Table of contents
Prudential standard
CPS 230 Operational Risk Management
-
Final not yet in force1 July 2025
Prudential framework pillars
About this standard
This standard requires an entity to effectively manage its operational risks. Entities must be able to maintain critical operations through disruptions and manage the risks arising from service providers.
This standard supports CPS 220 Risk Management, which is a core standard in the Risk Management Pillar. It applies to all entities.
Objectives and key requirements of this Prudential Standard
The aim of this Prudential Standard is to ensure that an APRA-regulated entity is resilient to operational risks and disruptions. An APRA-regulated entity must effectively manage its operational risks, maintain its critical operations through disruptions, and manage the risks arising from service providers.
An APRA-regulated entity’s approach to operational risk must be appropriate to its size, business mix and complexity. The key requirements of this Prudential Standard are that an APRA-regulated entity must:
- identify, assess and manage its operational risks, with effective internal controls, monitoring and remediation;
- be able to continue to deliver its critical operations within tolerance levels through severe disruptions, with a credible business continuity plan (BCP); and
- effectively manage the risks associated with service providers, with a comprehensive service provider management policy, formal agreements and robust monitoring.
Preamble
Banking, Insurance, Life Insurance, Health Insurance and Superannuation (prudential standard) determination No. 2 of 2023
Prudential Standard CPS 230 Operational Risk Management
Banking Act 1959
Insurance Act 1973
Life Insurance Act 1995
Private Health Insurance (Prudential Supervision) Act 2015
Superannuation Industry (Supervision) Act 1993
I, John Lonsdale, a delegate of :
under subsections 11AF(3) of , 32(4) of , and 230A(5) of , REVOKE Banking, Insurance and Life Insurance (prudential standard) determination No. 6 of 2016 including Prudential Standard CPS 231 Outsourcing made under that determination;
under subsections 11AF(3) of the Banking Act, 32(4) of the Insurance Act, and 230A(5) of the Life Insurance Act, REVOKE Banking, Insurance and Life Insurance (prudential standard) determination No. 7 of 2016 including Prudential Standard CPS 232 Business Continuity Management made under that determination;
under subsection 92(5) of , REVOKE Health Insurance (prudential standard) determination No. 4 of 2015, including Prudential Standard HPS 231 Outsourcing made under that determination;
under subsection 34C(6) of , REVOKE Superannuation (prudential standard) determination No. 3 of 2012 including, Prudential Standard SPS 231 Outsourcing made under that determination, and Superannuation (prudential standard) determination No. 4 of 2012 including Prudential Standard SPS 232 Business Continuity Management made under that determination;
under subsection 11AF(1) of the Banking Act, DETERMINE the prudential standard which applies to all ADIs and authorised banking NOHCs;
under subsection 32(1) of the Insurance Act, DETERMINE which applies to all general insurers and authorised insurance NOHCs and subsidiaries of general insurers and authorised insurance NOHCs;
under subsection 230A(1) of the Life Insurance Act, DETERMINE the prudential standard which applies to all life companies, including friendly societies, and registered NOHCs;
under subsection 92(1) of the PHIPS Act, DETERMINE the prudential standard which applies to all private health insurers; and
under subsection 34C(1) of the SIS Act, DETERMINE the prudential standard which applies to all RSE licensees.
This instrument commences on 1 July 2025.
Date: 11 September 2023
John Lonsdale
Chair
APRA
Interpretation
In this Determination:
ADI has the meaning given in section 5 of the Banking Act.
APRA means the Australian Prudential Regulation Authority.
authorised banking NOHC has the meaning given to the expression authorised NOHC in section 5 of the Banking Act.
authorised insurance NOHC has the meaning given to the expression authorised NOHC in subsection 3(1) of the Insurance Act.
friendly society has the meaning given in section 16C of the Life Insurance Act.
general insurer has the meaning given in section 11 of the Insurance Act.
life company has the meaning given in the Schedule to the Life Insurance Act.
private health insurer has the meaning given in section 4 of the PHIPS Act.
registered NOHC has the meaning given in the Schedule to the Life Insurance Act.
