CPS 230: How to effectively meet process documentation requirements

Contents of this article include:
Understand CPS 230: gain insight around the mechanics and requirements of CPS 230, and what it will likely mean for your organisation, including timelines and responsibilities.
Consider the two mindsets around compliance to CPS 230: observe the broader institutional and cultural approaches to compliance, and consider whether and where a shift is necessary.
Learn about Holocentric: discover how partnering with Holocentric can help reduce the cost of managing ongoing compliance by up to 50%.

Having a proactive stance to implementing CPS 230 and harnessing technologies that will streamline compliance can have a transformative impact on your organisation. Tools that address aspects of CPS 230 by definition improve the effectiveness of risk management and reduce risk exposure. Holocentric has developed and is currently optimising a platform specifically for the operational risk management requirements of CPS 230, to help entities comply to the new standards faster, and more cost effectively.

This guide is first-and-foremost a roadmap to how CPS 230 will impact your organisation. At the tail end, we outline how we’d love to help.

With CPS 230 coming into effect in July 2025, banks, insurance companies, and superannuation providers have a significant task ahead to ensure compliance across operational risk management. Our position is that seeing CPS 230 as a burden is counterproductive. Operational risks cost organisations tens of billions in losses every year, and enhancing risk mitigation and avoidance means further reducing costs in the long term.

What is CPS 230?

The broad

Let’s start with the good news. APRA had intended to enforce CPS 230 from January 2024, but has since pushed the start date back to July 1, 2025. This means financial organisations have enough time — not only to implement changes that will address the requirements — but to do it properly.

The new regulations will impact almost all entities that fall under five categories: 1) authorised deposit-taking institutions, 2) general insurers, 3) life companies, 4) private health insurers, and 5) registrable superannuation entities.

In short, CPS 230 will mandate that all entities that fall within the above categories must 1) develop and maintain risk management frameworks, 2) enhance Board governance, accountability and oversight, 3) assess and control operational risks, 4) improve business continuity management and 5) uplift arrangements with service providers.

Chair of APRA John Lonsdale highlights that these changes are necessary in light of the significant risks that arise when adequate controls are not in place:

“The need for APRA’s new standard has been demonstrated by a number of recent operational risk control failures and disruptions, including material cyber breaches. This new standard will ensure that regulated entities set and test controls and maintain robust business continuity plans to respond if disruptions do occur.”

The timeline for implementation is:

  • July 2023        APRA releases final CPS 230
  • July 2024        Material service providers / critical operations identified
  • Q4 2024          Entities positioned to set tolerance levels
  • 1 July 2025      CPS 230 comes into effect
  • 1 July 2026      Transition ends for existing contracts with service providers

Given the above timeline and the significance of the changes involved, entities are well advised to begin getting their ducks in a row as soon as possible.

The nitty gritty

CPS 230 consolidates five existing Prudential Standards covering outsourcing and business continuity planning across banking, insurance and superannuation. CPS 230 will introduce new requirements and enhance existing requirements across three core areas:

Operational risk management

Entities must effectively manage operational risks, and set and maintain appropriate standards for conduct and compliance. Operational risks include (but are not limited to) legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk, and change management risk.

You’ll need to demonstrate:

  • clear management of operational risks
  • documentation of processes and resources needed to deliver critical operations, including people, technology, and service provider(s)
  • regular scenario analysis, risk profiling and assessments

Business continuity planning (BCP)

Entities must clearly identify critical operations, establish acceptable tolerance levels (e.g. maximum period of disruption), and maintain and test BCPs regularly.

You’ll need to demonstrate:

  • a register of critical operations (including reasonable steps to minimise the likelihood and impact of disruptions to critical operations);
  • a credible BCP that sets out how the entity would maintain its critical operations within tolerance levels through disruptions, including disaster recovery planning for critical information assets;
  • an ability to activate the BCP if needed in the event of a disruption; and
  • an ability to return to normal operations promptly after a disruption is over.

Service provider management

Entities must maintain a comprehensive service provider management policy. The policy must cover how the entity will identify material service providers and manage service provider arrangements, including the management of material risks associated with the arrangements. Entities must notify APRA of any new and changed arrangements with material service providers.

You’ll need to demonstrate:

  • a policy approach to entering into, monitoring, substituting and exiting agreements with material service providers;
  • a policy for managing the risks associated with material service providers; and
  • a policy for managing the risks associated with any fourth parties that material service providers rely on to deliver a critical operation to the APRA-regulated entity.

There is a common trifecta across all categories:

  • Process: specific policies and guidelines must be put in place, with accountability assigned.
  • Documentation: all processes must be complete, accurate and sufficiently detailed to support risk management (e.g. identification of risks, scenario analysis, etc.).
  • Monitoring: processes and documentation must be regularly reviewed, updated and supplied to APRA on an ongoing basis.

