
APRA updates industry on operational resilience guidance

The Australian Prudential Regulation Authority (APRA) has released its finalised prudential practice guide to help superannuation trustees, banks and insurers strengthen their management of operational risk and improve business continuity planning.

The new Prudential Practice Guide CPG 230 Operational Risk Management (CPG 230) is designed to assist in the implementation of Prudential Standard CPS 230 Operational Risk Management (CPS 230), which was finalised in July last year and takes effect from 1 July 2025.

APRA reconfirmed its focus on the resilience of critical operations and uplift in third-party risk management, while also announcing a range of changes to the new guidance.

As part of the changes, the guidance has been shortened and is more tightly focused on how to meet expectations set by the standard.

In addition, entities that are classified as non-Significant Financial Institutions will have an additional 12 months to comply with certain requirements in CPS 230 relating to business continuity and scenario analysis.

APRA has also included a "day one" checklist for entities to assist in their implementation of CPS 230, and the regulator has provided a three-year forward plan of its intended approach to supervising CPS 230 to assist industry with implementation and planning.

The "day one" checklist sets out 10 requirements entities are expected to meet come 1 July 2025. These include:

  • Identifying critical operations (CO)
  • Tolerances defined and approved by the board
  • Material Service Providers (MSP) identified
  • Notifications operational for material events, tolerance breaches and MSP changes
  • Board governance and oversight in place and clear roles and responsibilities set
  • Risk profiles and reporting established and supporting oversight accountabilities
  • Accountability for COs and MSPs, and monitoring is in place
  • Contract updates have an extension of 12 months
  • Business continuity management (BCM) shifts from critical operations focus
  • Scenarios align with BCM uplift and focus on severe yet plausible scenarios for COs and MSPs

APRA chair John Lonsdale said operational resilience was becoming increasingly important in the digital financial age.

"Disruptions to financial services can have a major impact on people who rely on them to save, spend, recover from financial loss or support themselves in retirement," he said.

"CPS 230 is designed to ensure entities safeguard the resilience of their operations and are well prepared to respond to disruptions. By amending the accompanying guidance, we aim to keep industry standards high while also being mindful of the compliance burden on smaller entities so they can remain competitive."

APRA said it expects entities to start with the identification of their critical operations. In doing so, an entity should identify its critical operations, set tolerance levels for disruption of these critical operations, and identify the processes and resources needed to deliver these critical operations, including material service providers.

"A prudent entity would then use this information as the starting point for an assessment of its operational risk profile," APRA said.