RSE licensee has the meaning given in subsection 10(1) of the SIS Act.
the Banking Act means the Banking Act 1959.
the Insurance Act means the Insurance Act 1973.
the Life Insurance Act means the Life Insurance Act 1995.
the PHIPS Act means the Private Health Insurance (Prudential Supervision) Act 2015.
the prudential standard means Prudential Standard CPS 230 Operational Risk Management in the form set out in the Schedule.
the SIS Act means the Superannuation Industry (Supervision) Act 1993.
Schedule
Prudential Standard CPS 230 Operational Risk Management comprises the document commencing on the following page.
Prudential Standard CPS 230
Operational Risk Management
Authority
This Prudential Standard is made under:
section 11AF of the Banking Act 1959 (Banking Act);
section 32 of the Insurance Act 1973 (Insurance Act);
section 230A of the Life Insurance Act 1995 (Life Insurance Act);
section 92 of the Private Health Insurance (Prudential Supervision) Act 2015 (PHIPS Act); and
section 34C of the Superannuation Industry (Supervision) Act 1993 (SIS Act).
Application and commencement
This Prudential Standard applies to all APRA-regulated entities defined as:
authorised deposit-taking institutions (ADIs), including foreign ADIs, and non-operating holding companies authorised under the Banking Act (authorised banking NOHCs);
general insurers, including Category C insurers, non-operating holding companies authorised under the Insurance Act (authorised insurance NOHCs) and parent entities of Level 2 insurance groups;
life companies, including friendly societies, eligible foreign life insurance companies (EFLICs) and registered NOHCs;
private health insurers registered under the PHIPS Act; and
registrable superannuation entity licensees (RSE licensees) under the SIS Act in respect of their business operations.
The obligations imposed by this Prudential Standard on, or in relation to, a foreign , a Category C insurer and an EFLIC apply only in relation to the Australian branch operations of that entity.
Where an APRA-regulated entity is the Head of a group, it must comply with a requirement of this Prudential Standard:
in its capacity as an APRA-regulated entity;
by ensuring that the requirement is applied appropriately throughout the group, including in relation to entities that are not APRA-regulated; and
on a group basis.
In applying the requirements of this Prudential Standard on a group basis, references to an APRA-regulated entity are to be read as ‘Head of a group’ and references to entity are to be read as ‘group’.
This Prudential Standard commences on 1 July 2025.
Where an APRA-regulated entity has pre-existing contractual arrangements in place with a service provider, the requirements in this Prudential Standard will apply in relation to those arrangements from the earlier of the next renewal date of the contract with the service provider or 1 July 2026.
Interpretation
Terms that are defined in Prudential Standard APS 001 Definitions, Prudential Standard GPS 001 Definitions, Prudential Standard LPS 001 Definitions, Prudential Standard HPS 001 Definitions or Prudential Standard 3PS 001 Definitions appear in bold the first time they are used in this Prudential Standard.
In this Prudential Standard, unless the contrary intention appears, a reference to an Act, Regulation or Prudential Standard is a reference to the Act, Regulation or Prudential Standard as in force from time to time.
Where this Prudential Standard provides for APRA to exercise a power or discretion, the power or discretion is to be exercised in writing.
Adjustments and exclusions
APRA may adjust or exclude a specific prudential requirement in this Prudential Standard in relation to an APRA-regulated entity.
APRA
APRA means the Australian Prudential Regulation Authority.
the Banking Act
the Banking Act means the Banking Act 1959.
the Insurance Act
the Insurance Act means the Insurance Act 1973.
the Life Insurance Act
the Life Insurance Act means the Life Insurance Act 1995.
the PHIPS Act
the PHIPS Act means the Private Health Insurance (Prudential Supervision) Act 2015.
the SIS Act
the SIS Act means the Superannuation Industry (Supervision) Act 1993.
the prudential standard
the prudential standard means Prudential Standard CPS 230 Operational Risk Management in the form set out in the Schedule.
[1]
RSE licensee has the meaning given in subsection 10(1) of the SIS Act. For the purposes of this Prudential Standard, an RSE licensee’s business operations includes all activities of an RSE licensee, including the activities of each RSE of which it is the licensee, and all other activities of the RSE licensee to the extent that they are relevant to, or may impact on, its activities as an RSE licensee.
ADI
ADI has the meaning given in section 5 of the Banking Act.
