APRA’s new Operational Risk Management Prudential Standard, CPS 230, which was recently finalised and will come into effect on 1 July 2025, is driving considerable focus across banking, superannuation and insurance.
APRA have made their expectations clear…
The standard codifies APRA’s expectations about how regulated entities will understand their critical operations, manage their operational risks, and maintain the capability to deal with disruption. The standard also underlines a necessary shift in mindset for these organisations – requiring them to think about their operations from end-to-end, and not just within their organisational boundaries, but also considering key suppliers.
In her recent speech (APRA Member Therese McCarthy Hockey – GRC2023 | APRA), APRA member Therese McCarthy Hockey turned up the heat on APRA’s expectations around CPS 230. The speech underlined some key points that every APRA regulated entity will need to consider closely over the coming months.
She underlined the need for financial institutions to recognise the integral role they play, co-ordinating a complex chain of processes, people and technology across a range of separate commercial entities to service their customers.
APRA have also made it clear that they are not prepared for a re-run of the challenges that regulated entities have had in establishing and embedding compliance with the recently introduced Information Security Standard, CPS 234. Even four years after it came into effect, gaps remain in many organisations’ capability to demonstrate unquestionably strong technology controls.
The timeline to July 2025 may appear generous, but the volume of work that will need to be undertaken should not be underestimated, particularly because operational risk and resilience permeate the entire organisation. This is magnified by the need to engage and negotiate with key suppliers to ensure the end-to-end organisation is robust.
Demonstrating that you have a clear understanding of the gaps to meeting CPS 230’s requirements sustainably, and a robust plan to close those gaps, will not be enough. APRA will be looking for progress being made, and lessons learned.
So… how to respond
Much has been made of APRA turning up the heat on regulated entities in meeting their CPS 230 requirements now, including through the referencing of the 1995 movie “Heat” starring Al Pacino.
While APRA are turning up the heat, regulated entities are better advised to look four years down the track in Al Pacino’s career when planning their response, and ensure they are building resilience inch by inch.
When CPS 230 was released for consultation, my early view was that, like many regulatory pressures, there were two paths to compliance.
One path was to seek to understand how the requirements of the standard can be built into the organisation, how sustainable compliance with the standard can become a part of the way the organisation operates. Simply put, build resilience into your day-to-day operations, piece by piece, from the bottom up. Inch by inch.
The other was to wait and meet a minimum baseline on the due date. This was the approach that many organisations took to CPS 234, looking to bolt on rather than build in.
I believe the first path is still open to organisations. However, those who have not yet taken significant steps to understand their gap, in both capabilities and mindset, and to close that gap have only a short window in which to start if they wish to take the first path.
What are the challenges, and where are organisations today?
In our work, we have been able to talk with many APRA regulated entities about their progress towards CPS 230. We see three main cohorts emerging:
- Firstly, a small number of organisations (maybe up to 15%) are well underway with their CPS 230 efforts. A clear case for change has been defined and agreed, and work has commenced in earnest.
- Secondly, we see a majority of organisations (maybe around 70%) who have done some work (a gap analysis, perhaps a plan) but have yet to commence the next phase of work in earnest. These organisations are at risk of coming off the path to sustainable compliance if further material progress is not made soon.
- Finally, a small group of organisations (around 15% again) where very little progress has been made. These organisations can get on the path to sustainable compliance, but must quickly regain lost ground.
We know that CPS 230 presents a range of technical and organisational challenges for regulated entities, and the work to meet those challenges will be significant.
Get in touch today with the team at Battleground to help you understand how you can make the necessary progress, inch by inch.