
Banking, Insurance, Life Insurance, Health Insurance and Superannuation (prudential standard) determination No. 2 of 2023
Prudential Standard CPS 230 Operational Risk Management
Banking Act 1959
Insurance Act 1973
Life Insurance Act 1995
Private Health Insurance (Prudential Supervision) Act 2015
Superannuation Industry (Supervision) Act 1993
I, John Lonsdale, a delegate of APRA:
(a) under subsections 11AF(3) of the Banking Act, 32(4) of the Insurance Act, and 230A(5) of the Life Insurance Act, REVOKE Banking, Insurance and Life Insurance (prudential standard) determination No. 6 of 2016 including Prudential Standard CPS 231 Outsourcing made under that determination;
(b) under subsections 11AF(3) of the Banking Act, 32(4) of the Insurance Act, and 230A(5) of the Life Insurance Act, REVOKE Banking, Insurance and Life Insurance (prudential standard) determination No. 7 of 2016 including Prudential Standard CPS 232 Business Continuity Management made under that determination;
(c) under subsection 92(5) of the PHIPS Act, REVOKE Health Insurance (prudential standard) determination No. 4 of 2015, including Prudential Standard HPS 231 Outsourcing made under that determination;
(d) under subsection 34C(6) of the SIS Act, REVOKE Superannuation (prudential standard) determination No. 3 of 2012 including Prudential Standard SPS 231 Outsourcing made under that determination, and Superannuation (prudential standard) determination No. 4 of 2012 including Prudential Standard SPS 232 Business Continuity Management made under that determination;
(e) under subsection 11AF(1) of the Banking Act, DETERMINE the prudential standard which applies to all ADIs and authorised banking NOHCs;
(f) under subsection 32(1) of the Insurance Act, DETERMINE the prudential standard which applies to all general insurers and authorised insurance NOHCs and subsidiaries of general insurers and authorised insurance NOHCs;
(g) under subsection 230A(1) of the Life Insurance Act, DETERMINE the prudential standard which applies to all life companies, including friendly societies, and registered NOHCs;
(h) under subsection 92(1) of the PHIPS Act, DETERMINE the prudential standard which applies to all private health insurers; and
(i) under subsection 34C(1) of the SIS Act, DETERMINE the prudential standard which applies to all RSE licensees.
This instrument commences on 1 July 2025.
Date: 11 September 2023
John Lonsdale
Chair
APRA
Interpretation
In this Determination:
ADI has the meaning given in section 5 of the Banking Act.
APRA means the Australian Prudential Regulation Authority.
authorised banking NOHC has the meaning given to the expression authorised NOHC in section 5 of the Banking Act.
authorised insurance NOHC has the meaning given to the expression authorised NOHC in subsection 3(1) of the Insurance Act.
friendly society has the meaning given in section 16C of the Life Insurance Act.
general insurer has the meaning given in section 11 of the Insurance Act.
life company has the meaning given in the Schedule to the Life Insurance Act.
private health insurer has the meaning given in section 4 of the PHIPS Act.
registered NOHC has the meaning given in the Schedule to the Life Insurance Act.
RSE licensee has the meaning given in subsection 10(1) of the SIS Act.
the Banking Act means the Banking Act 1959.
the Insurance Act means the Insurance Act 1973.
the Life Insurance Act means the Life Insurance Act 1995.
the PHIPS Act means the Private Health Insurance (Prudential Supervision) Act 2015.
the prudential standard means Prudential Standard CPS 230 Operational Risk Management in the form set out in the Schedule.
the SIS Act means the Superannuation Industry (Supervision) Act 1993.
Schedule
Prudential Standard CPS 230 Operational Risk Management comprises the document commencing on the following page.
1. This Prudential Standard is made under:
(a) section 11AF of the Banking Act 1959 (Banking Act);
(b) section 32 of the Insurance Act 1973 (Insurance Act);
(c) section 230A of the Life Insurance Act 1995 (Life Insurance Act);
(d) section 92 of the Private Health Insurance (Prudential Supervision) Act 2015 (PHIPS Act); and
(e) section 34C of the Superannuation Industry (Supervision) Act 1993 (SIS Act).