[2]
Where a Level 2 group operates within a Level 3 group, a requirement expressed as applying to a Head of a group is to be read as applying to the Level 3 Head.
[3]
Group means a Level 2 group, Level 3 group or a group comprising the RSE licensee and all connected entities (as defined in subsection 10(1) of the SIS Act) and all related bodies corporate (with the meaning given in section 50 of the Corporations Act 2001) of the RSE licensee, as relevant. Level 2 group means the entities that comprise Level 2 (for ADIs) or Level 2 insurance groups (for general insurers). For the avoidance of doubt, group includes a group as defined in APS 001 and, for an RSE licensee, where the RSE licensee is part of a corporate group.
[4]
Refer to subsection 11AF(2) of the Banking Act, subsection 32(3D) of the Insurance Act, subsection 230A(4) of the Life Insurance Act, subsection 92(4) of the PHIPS Act and subsection 34C(5) of the SIS Act.
Key principles
An APRA-regulated entity must:
effectively manage its operational risks, and set and maintain appropriate standards for conduct and compliance;
maintain its critical operations within tolerance levels through severe disruptions; and
manage the risks associated with the use of service providers.
An APRA-regulated entity must identify, assess and manage operational risks that may result from inadequate or failed internal processes or systems, the actions or inactions of people or external drivers and events. Operational risk is inherent in all products, activities, processes and systems.
An APRA-regulated entity must, to the extent practicable, prevent disruption to critical operations, adapt processes and systems to continue to operate within tolerance levels in the event of a disruption and return to normal operations promptly once a disruption is over.
An APRA-regulated entity must not rely on a service provider unless it can ensure that in doing so it can continue to meet its prudential obligations in full and effectively manage the associated risks.
Risk management framework
As part of its risk management framework required under Prudential Standard CPS 220 Risk Management (CPS 220) and Prudential Standard SPS 220 Risk Management (SPS 220), an APRA-regulated entity must develop and maintain:
governance arrangements for the oversight of operational risk;
an assessment of its operational risk profile, with a defined risk appetite supported by indicators, limits and tolerance levels;
internal controls that are designed and operating effectively for the management of operational risks;
appropriate monitoring, analysis and reporting of operational risks and escalation processes for operational incidents and events;
business continuity plan(s) (BCPs) that set out how the entity would identify, manage and respond to a disruption within tolerance levels and are regularly tested with severe but plausible scenarios; and
processes for the management of service provider arrangements.
Operational risk management must be integrated into an APRA-regulated entity’s overall risk management framework and processes. Business continuity planning must be consistent with, and not conflict or undermine, an APRA-regulated entity’s recovery and exit planning.
[6]
Where APRA considers that an APRA-regulated entity’s operational risk management has material weaknesses, APRA may:
require an independent review of the entity’s operational risk management;
require the entity to develop a remediation program;
require the entity to hold additional capital, as relevant;
[7]
For an RSE licensee, APRA may require an RSE licensee to meet an ORFR target amount determined by APRA under Prudential Standard SPS 114 Operational Risk Financial Requirement.
impose conditions on the entity’s licence; and
take other actions required in the supervision of this Prudential Standard.
Roles and responsibilities
The Board of an APRA-regulated entity is ultimately accountable for oversight of an entity’s operational risk management. This includes business continuity and the management of service provider arrangements.
[8]
For an RSE licensee, a reference to the Board is to be read as a reference to the Board of directors or group of individual trustees of an RSE licensee, as applicable. ‘Group of individual trustees’ has the meaning given in subsection 10(1) of the SIS Act. A reference to the Board in the case of a foreign ADI is a reference to the senior officer outside Australia.
The Board must ensure that the APRA-regulated entity sets clear roles and responsibilities for senior managers for operational risk management, including business continuity and the management of service provider arrangements.
[9]
Senior manager in relation to life insurers has the meaning given in the Life Insurance Act, `and in relation to RSE licensees has the meaning given in Prudential Standard SPS 520 Fit and Proper.
The Board must:
oversee operational risk management and the effectiveness of key internal controls in maintaining the entity’s operational risk profile within risk appetite. The Board must be provided with regular updates on the APRA-regulated entity’s operational risk profile and ensure senior management takes action as required to address any areas of concern;
approve the BCP and tolerance levels for disruptions to critical operations, review the results of testing and oversee the execution of any findings; and
approve the service provider management policy, and review risk and performance reporting on material service providers.
