Banks, insurers, and superannuation funds in Australia are now subject to heightened operational risk management standards as the Australian Prudential Regulation Authority (APRA) implements its new requirements. Effective from today, the Cross-industry Prudential Standard (CPS) 230 mandates that APRA-regulated entities enhance their preparation to maintain essential services for the community during unexpected disruptions.
CPS 230 stipulates several key actions that entities must take to ensure operational resilience. These include identifying vital business services and assessing their capacity to operate under severe disruptions; rigorously testing business continuity plans to uncover vulnerabilities; and bolstering third-party risk management by effectively identifying and addressing risks associated with critical service providers.
The need for robust operational resilience has grown increasingly significant, particularly given the financial system’s escalating interconnectedness and reliance on digital technologies. Moreover, recent geopolitical events have amplified risks, including cyber attacks and potential threats posed by malicious actors.
APRA Member Therese McCarthy Hockey highlighted the importance of CPS 230 in safeguarding the financial wellbeing of the community. “Australians depend on banking to pay for goods and services, insurance helps us rebuild after a flood or fire and pay for vital medical treatments, while superannuation supports us to maintain a dignified lifestyle in retirement. In an environment where one crashed server or ransomware attack could leave millions without access to these essential services, effective operational risk management is vital for financial stability and community wellbeing,” she said.
She further emphasised that entities must not only recognise their own vulnerabilities and devise mitigation strategies but also possess a comprehensive understanding of their most critical third-party service providers. “This will require an entirely new mindset about where the boundaries of responsibility sit,” she added.
In preparation for these new standards, APRA has collaborated closely with the industry over the last two years to ensure compliance readiness. However, smaller and less complex entities have been granted an additional 12 months to meet some of the requirements. Additionally, APRA expects each entity to compile a list of its most significant service providers, which will assist in identifying concentration risks across the financial services sector.