Application and commencement
2. This Prudential Standard applies to all APRA-regulated entities defined as:
(a) authorised deposit-taking institutions (ADIs), including foreign ADIs, and non-operating holding companies authorised under the Banking Act (authorised banking NOHCs);
(b) general insurers, including Category C insurers, non-operating holding companies authorised under the Insurance Act (authorised insurance NOHCs) and parent entities of Level 2 insurance groups;
(c) life companies, including friendly societies, eligible foreign life insurance companies (EFLICs) and registered NOHCs;
(d) private health insurers registered under the PHIPS Act; and
(e) registrable superannuation entity licensees (RSE licensees) under the SIS Act in respect of their business operations.
3. The obligations imposed by this Prudential Standard on, or in relation to, a foreign ADI, a Category C insurer and an EFLIC apply only in relation to the Australian branch operations of that entity.
4. Where an APRA-regulated entity is the Head of a group, it must comply with a requirement of this Prudential Standard:
(a) in its capacity as an APRA-regulated entity;
(b) by ensuring that the requirement is applied appropriately throughout the group, including in relation to entities that are not APRA-regulated; and
(c) on a group basis.
5. In applying the requirements of this Prudential Standard on a group basis, references to an APRA-regulated entity are to be read as ‘Head of a group’ and references to entity are to be read as ‘group’.
6. This Prudential Standard commences on 1 July 2025.
7. Where an APRA-regulated entity has pre-existing contractual arrangements in place with a service provider, the requirements in this Prudential Standard will apply in relation to those arrangements from the earlier of the next renewal date of the contract with the service provider or 1 July 2026.
Interpretation
8. Terms that are defined in Prudential Standard APS 001 Definitions, Prudential Standard GPS 001 Definitions, Prudential Standard LPS 001 Definitions, Prudential Standard HPS 001 Definitions or Prudential Standard 3PS 001 Definitions appear in bold the first time they are used in this Prudential Standard.
9. In this Prudential Standard, unless the contrary intention appears, a reference to an Act, Regulation or Prudential Standard is a reference to the Act, Regulation or Prudential Standard as in force from time to time.
10. Where this Prudential Standard provides for APRA to exercise a power or discretion, the power or discretion is to be exercised in writing.
Adjustments and exclusions
11. APRA may adjust or exclude a specific prudential requirement in this Prudential Standard in relation to an APRA-regulated entity.
Key requirements
12. An APRA-regulated entity must:
(a) effectively manage its operational risks, and set and maintain appropriate standards for conduct and compliance;
(b) maintain its critical operations within tolerance levels through severe disruptions; and
(c) manage the risks associated with the use of service providers.
13. An APRA-regulated entity must identify, assess and manage operational risks that may result from inadequate or failed internal processes or systems, the actions or inactions of people or external drivers and events. Operational risk is inherent in all products, activities, processes and systems.
14. An APRA-regulated entity must, to the extent practicable, prevent disruption to critical operations, adapt processes and systems to continue to operate within tolerance levels in the event of a disruption and return to normal operations promptly once a disruption is over.
15. An APRA-regulated entity must not rely on a service provider unless it can ensure that in doing so it can continue to meet its prudential obligations in full and effectively manage the associated risks.
Risk management framework
16. As part of its risk management framework required under Prudential Standard CPS 220 Risk Management (CPS 220) and Prudential Standard SPS 220 Risk Management (SPS 220), an APRA-regulated entity must develop and maintain:
(a) governance arrangements for the oversight of operational risk;
(b) an assessment of its operational risk profile, with a defined risk appetite supported by indicators, limits and tolerance levels;
(c) internal controls that are designed and operating effectively for the management of operational risks;
(d) appropriate monitoring, analysis and reporting of operational risks and escalation processes for operational incidents and events;
(e) business continuity plan(s) (BCPs) that set out how the entity would identify, manage and respond to a disruption within tolerance levels and are regularly tested with severe but plausible scenarios; and
(f) processes for the management of service provider arrangements.
17. As part of the required reviews of the risk management framework under CPS 220 and SPS 220, an APRA-regulated entity must review its operational risk management. The reviews must cover those aspects of operational risk management set out in paragraph 16.
18. Operational risk management must be integrated into an APRA-regulated entity’s overall risk management framework and processes. Business continuity planning must be consistent with, and not conflict with or undermine, an APRA-regulated entity’s recovery and exit planning.
