Request a Demo

Fill in the form below and we will contact you shortly to organised your personalised demonstration of the Noggin platform.
Request a Demo

Meet Noggin

An integrated resilience workspace that seamlessly integrates 10 core solutions into one, easy-to-use software platform.

Business Continuity
Business Continuity
Operational Resilience
Operational Resilience
Crisis Communications
Crisis Communications
operational risk management
Operational Risk Management
Crisis & Incident Management
Crisis & Incident Management
Third-Party Risk Management
Third-Party Risk Management
Emergency Management
Emergency Management
WHS-hard hat
Safety Management
Investigations and Case Management
Investigations & Case Management
Security - padlock
Security Management

The Noggin Platform

The world's leading integrated resilience workspace for risk and business continuity management, operational resilience, incident & crisis management, and security & safety operations.

Learn More

Industries

Explore Noggin's integrated resilience software, purpose-built for any industry.

Aviation
Aviation & Airports
Construction
Construction
Counter Terrorism
Counter-Terrorism
Care Services
Care Services
Education
Education
Financial Services
Financial Services
Healthcare
Healthcare & Hospitals
Manufacturing
Manufacturing
Mining Oil & Gas
Mining, Oil & Gas
Government
Public Safety & Government
Retail & Hospitality
Retail & Hospitality
Technology
Technology
Transportation
Transportation
Utilities
Utilities
Venues & Entertainment
Venues & Entertainment
Resilience Management Buyers Guide - Thumbnail
A Resilience Management Software Buyer's Guide
Access the Guide

Who We Are

The world’s leading platform for integrated safety & security management.

Learn More

APRA CPS 230 is Final: Here’s what you should know

An independent statutory authority, the Australian Prudential Regulation Authority (APRA) supervises financial and related institutions across the banking, insurance, and superannuation sectors. As the failure of just one of its regulated institutions can undermine the stability of the financial system entirely, APRA is obliged to maintain a low incidence of failure.

That’s historically meant interventions in business continuity, information security, and outsourcing policy – but not operational risk management. In July of 2023, though, that changed.

APRA sets an operational risk management standard

What happened? APRA released for consultation a new prudential standard, CPS 230, designed to strengthen the management of operational risk in the banking, insurance, and superannuation industries.

Since then, the standard has gone into force. It’s now set to officially commence 1 July 2025. As a result, APRA will now be setting out minimum standards for managing operational risk, including updated requirements for business continuity and service provider management.

What you should know about APRA CPS 230

So, what’s happening?

Well, the purpose of the latest prudential standard is to ensure that regulated entities remain resilient to operational risks and disruptions, to maintain critical operations through disruptions, and manage risks arising from service providers.

Relevant threats, here, include the full range of operational risks, consisting of but not limited to legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk, reputational risk, and change management risk.

To avoid such risks, APRA mandates regulated entities maintain appropriate and sound information and information-technology infrastructure to meet current and projected business requirements and support critical operations and risk management.

How? APRA’s requirements include:

  • Identify, assess, and manage operational risks, with effective internal controls, monitoring, and remediation
  • Be able to continue to deliver critical operations within tolerance levels through severe disruptions, with a credible business continuity plan (BCP)
  • Effectively manage the risks associated with service providers, with a comprehensive service provider management policy, formal agreements, and robust monitoring

APRA CPS 230 roles and responsibilities

Who, then, is tasked with ensuring compliance? That would be the entity’s Board. For purposes of compliance, the Board will be considered accountable for the oversight of operational risk management, as well as business continuity, and the management of service provider arrangements.

As a result, the Board has its work cut out for it. Per the Standard, the Board will have to ensure that the entity sets clear roles and responsibilities for senior managers as it relates to operational risk management.

Those senior managers, in turn, will be responsible for operational risk management on a day-to-day basis, across end-to-end processes for all business operations. Nevertheless, senior managers will have to provide information to the Board on the expected impacts on the entity’s critical operations when the Board must make decisions affecting the resilience of said operations.

Further Board responsibilities include:

  • Oversee operational risk management and the effectiveness of key internal controls in maintaining the entity’s operational risk profile within risk appetite. The Board must be provided with regular updates on the APRA-regulated entity’s operational risk profile and ensure senior management takes action as required to address any areas of concern
  • Approve the BCP and tolerance levels for disruptions to critical operations, review the results of testing and oversee the execution of any findings
  • Approve the service provider management policy, and review risk and performance reporting on material service providers

Of course, those only scratch the surface of entity requirements. What else should financial entities know about APRA CPS 230 to ensure they meet the 2025 compliance date, download our Introductory Guide to APRA CPS 230: Operational Risk Management.

 

New call-to-action 

About this Article

The Author