Senior management of an APRA-regulated entity must provide clear and comprehensive information to the Board on the expected impacts on the entity’s critical operations when the Board is making decisions that could affect the resilience of critical operations.
Operational risk management
An APRA-regulated entity must manage its full range of operational risks, including but not limited to legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk and change management risk. Senior management are responsible for operational risk management across the end-to-end process for all business operations.
An APRA-regulated entity must maintain appropriate and sound information and information technology (IT) capability to meet its current and projected business requirements and to support its critical operations and risk management. In managing technology risks, an APRA-regulated entity must monitor the age and health of its information assets and meet the requirements for information security in Prudential Standard CPS 234 Information Security (CPS 234).
Operational risk profile and assessment
An APRA-regulated entity must assess the impact of its business and strategic decisions on its operational risk profile and operational resilience, as part of its business and strategic planning processes. This must include an assessment of the impact of new products, services, geographies and technologies on its operational risk profile.
[10]
Refer to Prudential Standard SPS 515 Strategic Planning and Member Outcomes for requirements applying to an RSE licensee with respect to strategic objectives and business planning.
An APRA-regulated entity must maintain a comprehensive assessment of its operational risk profile. As part of this, an APRA-regulated entity must:
maintain appropriate and effective information systems to monitor operational risk, compile and analyse operational risk data and facilitate reporting to the Board and senior management;
identify and document the processes and resources needed to deliver critical operations, including people, technology, information, facilities and service providers, the interdependencies across them, and the associated risks, obligations, key data and controls; and
undertake scenario analysis to identify and assess the potential impact of severe operational risk events, test its operational resilience and identify the need for new or amended controls and other mitigation strategies.
An APRA-regulated entity must conduct a comprehensive risk assessment before providing a material service to another party, to ensure that the APRA-regulated entity is able to continue to meet its prudential obligations after entering into the arrangement. APRA may require an APRA-regulated entity to review and strengthen internal controls or processes where APRA considers there to be heightened prudential risks in such circumstances.
Operational risk controls
An APRA-regulated entity must design, implement and embed internal controls to mitigate its operational risks in line with its risk appetite and meet its compliance obligations.
An APRA-regulated entity must regularly monitor, review and test controls for design and operating effectiveness, the frequency of which must be commensurate with the materiality of the risks being controlled. The results of testing must be reported to senior management and any gaps or deficiencies in the control environment must be rectified in a timely manner.
An APRA-regulated entity must remediate material weaknesses in its operational risk management, including control gaps, weaknesses and failures. This remediation must be supported by clear accountabilities and assurance and address the root causes of weaknesses in a timely manner. An APRA-regulated entity must include identified control gaps, weaknesses and failures in its operational risk profile until such matters are remediated.
Operational risk incidents
An APRA-regulated entity must ensure that operational risk incidents and near misses are identified, escalated, recorded and addressed in a timely manner. An APRA-regulated entity must take incidents and near misses into account in its assessment of its operational risk profile and control effectiveness in a timely manner.
An APRA-regulated entity must notify APRA as soon as possible, and not later than 72 hours, after becoming aware of an operational risk incident that it determines to be likely to have a material financial impact or a material impact on the ability of the entity to maintain its critical operations.
[11]
A notification of an information security incident reported under CPS 234 does not need to be separately reported under the notification requirements of this Prudential Standard.
Business continuity
An APRA-regulated entity must:
define, identify and maintain a register of its critical operations;
take reasonable steps to minimise the likelihood and impact of disruptions to its critical operations;
maintain a credible BCP that sets out how it would maintain its critical operations within tolerance levels through disruptions, including disaster recovery planning for critical information assets;
[12]
An entity may have a number of BCPs. A BCP may include separate crisis management plans and disaster recovery plans.
activate its BCP if needed in the event of a disruption; and
return to normal operations promptly after a disruption is over.
Critical operations and tolerance levels
Critical operations are processes undertaken by an APRA-regulated entity or its service provider which, if disrupted beyond tolerance levels, would have a material adverse impact on its depositors, policyholders, beneficiaries or other customers, or its role in the financial system.
