The Australian Prudential Regulation Authority (APRA) is consulting on a new Prudential Standard designed to strengthen the management of operational risk in Australia’s banking, insurance, and superannuation industries.
The definition of operational risk
APRA defines operational risk as the potential for financial loss or material disruption as a result of inadequate or failed internal processes or systems, the actions of people, or external drivers and events, such as a pandemic or natural disaster.
The new Prudential Standard, CPS 230 Operational Risk Management
In a consultation package, APRA proposes to introduce a new cross-industry Prudential Standard, CPS 230 Operational Risk Management, which will set out minimum standards for managing operational risk, including updated requirements for business continuity and service provider management.
The proposed new standard includes requirements for regulated entities to:
- Maintain effective internal controls for operational risk, commensurate with the size, business mix and complexity of the activities they undertake;
- Be prepared and ready to ensure continued delivery of critical operations during periods of disruption; and
- Effectively manage the risks associated with the use of service providers.
The new standard will incorporate updated requirements for service provider management (currently outsourcing) and business continuity management that are now contained in prudential standards CPS 231 Outsourcing and CPS 232 Business Continuity Management (and the corresponding superannuation standards SPS 231 and SPS 232 and private health insurance standard HPS 231). These five standards will be replaced by the new CPS 230.
After reviewing industry feedback in response to the consultation, APRA expects to release the final CPS 230 early next year, before the new standard comes into force from 1st January 2024.
The consultation package is available here.
The deadline for consultation submissions is 21st October 2022.