critical operations, and timely return to normal business operations.
Once updated, your BCP should be regularly tested with simulated operational risk incidents with an outcome-oriented approach of continuously reducing disruption periods.
Board members must approve your Business Continuity Plan, tolerance levels, and service provider management policy
Australian financial entities should ensure their recovery plans are adjusted based on the following risk tolerance level criteria outlined in CPS 230.
- The maximum period of tolerance in the event of an operation disruption.
- The maximum degree of acceptable data loss in the event of an operational disruption.
- The minimum service levels can be provided while operating during a disruption.
Tolerance levels may need to be adjusted for critical operations.
Previously, Australian financial services focused on recovery timeframes as a primary metric for reducing the impact of disruptions.
.png)
CPS 230 shifts the focus on tolerance levels, requiring business continuity metrics to expand beyond Maximum Allowable Outages and Recovery Time Objectives to also include Maximum Data Losses and Minimum Recovery objectives.
Business Continuity Management principles have also been adjusted under CPS 230. Now, continuity testing programs must include more robust reviews of all critical operations and material risks instead of limiting the scope to critical operational dependencies. Because testing will now occur through the lens of tolerance levels, operational impact will be evaluated by an ability to maintain business operations through ‘severe but plausible disruptions.
How to Comply with the Business Continuity Function of CPS 230
The following steps will help you align with CPS 230’s business continuity standards.
- Establish a systemized BCP testing program addressing all critical operations annually, at the least.
- Clearly define triggers for activating a BCP in line with risks associated with CPS 230’s definition of operational criticality.
- Establish a communication strategy to streamline BCP activation and implementation.
- Ensure BCPS is updated to reflect the latest changes in legal or organisational structure, business strategy, or any shortcomings discovered from BCP testing.
- Expand business continuity metrics to include Maximum Data Losses, Minimum Recovery, and service level objectives
3. Management of Service Provider Arrangements
Compared to CPS 231, HPS 231, and SPS 231, CPS has broadened its score of regulatory scrutiny to adjust to an increasing reliance on outsourced services. CPS 230 focuses on the material risks associated with using service providers, which now includes fourth-party risks.
APRA-regulated entities can choose their own fourth-party risk management program for mitigating critical operation impact from fourth parties in the supply chain.
Learn about Fourth-Party Risk Management >
A fourth party is a service provider of a third-party service provider.
Each risk management program must be unified by a policy outlining how service providers will be identified and how their material risk will be managed.
An APRA-regulated entity must maintain a comprehensive service provider management policy. The policy must cover how the entity will identify material service providers and manage service provider arrangements, including the management of material risks associated with the arrangements.
- Prudential Standard CPS 230
How to Comply with the Management of Service Provider Arrangements Function of CPS 230
To comply with APRA’s Management of Service Provider Arrangement standards, financial entities in Australia have tasks that need to be addressed before and after engaging in a service provider relationship.
Before engaging in a service provider relationship:
- Undertake proper due diligence to ensure service providers can meet your expected levels of service on an ongoing basis.
- Assess the financial and non-financial risks associated with dependence on the service provider. This assessment should consider geographical location risks and any risks associated with the service provider’s outsource network (fourth-party risks from this service provider’s perspective).
- Have the service provider sign a formal agreement addressing:
- Expected service levels,
- Rights and responsibilities concerning asset/data ownership
- The service provider’s responsibility for any failures caused by any of their subcontractors
- Termination provisions including, but not limited to, the right to terminate both the arrangement in its entirety or parts of the arrangement.
- Permitting APRA to access any relevant documentation or data associated with service provisions.
- Permitting APRA to conduct on-site visits.
- An agreement to not impede APRA in its duties as a prudential regulator.
After establishing a service provider relationship:
- Notify APRA no more than 20 days after entering a service provider agreement supporting critical operations.
- Notify APRA no more than 20 days after
- Maintain an accurate register of material service providers.
- Submit an up-to-date register of all service providers to the Australian Prudential Regulation Authority annually.
- Ensure stakeholders and senior management are kept informed of service provider performance with reference to agreed-upon service levels.
- Ensure stakeholders and senior management are kept informed of the efficacy of risk controls for managing risk associated with service providers.
- Ensure stakeholders and senior management is capable of tracking the compliance obligations of service providers as stipulated in their service agreements.
How UpGuard Can Help
UpGuard’s attack surface monitoring capabilities extend to the fourth-party network, helping APRA-Regulated entities easily identify fourth-party risks potentially impacting CPS 230 operational risk management.
With UpGuard’s report-generation feature, you can instantly generate reports summarising your vendor risk profile and improving cybersecurity posture over time.
Board summary reports can be instantly exported as PowerPoint presentation slides to support impromptu meetings about internal audits and service provider risk controls.
To support collaboration with APRA, UpGuard offers a Shared Profile feature, allowing service providers to host any relevant documentation that will assist APRA in completing its duties as a prudential regulator.
Watch this video to learn about some of UpGuard’s reporting features.
.png){kind=avatar}
