In July 2022, APRA began consultations on the new draft Prudential Standard, CPS 230 Operational Risk Management (CPS 230). The new cross-industry standard consolidates five existing Prudential Standards on outsourcing (CPS/SPS/HPS 231) and business continuity management (CPS/SPS 232) across the banking, insurance, and superannuation industries. Together with the existing CPS 234 Information Security prudential standard, CPS 230 will form APRA’s proposed new operational resilience framework.
CPS 230 will introduce new requirements and enhance existing ones, particularly with respect to the role of the Board and senior management. The proposed changes are timely given the change not only in the regulatory landscape but in the industry itself. In response to the emergence of new and heightened risks, and an increasing prevalence of what were previously considered black swan events, regulators and regulated entities alike have been prompted to sharpen their focus on strengthening organisational operational resiliency.
To support the development of the final standard and against a backdrop of an evolving regulatory landscape, Deloitte prepared the attached consultation response. Based on our ongoing and global experience in operational resiliency and risk management, the response explores key considerations including APRA’s shift to principles- and outcomes-based regulation and the rise of the financial services ecosystem.
Currently, the finalisation of CPS 230 is expected by early 2023 with implementation from 1 January 2024. Should you wish to further discuss our response or the draft standard, please get in contact with our team.