Significance

Operational, or non-financial, risks should not be taken lightly. Such risks have led to an average of A$36.7 billion of losses in financial institutions globally per annum since 2016 (see Cornwell, 2023). As Allen Berger [et al.] have analysed at length, operational risk is far more systemic than often thought, and the problems are being exacerbated by the increased risk of cyber attacks, the impacts of the COVID-19 pandemic, and global climate change (for more on this, see https://www.rba.gov.au/publications/fsr/2022/oct/australian-financial-system.html). Since widespread financial institution losses can impose significant negative externalities on the economy and overall household wealth (as the GFC clearly demonstrated), operational risk needs to be understood as a potential catalyst for far-reaching consequences.

But where there is risk, there is opportunity.

On the one hand, mitigating operational risk via compliance with CPS 230 is a prudent step to avoiding loss (both internal and external). Simultaneously, making positive steps toward compliance effectively bolsters operational efficiency. Putting in place processes to avoid operational risks now not only means reducing costs in the long term — it means putting in place frameworks (processes, people and technologies) that support growth and innovation, that effectively facilitate better oversight of the business, and that future-proof against inevitable changes in regulation over the horizon. With this in mind, financial organisations would be well advised to shift from a reactive stance of mere box-checking to a proactive stance of setting in place new structures for better business processes overall.

What it means for you
Implementation

CPS 230 is broad in scope, but it needs to be fastidiously customised in application.

You will need to 1) identify critical processes

Entities will be required to identify and document the processes and resources needed to deliver critical operations, including people, technology, information, facilities and service providers, the interdependencies across them, and the associated risks, obligations, key data, and controls. This work must establish clear lines of accountability for risks, obligations, key data and controls, as well as for potential issues or incidents that could arise.

Note: importantly, this should include identifying end-to-end processes for operations that are not necessarily critical but nevertheless could expose an entity to material operational risk, such as distribution channels.

Start by defining your core business processes (those that broadly create value for your customers and clients, stakeholders, and employees). You can use tools like scenario analysis, benchmarking, gap analysis, or SWOT analysis to compare your processes with best practices, standards, or competitors. Once your critical processes are mapped out, prioritise them in line with your vision, mission, and values, as well as key performance indicators (KPIs) and targets.

You will need to 2) ensure processes are complete, accurate and sufficiently detailed to support risk management (e.g. identification of risks, scenario analysis, etc.)

Entities will be expected to hold and be able to provide clear documentation of the above critical processes. You can use tools like flowcharts, diagrams, or project management software to capture all relevant variables: steps, inputs, outputs, roles, and resources involved in each process.

You will need to 3) ensure accessibility and updates

Entities will be required to review all critical process maps for completeness and accuracy, and to keep them updated where there are changes in the business or risks.

You will need to 4) integrate them with business continuity plans (BCPs)

An entity’s Business Continuity Plans must set out how it would maintain its critical operations within tolerance levels through disruptions, including disaster recovery planning for critical information assets. In addition to holding the BCP, an entity is expected to activate its BCP if needed in the event of a disruption, and to return to normal operations promptly after a disruption is over. The BCP needs to clearly stipulate appropriate tolerance levels for critical operations (covering tolerance for time of disruption, data loss, and minimum service levels during disruption).

Responsibilities

The Board

The Board of an APRA-regulated entity is ultimately accountable for:

  • oversight of an entity’s operational risk management (including business continuity and the management of service provider arrangements);
  • ensuring that the APRA-regulated entity sets clear roles and responsibilities for Senior Managers for operational risk management;
  • providing regular updates on the APRA-regulated entity’s operational risk profile;
  • ensuring senior management takes action as required to address any areas of concern;
  • approving BCP and tolerance levels for disruptions to critical operations;
  • reviewing results of testing and the execution of findings; and
  • approving the service provider management policy, and reviewing risk and performance reporting on material arrangements.

Senior Management

Senior Management of an APRA-regulated entity is ultimately accountable for:

  • integrating operational risk management across the end-to-end process for all business operations;
  • defining roles and responsibilities with respect to operational risk management for Senior Management across the entity;
  • setting granular tolerance levels and indicators that are consistent with, and do not undermine, the Board-approved levels;
  • approving elements of BCPs, provided they are consistent with, and aligned to, the overall BCP; and
  • ensuring the operational risk management framework operates effectively and is regularly updated.

Staff and Teams

Staff and teams of an APRA-regulated entity are ultimately accountable for:

  • control testing that is monitored to ensure completion, with exceptions identified, escalated and remediated. Such testing would typically include the objectives, scope, approach, success criteria, frequency and roles and responsibilities for testing controls (to be conducted by staff and teams independent of those with operational responsibility for the controls being validated).

