Data breaches. The COVID pandemic. Devastating climate events. It’s not a case of ‘if’ disruption might happen, but when. Meet APRA's CPS 230 requirements and be confident you can prepare for and respond to these events quickly and effectively.
Comply with the new Operational Resilience framework set in place by the Australian Prudential Regulation Authority (APRA) in time for the 1 July 2025 deadline.
Identify and map your critical operations and the critical processes and resources that support them.
Conduct robust scenario testing to assess your ability to stay within impact tolerances and ensure you are prepared against the maximum level of disruption.
Report on your readiness and results to APRA, auditors, the Board and senior management.
Most companies simply aren’t prepared for disruption. Data from BCG shows that only 10% are resilient and thriving. That’s why the Australian Prudential Regulation Authority (APRA) has finalised a new prudential standard for insurers, banks and superannuation firms - CPS 230 Operational Risk Management - to ensure they better manage operational risks and business disruptions.
The new CPS 230 Operational Risk Management Standard (CPS 230) sets out key requirements for managing operational risk, including updated requirements for business continuity and service provider management. Regulated firms must comply with the new standard by July 2025.
The CPS 230 standard is made up of three strategic pillars.
Source: APRA
Address all three of APRA's CPS 230 pillars while building an operationally resilient firm.
Stage 1 is identifying your critical operations and mapping out the processes and resources that support them. For each important service, break down critical processes into the resources that support them, mapping each process flow to understand its conditions and resource dependencies.
Use Ansarada GRC to:
Set clear impact tolerances for the maximum level of disruption you are willing to accept. Critical operations must be maintained within tolerance levels - before they cross into ‘intolerable harm’ - and calibrated with regular scenario testing.
Use Ansarada GRC to:
APRA requires robust scenario testing, using severe but plausible scenarios to assess your ability to remain within your defined impact tolerances. Find drivers, triggers and other factors to inspire useful scenarios in our AI-powered Scenario Library, which includes any mandatory testing required or suggested by APRA.
Coming soon to Ansarada GRC:
APRA-regulated firms must have BCPs in place that outline how the firm identifies, manages, and responds to disruptions within tolerance levels. These BCPs must be regularly tested with severe but plausible scenarios.
BCPs must include Disaster Recovery (DR) planning for critical information assets, ready to be activated during a disruption before returning to normal operations.
Use Ansarada GRC to:
Under CPS 230, firms must maintain a register of material service providers and manage risks associated with them. Regularly monitor material arrangements, assess performance, evaluate risk controls, and ensure compliance with the service provider agreement.
Use Ansarada GRC to:
There's only so far spreadsheets can take you when it comes to meeting your firm's Operational Resilience requirements. Manage current and future risk with purpose-built software.
Clear and easily accessible list of your critical operations and processes
Automatic creation, allocation and notification of scheduled reviews
Ad hoc reviews resulting from a material change to your business
Mapping to third parties to show relationship considerations
BI dashboards for high-level analysis
Scenario testing, recording findings and resolutions