An APRA-regulated entity must, at a minimum, classify the following business operations as critical operations, unless it can justify otherwise:
for an ADI: payments, deposit-taking and management, custody, settlements and clearing;
for an insurer (general, life, private health): claims processing;
for an : investment management and fund administration; and
RSE licensee
RSE licensee has the meaning given in subsection 10(1) of the SIS Act.
for all APRA-regulated entities: customer enquiries and the systems and infrastructure needed to support critical operations.
APRA may require an APRA-regulated entity, or a class of APRA-regulated entities, to classify a business operation as a critical operation.
For each critical operation, an APRA-regulated entity must establish tolerance levels for:
the maximum period of time the entity would tolerate a disruption to the operation;
the maximum extent of data loss the entity would accept as a result of a disruption; and
minimum service levels the entity would maintain while operating under alternative arrangements during a disruption.
APRA may require an APRA-regulated entity to review and change its tolerance levels for a critical operation. APRA may set tolerance levels for an APRA-regulated entity, or a class of APRA-regulated entities, where it identifies a heightened risk or material weakness.
Business continuity plan
An APRA-regulated entity’s BCP must include:
the register of critical operations and associated tolerance levels;
triggers to identify a disruption and prompt activation of the plan, and arrangements to direct resources in the event of activation;
actions it would take to maintain its critical operations within tolerance levels through disruptions;
an assessment of the execution risks, required resources, preparatory measures, including key internal and external dependencies needed to support the effective implementation of the BCP actions; and
a communications strategy to support execution of the plan.
An APRA-regulated entity must maintain the capabilities required to execute the BCP, including access to people, resources and technology. An APRA-regulated entity must monitor compliance with its tolerance levels and report any failure to meet tolerance levels, together with a remediation plan, to the Board.
[13]
Capabilities required to execute the BCP may be maintained within the APRA-regulated entity or via an agreement with another party. For the avoidance of doubt, such agreements with other parties must meet the requirements for management of service providers arrangements in this Prudential Standard.
An APRA-regulated entity must notify APRA as soon as possible, and not later than 24 hours after, if it has suffered a disruption to a critical operation outside tolerance. The notification must cover the nature of the disruption, the action taken, the likely impact on the entity’s business operations and the timeframe for returning to normal operations.
Testing and review
An APRA-regulated entity must have a systematic testing program for its BCP that covers all critical operations and includes an annual business continuity exercise. The program must test the effectiveness of the entity’s BCP and its ability to meet tolerance levels in a range of severe but plausible scenarios.
The testing program must be tailored to the material risks of the APRA-regulated entity and include a range of severe but plausible scenarios, including disruptions to services provided by material service providers and scenarios where contingency arrangements are required. APRA may require the inclusion of an APRA-determined scenario in a business continuity exercise for an APRA-regulated entity, or a class of APRA-regulated entities.
An APRA-regulated entity must update, as necessary, its BCP on an annual basis to reflect any changes in legal or organisational structure, business mix, strategy or risk profile or for shortcomings identified as a result of the review and testing of the BCP.
An APRA-regulated entity’s internal audit function must periodically review the entity’s BCP and provide assurance to the Board that the BCP sets out a credible plan for how the entity would maintain its critical operations within tolerance levels through severe disruptions and that testing procedures are adequate and have been conducted satisfactorily.
Management of service provider arrangements
An APRA-regulated entity must maintain a comprehensive service provider management policy. The policy must cover how the entity will identify material service providers and manage service provider arrangements, including the management of material risks associated with the arrangements.
The policy must include:
the entity’s approach to entering into, monitoring, substituting and exiting agreements with material service providers;
the entity’s approach to managing the risks associated with material service providers; and
the entity’s approach to managing the risks associated with any fourth parties that material service providers rely on to deliver a critical operation to the APRA-regulated entity.
[14]
A fourth party is a party that a service provider relies on in delivering services to an APRA-regulated entity.
Material service providers
An APRA-regulated entity must identify and maintain a register of its material service providers and manage the material risks associated with using these providers. Material service providers are those on which the entity relies to undertake a critical operation or that expose it to material operational risk. Material arrangements are those on which the entity relies to undertake a critical operation or that expose it to material operational risk.