Roll-on effects

CPS 230 is not set and forget; it will require consistent monitoring and refinement. Risks must be considered on a regular basis, and appropriate controls must be put in place, together with robust management and monitoring. The roll-on effects are going to be increased managerial oversight, potential increases to staff costs and workloads, and the imperative for novel technologies to bridge the gap. In addition, APRA expects particularly rigorous due diligence for crypto-assets, which are considered high risk. In short, CPS 230 has significant implications not only in the short term, but for the long-term management of financial organisations.

Practical Guide to addressing CPS 230
The importance of data integration

Risk assessments are more than just checkbox exercises; regulatory bodies want assessments backed by actual data, specific to the entity under assessment. Since APRA seeks to gain insights into the level of aggregated risk for each process, and to ensure risks are being managed responsibly, integrating multiple information sources (risk, suppliers, etc.) is a crucial step to ensuring diligent compliance for APRA, and a manageable workload internally.

Organisations should leverage internal operational and incident data to model how causal factors influence the probability of operational risk events. Where technology can be used to integrate real data back into the overall management system, this should be strongly considered, particularly where the costs of integration are less than a) the cost of failure to comply and b) the cost of ongoing, manual data mining.

Streamlining the process

Holocentric are collaborating with regulated entities to develop tailored features that streamline CPS 230 compliance and to help organisations meet the challenges of operational risk, reducing costs in the process.

The Holocentric dashboard is custom designed to streamline compliance, using visual heatmaps, demonstrating coverage of risks, controls, accountability and service providers across critical operations. The platform is powerful, intuitive, and designed to be used by various stakeholders simultaneously (up to and including all levels of staff), with custom access controls, the ability to map processes and workflows, while receiving notifications of management updates in real time.

Workflows can be visualised through multiple macro and micro lenses depending on preference and use case, including process maps, step-by-step views, RASCI views of aggregated responsibilities, and more. Users can access the detailed work instructions, systems, tools and documents needed to complete processes, while amendments to process steps are approved by senior management and notified to users. Significantly, the Holocentric dashboard is a powerful modelling tool, allowing teams to conduct regular scenario analysis with a few clicks, as well as risk profiling and assessments — not only demonstrating compliance externally, but reducing the workload for compliance internally.

The two mindsets to meeting CPS 230

Extensive research by the University of Melbourne — based on interviews of 22 Senior and General Managers in the four major Australian banks — has revealed that Australian banks find Business Process Compliance a significant hurdle, in large part due to a culture of ‘fail-fix’: waiting for things to go wrong before significant change is implemented. Nigel Adams [et al.] describe this as a ‘tick-the-box’ culture, whereby ‘people mechanically follow a process whether it is right or wrong to avoid blame.’

As with all significant changes to regulatory frameworks, organisations cannot be blamed for seeing CPS 230 as a hurdle to overcome, if not a burden to bear. But there is significant opportunity in meeting regulation in a proactive way that lays the groundwork for meeting future regulations, while optimising business processes right now.

The way we see it, there are two broad mindsets around meeting CPS 230:

  • Reactive: short-term, manual, and sees regulation as tick boxes.
  • Proactive: long-term, data-driven, optimised and integrated across the organisation.

A reactive stance to CPS 230 (and to compliance more generally) is unlikely to lead to internal benefits for entities trying to comply. By shifting toward a proactive stance in implementing change for CPS 230, financial organisations have a chance to instrumentalise business change for the long term.

In the eyes of APRA, unsurprisingly, entities need to be proactive in implementation:

“We expect regulated entities to be proactive in preparing for implementation, rather than waiting until the last minute to get ready to meet the new requirements,” Mr Lonsdale said.

But this isn’t quite enough.

The most significant benefits to be realised from undergoing change to address CPS 230 are going to come from entities being proactive not only in speed, but in approach. Instrumentalising long-term, optimised, integrated, data-driven change across the organisation can have transformative business effects. In the words of Adams [et al.], ‘banks must be able to see the complexity to chart a course to untangle the spaghetti.’ Meeting CPS 230 is crucial, but in this light it’s something of an ancillary benefit of effecting larger-scale organisational change.

Our data to date shows the cost of managing ongoing compliance is up to 50% lower with Holocentric.

Addressing compliance with Holocentric automatically unlocks additional savings. Our clients often start by addressing compliance and subsequently reap benefits in other areas. Using Holocentric’s platform, organisations have been able to:

  • Increase efficiency by 25%
  • Increase time to effectiveness for new starters
  • Drive business continuity across posting cycles
  • Reduce costs of transformation by 10-30%
  • Reduce future process improvement costs and cycle time by 30-60%

From burden to benefit

CPS 230 is mandatory. But it should be viewed as an opportunity: a benefit rather than a burden. Working with our clients, the team at Holocentric is helping facilitate a shift from a reactive toward a proactive stance on operational risk management.

Please reach out to us for a demonstration of our software, and see how Holocentric can not only help streamline compliance to CPS 230, but reduce costs and drive efficiency throughout your organisation.

Book your Holocentric demo today!

© Copyright 2023 - Holocentric - All Rights Reserved