19. Where APRA considers that an APRA-regulated entity’s operational risk management has material weaknesses, APRA may:
(a) require an independent review of the entity’s operational risk management;
(b) require the entity to develop a remediation program;
(c) require the entity to hold additional capital, as relevant;
(d) impose conditions on the entity’s licence; and
(e) take other actions required in the supervision of this Prudential Standard.
Roles and responsibilities
20. The Board of an APRA-regulated entity is ultimately accountable for oversight of an entity’s operational risk management. This includes business continuity and the management of service provider arrangements.
21. The Board must ensure that the APRA-regulated entity sets clear roles and responsibilities for senior managers for operational risk management, including business continuity and the management of service provider arrangements.
22. The Board must:
(a) oversee operational risk management and the effectiveness of key internal controls in maintaining the entity’s operational risk profile within risk appetite. The Board must be provided with regular updates on the APRA-regulated entity’s operational risk profile and ensure senior management takes action as required to address any areas of concern;
(b) approve the BCP and tolerance levels for disruptions to critical operations, review the results of testing and oversee the execution of any findings; and
(c) approve the service provider management policy, and review risk and performance reporting on material service providers.
23. Senior management of an APRA-regulated entity must provide clear and comprehensive information to the Board on the expected impacts on the entity’s critical operations when the Board is making decisions that could affect the resilience of critical operations.
Operational risk management
24. An APRA-regulated entity must manage its full range of operational risks, including but not limited to legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk and change management risk. Senior management are responsible for operational risk management across the end-to-end process for all business operations.
25. An APRA-regulated entity must maintain appropriate and sound information and information technology (IT) capability to meet its current and projected business requirements and to support its critical operations and risk management. In managing technology risks, an APRA-regulated entity must monitor the age and health of its information assets and meet the requirements for information security in Prudential Standard CPS 234 Information Security (CPS 234).
Operational risk profile and assessment
26. An APRA-regulated entity must assess the impact of its business and strategic decisions on its operational risk profile and operational resilience, as part of its business and strategic planning processes. This must include an assessment of the impact of new products, services, geographies and technologies on its operational risk profile.
27. An APRA-regulated entity must maintain a comprehensive assessment of its operational risk profile. As part of this, an APRA-regulated entity must:
(a) maintain appropriate and effective information systems to monitor operational risk, compile and analyse operational risk data and facilitate reporting to the Board and senior management;
(b) identify and document the processes and resources needed to deliver critical operations, including people, technology, information, facilities and service providers, the interdependencies across them, and the associated risks, obligations, key data and controls; and
(c) undertake scenario analysis to identify and assess the potential impact of severe operational risk events, test its operational resilience and identify the need for new or amended controls and other mitigation strategies.
28. An APRA-regulated entity must conduct a comprehensive risk assessment before providing a material service to another party, to ensure that the APRA-regulated entity is able to continue to meet its prudential obligations after entering into the arrangement. APRA may require an APRA-regulated entity to review and strengthen internal controls or processes where APRA considers there to be heightened prudential risks in such circumstances.
Operational risk controls
29. An APRA-regulated entity must design, implement and embed internal controls to mitigate its operational risks in line with its risk appetite and meet its compliance obligations.
30. An APRA-regulated entity must regularly monitor, review and test controls for design and operating effectiveness, the frequency of which must be commensurate with the materiality of the risks being controlled. The results of testing must be reported to senior management and any gaps or deficiencies in the control environment must be rectified in a timely manner.
31. An APRA-regulated entity must remediate material weaknesses in its operational risk management, including control gaps, weaknesses and failures. This remediation must be supported by clear accountabilities and assurance and address the root causes of weaknesses in a timely manner. An APRA-regulated entity must include identified control gaps, weaknesses and failures in its operational risk profile until such matters are remediated.
Operational risk incidents
32. An APRA-regulated entity must ensure that operational risk incidents and near misses are identified, escalated, recorded and addressed in a timely manner. An APRA-regulated entity must take incidents and near misses into account in its assessment of its operational risk profile and control effectiveness in a timely manner.
33. An APRA-regulated entity must notify APRA as soon as possible, and not later than 72 hours, after becoming aware of an operational risk incident that it determines to be likely to have a material financial impact or a material impact on the ability of the entity to maintain its critical operations.
