ICYMI: The Australian Prudential Regulation Authority (APRA) has announced the final Prudential Standard CPS 230 Operational Risk Management, which is slated to become effective on July 1, 2025. CPS 230 was developed following an industry consultation that commenced in July 2022 with the primary goal of improving the management of operational risks in the financial sector.
Although the Australian financial services market has remained relatively isolated from the recent financial crises, it has faced a number of high-profile cyber incidents. CPS 230 aims to enhance the resilience of regulated financial entities, enabling them to withstand disruptions, whether they are related to cyber threats or other operational risks. To enhance operational risk management, CPS 230 extends previous regulations to cover fourth-party providers (vendors' vendors).
Under these guidelines, APRA-regulated entities must set out to manage operational risks and maintain appropriate standards for conduct and compliance. The responsibility now lies with board members of organizations to effectively mitigate potential operational risk. Each regulated entity must define its risk appetite and tolerance levels and formulate plans to ensure they operate within these predefined limits. Notably, these requirements also apply to reputational risks arising from damage to public trust and confidence in a firm.
With the introduction of the new regulation, Australia has a unique opportunity to learn from the banking turmoil experienced in the first quarter of the year. With one of the primary causes of the failures being unmitigated operational risk, and reputational risks specifically, banks would be wise to become proactive regarding their management of these risks prior to the 2025 deadline.