Get ready for the APRA CPS 230 updates

As APRA finalises its new prudential standard on operational risk, we provide some background to the updates and explain how you can stay compliant.

The Prudential Standard CPS 230 is a regulatory framework developed by the Australian Prudential Regulation Authority (APRA) to ensure banks, insurers, and superannuation trustees can better manage operational risks and respond to business disruptions [1].

It provides a foundation for APRA-regulated entities to:

  • strengthen operational risk management through new requirements to address identified weaknesses in existing controls; 
  • improve business continuity planning to ensure they are positioned to respond to severe disruptions; and
  • enhance third-party risk management by ensuring risks from material service providers are appropriately managed.

Let’s look at why the updates are so important.

In 2022 [2], APRA recognised the need to strengthen the CPS 230 standard in response to the challenges experienced through the COVID-19 pandemic, the heightened cyber threat, and the increasing incidence of natural disasters.

These events demonstrated the critical importance of financial institutions being able to manage and respond to operational risks, with APRA [3] explaining: “The new standard is designed to strengthen the management of operational risk, respond to business disruptions, and manage the risks from the use of service providers for all APRA-regulated entities.”

Speaking in July 2023, the APRA Chair, John Lonsdale, said the finalisation of CPS 230 will strengthen the management of operational risk across APRA’s regulated population, explaining:  

“Disruptions to financial services can cause a major detrimental impact to the people who rely on them to pay bills, recover from financial loss or support themselves in retirement.”

“The need for APRA’s new standard has been demonstrated by a number of recent operational risk control failures and disruptions, including material cyber breaches. This new standard will ensure that regulated entities set and test controls and maintain robust business continuity plans to respond if disruptions do occur.”

“We expect regulated entities to be proactive in preparing for implementation, rather than waiting until the last minute to get ready to meet the new requirements. There will be a transition phase for existing contractual arrangements with material service providers for entities that need some flexibility,” Mr Lonsdale said. 

Because of the complexities involved in managing these operational risk scenarios, financial institutions are relying more on technology service providers to support internal operations.

These changes therefore extend to the services provided by regulated financial service providers to their clients.

APRA [4] finalised the standard following industry consultation [5] that commenced in July 2022. The new standard will commence from 1 July 2025.

How should you be approaching the APRA CPS 230 updates?

The first step in complying with APRA CPS 230 is to fully understand your current operations. A risk assessment across the organisation is therefore required to review existing business processes and identify weaknesses in existing controls.

Knowing your current processes is the foundation of risk analysis. Until you have a big-picture understanding of how work happens in your organisation, you can’t see areas of potential risk or vulnerability, and you won’t be able to identify areas that are in breach of APRA CPS 230 regulations.

This risk assessment will identify where improvements in the business continuity plan need to be made to ensure the organisation is able to respond to disruptions or breaches.

We’re here to help.

Tecala partners with Nintex to run its business continuity planning and disaster recovery planning risk assessments.

Our Automation, Data and AI consultants use Nintex Process Mapping Software to gather all the fragmented information about your existing processes. By visually and logically mapping your processes, we identify where problems lie.

Because this is a complex process that spans across the entire organisation, we use automation and AI to improve the efficacy of the process and mitigate human error. In essence, when you partner with Tecala, you can be more confident that you won’t miss a thing.

  • Automated tools can quickly process vast amounts of data, including financial transactions, customer information, and security logs. This accelerates the analysis phase of risk assessments.
  • AI (incorporating Machine Learning algorithms) can identify patterns, anomalies, and trends within the data, enabling a more sophisticated understanding of potential risks. This delivers a more accurate risk assessment.

Introducing Nintex Process Manager and its Business Process Mapping.

Nintex has spent years perfecting best-of-breed process management tools like Nintex Process Manager that make discovering, planning, mapping, and then managing your business processes over time so much easier [6].

This is just one of the powerful process platforms to help manage, automate, and perfect workflows across your organisation.

By utilising existing capabilities and new AI-based innovation, the Nintex Process Platform:

  • provides easy-to-use tools for building solutions that orchestrate and manage work across disconnected systems and teams;
  • delivers insights and intelligence to drive continuous process improvement; and
  • enables better visibility and governance of processes across all teams [7].

Why partner with Tecala?

Tecala has a strong track record partnering with Australia’s leading Superannuation providers. Our capabilities are geared towards financial services, and similarly governed industries, that operate in highly regulated environments.

Once we fully understand your business processes and workflows across your organisation, we can develop a business continuity plan and disaster recovery plan for your organisation that aligns with the updated requirements of APRA CPS 230.

We’ll also maintain your information security framework, policies, procedures, and risk assessment documentation to ensure it all demonstrates compliance during regulatory audits.

In this way, Tecala and Nintex approach APRA CPS 230 and all industry regulatory updates in the most efficient and effective way possible.

1, 4 APRA, Media Release
2 APRA Discussion Paper – Strengthening Operational Risk
3, 5 APRA, Operational Risk Management
6 Nintex Website
7 Nintex Website