Business continuity
34. An APRA-regulated entity must:
(a) define, identify and maintain a register of its critical operations;
(b) take reasonable steps to minimise the likelihood and impact of disruptions to its critical operations;
(c) maintain a credible BCP that sets out how it would maintain its critical operations within tolerance levels through disruptions, including disaster recovery planning for critical information assets;
(d) activate its BCP if needed in the event of a disruption; and
(e) return to normal operations promptly after a disruption is over.
Critical operations and tolerance levels
35. Critical operations are processes undertaken by an APRA-regulated entity or its service provider which, if disrupted beyond tolerance levels, would have a material adverse impact on its depositors, policyholders, beneficiaries or other customers, or its role in the financial system.
36. An APRA-regulated entity must, at a minimum, classify the following business operations as critical operations, unless it can justify otherwise:
(a) for an ADI: payments, deposit-taking and management, custody, settlements and clearing;
(b) for an insurer (general, life, private health): claims processing;
(c) for an RSE licensee: investment management and fund administration; and
(d) for all APRA-regulated entities: customer enquiries and the systems and infrastructure needed to support critical operations.
37. APRA may require an APRA-regulated entity, or a class of APRA-regulated entities, to classify a business operation as a critical operation.
38. For each critical operation, an APRA-regulated entity must establish tolerance levels for:
(a) the maximum period of time the entity would tolerate a disruption to the operation;
(b) the maximum extent of data loss the entity would accept as a result of a disruption; and
(c) minimum service levels the entity would maintain while operating under alternative arrangements during a disruption.
39. APRA may require an APRA-regulated entity to review and change its tolerance levels for a critical operation. APRA may set tolerance levels for an APRA-regulated entity, or a class of APRA-regulated entities, where it identifies a heightened risk or material weakness.
Business continuity plan
40. An APRA-regulated entity’s BCP must include:
(a) the register of critical operations and associated tolerance levels;
(b) triggers to identify a disruption and prompt activation of the plan, and arrangements to direct resources in the event of activation;
(c) actions it would take to maintain its critical operations within tolerance levels through disruptions;
(d) an assessment of the execution risks, required resources, preparatory measures, including key internal and external dependencies needed to support the effective implementation of the BCP actions; and
(e) a communications strategy to support execution of the plan.
41. An APRA-regulated entity must maintain the capabilities required to execute the BCP, including access to people, resources and technology. An APRA-regulated entity must monitor compliance with its tolerance levels and report any failure to meet tolerance levels, together with a remediation plan, to the Board.
42. An APRA-regulated entity must notify APRA as soon as possible, and not later than 24 hours after, if it has suffered a disruption to a critical operation outside tolerance. The notification must cover the nature of the disruption, the action taken, the likely impact on the entity’s business operations and the timeframe for returning to normal operations.
Testing and review
43. An APRA-regulated entity must have a systematic testing program for its BCP that covers all critical operations and includes an annual business continuity exercise. The program must test the effectiveness of the entity’s BCP and its ability to meet tolerance levels in a range of severe but plausible scenarios.
44. The testing program must be tailored to the material risks of the APRA-regulated entity and include a range of severe but plausible scenarios, including disruptions to services provided by material service providers and scenarios where contingency arrangements are required. APRA may require the inclusion of an APRA-determined scenario in a business continuity exercise for an APRA-regulated entity, or a class of APRA-regulated entities.
45. An APRA-regulated entity must update, as necessary, its BCP on an annual basis to reflect any changes in legal or organisational structure, business mix, strategy or risk profile or for shortcomings identified as a result of the review and testing of the BCP.
46. An APRA-regulated entity’s internal audit function must periodically review the entity’s BCP and provide assurance to the Board that the BCP sets out a credible plan for how the entity would maintain its critical operations within tolerance levels through severe disruptions and that testing procedures are adequate and have been conducted satisfactorily.
Service provider management
47. An APRA-regulated entity must maintain a comprehensive service provider management policy. The policy must cover how the entity will identify material service providers and manage service provider arrangements, including the management of material risks associated with the arrangements.
48. The policy must include:
(a) the entity’s approach to entering into, monitoring, substituting and exiting agreements with material service providers;
(b) the entity’s approach to managing the risks associated with material service providers; and
(c) the entity’s approach to managing the risks associated with any fourth parties that material service providers rely on to deliver a critical operation to the APRA-regulated entity.
