
By 1 July 2025, insurers and all other entities regulated by the Australian Prudential Regulation Authority (APRA) must be ready to comply with CPS 230, a prudential standard designed to strengthen operational resilience.
CPS 230 will replace several existing standards and consolidate requirements for managing operational risk, including outsourcing and business continuity management. It calls for robust systems in place to ensure the effective management of operational risks.
“The new standard sets some significant expectations,” says Lizzi Long, general manager for Sales, Data Centre and Business Continuity at Interactive, an IT company that specialises in enhancing efficiency and productivity.
“The strong emphasis on operational risk management calls for a detailed, proactive approach to understanding and managing risks.
“Senior management and boards will not only be responsible for setting tolerance levels for disruptions but also for staying hands-on to maintain operations during crises. Another key focus is managing third-party risks, so insurers need to ensure their vendor relationships are solid, reliable and fully compliant.”
Disruptions to businesses increase
Rody Posthuma, lead partner, Asia-Pacific Financial Services, Technology Risk, at EY, sees CPS 230 as a response to the escalating frequency and intensity of disruptions.
“As organisations increasingly rely on technology and external partners, disruptions can have severe consequences for customers — for example, they might not be able to access funds for life-saving medication,” he says.
“The new standard shifts the emphasis from rapid recovery to maintaining a minimum level of service for customers during disruptions, prioritising their needs even when dealing with third-party service providers. The requirement reflects a global push for enhanced safety and stability in the sector.”
The first step to meeting CPS 230 standards involves gaining a clear picture of the current risk landscape.
“That means identifying critical areas such as IT systems, operational processes and key personnel dependencies,” says Long.
Understanding tolerance levels
Insurers also need to establish their own tolerance levels.
“Insurers must determine the maximum acceptable level of disruption before it significantly affects customers or the business itself,” says Posthuma.
“This involves identifying the thresholds that, if crossed, could lead to material adverse impacts on clients, the organisation or the broader financial system.”
He advises insurers to use scenario analysis to simulate severe operational risks and gauge their potential impact.
“This process helps test resilience, pinpoint areas for new or improved controls and develop effective mitigation strategies,” he says.
“The focus is on maintaining service continuity within these tolerance levels rather than merely prioritising the rapid restoration of individual functions.”
Managing operations in the moment
It follows that business continuity plans (BCPs) will need to evolve from simple recovery strategies to dynamic, in-the-moment operational continuity.
“Insurers will need to shift their focus from ‘getting back to normal’ to ‘staying operational’ even in the midst of disruptions,” says Long.
“This means having comprehensive, regularly updated plans that clearly define roles across all levels and involve senior management in real-time decision-making.”
BCPs must evolve to recover entire value chains rather than just isolated operations.
“This transformation requires a broader scope, defined disruption tolerance levels and systematic testing of critical operations,” says Posthuma.
“Relying on recovery time objectives alone won't cut it. BCPs must adapt to ensure resilience in today's interconnected world.”
Monitoring supply chains
If they are to keep up with CPS 230’s emphasis on third-party risk management, insurers must establish robust vendor management practices.
“This means setting clear expectations with vendors and formalising these through well-defined contracts,” says Long.
“Insurers can also use technology tools to monitor their supply chains, set up regular performance checks and run audits on critical vendors to verify they meet CPS 230 standards.
“Regular communication with vendors and including contractual clauses that require compliance with APRA’s guidelines can help mitigate risks related to third-party providers.”
Posthuma sees a challenge in gaining transparency, especially when dealing with unregulated entities.
“For larger organisations, formal assurance reports, such as system and organisation controls [SOC] or SOC reports, may become more common,” he says.
“To ensure compliance across the entire portfolio, insurers should maintain a service provider register to help identify and update the list and manage the associated risks.
“They should also formalise all arrangements with legally binding contracts, outlining performance expectations, risk management and compliance requirements. From there, regular due diligence, audits and scenario testing can evaluate service providers’ ongoing performance and compliance.”
Proactive compliance
Long believes ongoing compliance with CPS 230 will require a proactive, structured approach.
“Staying in close communication with APRA, and staying updated on any regulatory changes, will also be essential,” she says.
Posthuma advises insurers to treat CPS 230 compliance as a comprehensive, organisation-wide endeavour.
“Collaboration across departments is vital, with a focus on steady progress rather than immediate perfection, as compliance will be an ongoing journey,” he says. “It’s vital that you treat this as a dedicated project, separate from daily operations.
“The 2025 deadline necessitates a concentrated effort, not an attempt to simultaneously optimise all processes. The initial goal should be to lay a strong compliance foundation, followed by continuous improvement and streamlining systems in the subsequent phases.”
More than just a checklist, CPS 230 could be seen as an opportunity for insurers to build a culture of resilience.
“Taking these new guidelines seriously will not only enhance compliance but also lead to stronger customer trust and a more adaptable business overall,” says Long.
“If insurers use CPS 230 as a framework to continually assess and improve their resilience strategies, they’ll be better positioned to handle whatever challenges come their way in the future.”