News Asia | 07 Jul 2025

Australia: New prudential standard on operational risk management implemented


Insurers, superannuation funds and banks in Australia must now meet higher standards of operational risk management, as new requirements laid down by the Australian Prudential Regulation Authority (APRA) have come into force.

According to a media release by APRA, the new regulation, Cross-industry Prudential Standard (CPS) 230 Operational Risk Management (CPS 230), which came into effect on 1 July 2025, requires APRA-regulated entities to be well prepared to ensure continuity of critical services to the community and to respond to business disruptions by implementing the following measures:

  • Identifying important business services and determining the extent to which these services can continue during severe disruptions.
  • Testing their business continuity planning to identify vulnerabilities and ensure they are positioned to overcome severe disruptions.
  • Enhancing third-party risk management by ensuring risks from material service providers are identified and appropriately managed.

The media release said the issue of operational resilience has taken on greater importance over recent years as the financial system has become more interconnected and more dependent on digital technologies and service providers. Recent geopolitical turmoil also increases risks such as cyber attacks and personnel risks associated with bad actors.

APRA member Therese McCarthy Hockey said CPS 230 will play an important role in financially protecting the community.

“Australians depend on banking to pay for goods and services, insurance helps us rebuild after a flood or fire and pay for vital medical treatments, while superannuation supports us to maintain a dignified lifestyle in retirement.”

She said, “In an environment where one crashed server or ransomware attack could leave millions without access to these essential services, effective operational risk management is vital for financial stability and community wellbeing.”

Ms Hockey said this will also enable the players to “identify their own operational vulnerabilities and have plans to mitigate them. CPS 230 requires entities to have a detailed level of understanding and mitigation planning in relation to their most critical third-party service providers. This will require an entirely new mindset about where the boundaries of responsibility sit.”

Over the past two years, APRA has worked closely with industry to enable regulated entities to be ready to comply with the new standard, although APRA has granted smaller, less complex entities an extra 12 months to meet some requirements.

The regulator also requires each entity to provide a list of its most material service providers, which will help APRA identify concentration risks across the financial services sector.