Material service providers
49. An APRA-regulated entity must identify and maintain a register of its material service providers and manage the material risks associated with using these providers. Material service providers are those on which the entity relies to undertake a critical operation or that expose it to material operational risk. Material arrangements are those on which the entity relies to undertake a critical operation or that expose it to material operational risk.
50. An APRA-regulated entity must, at a minimum, classify a provider of the following services as a material service provider, unless it can justify otherwise:
(a) for an ADI: credit assessment, funding and liquidity management and mortgage brokerage;
(b) for an insurer (general, life, private health): underwriting, claims management, insurance brokerage and reinsurance;
(c) for an RSE licensee: fund administration, custodial services, investment management and arrangements with promoters and financial planners; and
(d) for all APRA-regulated entities: risk management, core technology services and internal audit.
51. An APRA-regulated entity must submit its register of material service providers to APRA on an annual basis.
52. APRA may require an APRA-regulated entity, or a class of APRA-regulated entities, to classify a service provider, type of service provider or service provider arrangement as material.
Service provider agreements
53. Before entering into or materially modifying a material arrangement, an APRA-regulated entity must:
(a) undertake appropriate due diligence, including an appropriate selection process and an assessment of the ability of the service provider to provide the service on an ongoing basis; and
(b) assess the financial and non-financial risks from reliance on the service provider, including risks associated with geographic location or concentration of the service provider(s) or parties the service provider relies on in providing the service.
54. For all material arrangements, an APRA-regulated entity must maintain a formal legally binding agreement (formal agreement). The formal agreement must, at a minimum:
(a) specify the services covered by the agreement and associated service levels;
(b) set out the rights, responsibilities and expectations of each party to the agreement, including in relation to the ownership of assets, ownership and control of data, dispute resolution, audit access, liability and indemnity;
(c) include provisions to ensure the ability of the entity to meet its legal and compliance obligations;
(d) require notification by the service provider of its use of other material service providers that it materially relies upon in providing the service to the APRA-regulated entity through sub-contracting or other arrangements;
(e) require the liability for any failure on the part of any sub-contractor to be the responsibility of the service provider;
(f) include a force majeure provision indicating those parts of the contract that would continue in the case of a force majeure event; and
(g) termination provisions including, but not limited to, the right to terminate the arrangement in its entirety or in part. For an RSE licensee, termination provisions must include the ability for the RSE licensee to terminate the arrangement where to continue the arrangement would be inconsistent with the RSE licensee’s duty to act in the best financial interests of beneficiaries (refer to subsection 52(2)(c) of the SIS Act).
55. The formal agreement must also include provisions that:
(a) allow APRA access to documentation, data and any other information related to the provision of the service;
(b) allow APRA the right to conduct an on-site visit to the service provider; and
(c) ensure the service provider agrees not to impede APRA in fulfilling its duties as prudential regulator.
56. For each material arrangement an APRA-regulated entity must:
(a) identify and manage risks that could affect the ability of the service provider to provide the service on an ongoing basis;
(b) identify and manage risks to the APRA-regulated entity that could result from the arrangement, such as step-in risk or contagion risk;
(c) ensure it can execute its BCP if needed; and
(d) ensure it can conduct an orderly exit from the arrangement if needed.
57. APRA may require an APRA-regulated entity to review and make changes to a service provider arrangement where it identifies heightened prudential concerns.
Monitoring, notifications and review
58. An APRA-regulated entity must monitor and ensure that senior management receive reporting on material arrangements commensurate with the nature and usage of the service. This monitoring must include a regular assessment of:
(a) performance under the service agreement with reference to agreed service levels;
(b) the effectiveness of controls to manage the risks associated with the use of the service provider; and
(c) compliance of both parties with the service provider agreement.
59. An APRA-regulated entity must notify APRA:
(a) as soon as possible and not more than 20 business days after entering into or materially changing an agreement for the provision of a service on which the entity relies to undertake a critical operation; and
(b) prior to entering into any material offshoring arrangement, or when there is a significant change proposed to the arrangement, including in circumstances where data or personnel relevant to the service being provided will be located offshore.
60. An APRA-regulated entity’s internal audit function must review any proposed material arrangement involving the outsourcing of a critical operation. The internal audit function must regularly report to the Board or Board Audit Committee on compliance of such arrangements with the entity’s service provider management policy.