4 minute read
APRA regulated organisations are required to submit a register of material service providers (MSPs) annually by CPS230 Operational Risk Management. The first submission is due October 1 2025, marking the largest collection of non-financial risk data by the regulator.
In September 2025 Battleground ran a voluntary benchmarking exercise to help clients and the broader community to understand how their submission compared to peers. This article summarises the observations from the benchmark and follow up discussions.
The aim of the benchmark was simple, answer these two questions:
- What, if any, data quality issues are in my submission?
- How does my data compare to peers?
26 organisations participated across superannuation, banking, and insurance.
Participants ranged in size and sophistication; from six significant financial institutions through to some of the smaller niche players.
There’s no right or wrong
CPS230 is a brand new standard, making this submission the first formal interaction with the regulator for many. As such there remains a lot of interpretation and learning for us all. We saw in the variety of interpretations that there is no definitive right or wrong for a lot of the information provided. The north star is being able to demonstrate to APRA that the choices made work for your business. All our conversations with participants focused on justifications rooted in business operations.
…except in data quality
Data quality is the one area closest to clear right and wrong. A little data cleaning goes a long way to avoid a request from APRA to resubmit.
Three areas stood out in our sample:
- correct understanding of the organisation submitting the form
- correct classification of the organisation type
- finding an ABN or LEI for every MSP
Double checking how APRA expects your return to be submitted is crucial. For example we encouraged superannuation participants to ensure they entered their RSE and not fund ABN, and participants with a mix of business lines were encouraged to confirm whether they classify as a group or whether they should submit separate registers per entity.
The regulator will likely be extremely strong on complete ABNs or LEIs in the list of MSPs as it needs unique identifiers to assess concentration risk. So we encouraged all participants to double efforts in finding ABNs or LEIs to limit the chance of receiving a follow-up email.
Materiality
Plenty of discussion was held over definitions of materiality, particularly the role of material arrangements. It is only material arrangements with material service providers that are captured by CPS230. Not all arrangements will be material. CPS230 is intended to capture those arrangements where an entity relies on a service provider to undertake a critical operation, or the arrangement introduces material operational risk. The assessment of reliance is key to the two step approach to defining materiality.
Granularity
The benchmark demonstrated significant variance in critical operations (COs) and their sub-types. Again, there is no definitive right or wrong but we helped participants articulate how the choices made work for their business. Roughly a third of participants excluded a stand-alone Systems and Infrastructure CO. Most of these participants had assessed that Systems and Infrastructure is inherent within all COs and therefore not standalone. Recommendations were made to justify how this decision improves CPS230 implementation.
Tolerance maturity
Tolerances were the least mature of the data elements captured in the submissions. We guided a lot of conversations in this area towards continuous improvement as the CPS230 embeds in FY26. Tolerance statements for minimum service levels were particularly varied. Some described tolerances but many missed key elements. Some absolutely didn’t describe tolerances, rather workarounds and plan B. We plan to deep dive into tolerance statements in the coming months.
Feedback
Participants were engaged, appreciative, and motivated to act on the benchmarking results. They valued the opportunity for further discussion and clarification, and are keen to ensure their data and interpretations align with best practices and regulatory expectations. Many asked if Battleground will repeat the exercise annually.
Get involved
The deep dive into tolerance statements will be accompanied by a look at concentration risk of MSPs. Keep your eyes peeled for those.
Though the deadline for submission to APRA has passed, there’s still time to participate. Reach out to below to discuss how to get involved. It is still worth understanding how your submission compares to peers and where the regulator could ask follow up questions.
You still have time to prepare justifications based on business operations. Also we expect to repeat this benchmark next year.