[15]
A material service provider may be a third party, related party or connected entity. A service provider may be identified as material as a result of an individual arrangement or multiple arrangements with an APRA-regulated entity.
An APRA-regulated entity must, at a minimum, classify a provider of the following services as a material service provider, unless it can justify otherwise:
for an ADI: credit assessment, funding and liquidity management and mortgage brokerage;
for an insurer (general, life, private health): underwriting, claims management, insurance brokerage and reinsurance;
for an RSE licensee: fund administration, custodial services, investment management and arrangements with promoters and financial planners; and
for all APRA-regulated entities: risk management, core technology services and internal audit.
An APRA-regulated entity must submit its register of material service providers to APRA on an annual basis.
APRA may require an APRA-regulated entity, or a class of APRA-regulated entities, to classify a service provider, type of service provider or service provider arrangement as material.
Service provider agreements
Before entering into or materially modifying a material arrangement, an APRA-regulated entity must:
undertake appropriate due diligence, including an appropriate selection process and an assessment of the ability of the service provider to provide the service on an ongoing basis; and
assess the financial and non-financial risks from reliance on the service provider, including risks associated with geographic location or concentration of the service provider(s) or parties the service provider relies on in providing the service.
For all material arrangements, an APRA-regulated entity must maintain a formal legally binding agreement (formal agreement). The formal agreement must, at a minimum:
specify the services covered by the agreement and associated service levels;
set out the rights, responsibilities and expectations of each party to the agreement, including in relation to the ownership of assets, ownership and control of data, dispute resolution, audit access, liability and indemnity;
include provisions to ensure the ability of the entity to meet its legal and compliance obligations;
require notification by the service provider of its use of other material service providers that it materially relies upon in providing the service to the APRA-regulated entity through sub-contracting or other arrangements;
require the liability for any failure on the part of any sub-contractor to be the responsibility of the service provider;
include a force majeure provision indicating those parts of the contract that would continue in the case of a force majeure event; and
termination provisions including, but not limited to, the right to terminate both the arrangement in its entirety or parts of the arrangement. For an RSE licensee, termination provisions must include the ability for the RSE licensee to terminate the arrangement where to continue the arrangement would be inconsistent with the RSE licensee’s duty to act in the best financial interests of beneficiaries (refer to subsection 52(2)(c) of the SIS Act).
The formal agreement must also include provisions that:
allow APRA access to documentation, data and any other information related to the provision of the service;
allow APRA the right to conduct an on-site visit to the service provider; and
ensure the service provider agrees not to impede APRA in fulfilling its duties as prudential regulator.
For each material arrangement an APRA-regulated entity must:
identify and manage risks that could affect the ability of the service provider to provide the service on an ongoing basis;
identify and manage risks to the APRA-regulated entity that could result from the arrangement, such as step-in risk or contagion risk;
ensure it can execute its BCP if needed; and
ensure it can conduct an orderly exit from the arrangement if needed.
APRA may require an APRA-regulated entity to review and make changes to a service provider arrangement where it identifies heightened prudential concerns.
Monitoring, notifications and review
An APRA-regulated entity must monitor and ensure that senior management receive reporting on material arrangements commensurate with the nature and usage of the service. This monitoring must include a regular assessment of:
performance under the service agreement with reference to agreed service levels;
the effectiveness of controls to manage the risks associated with the use of the service provider; and
compliance of both parties with the service provider agreement.
An APRA-regulated entity must notify APRA:
as soon as possible and not more than 20 business days after entering into or materially changing an agreement for the provision of a service on which the entity relies to undertake a critical operation; and
prior to entering into any material offshoring arrangement, or when there is a significant change proposed to the arrangement, including in circumstances where data or personnel relevant to the service being provided will be located offshore.
[16]
Material offshoring arrangement means a material arrangement where the service provided is undertaken outside Australia. Offshoring includes arrangements where the service provider is incorporated in Australia, but the physical location of the service being provided is undertaken outside Australia. Offshoring does not include arrangements where the physical location of a service is performed within Australia, but the service provider is not incorporated in Australia.
An APRA-regulated entity’s internal audit function must review any proposed material arrangement involving the outsourcing of a critical operation. The internal audit function must regularly report to the Board or Board Audit Committee on compliance of such arrangements with the entity’s service provider management policy.