3 Questions About CPS 230, the New Operational Resilience Standard

Aug 3, 2023

CPS 230, recently released by the Australia Prudential Regulation Authority (APRA), has gained prominence alongside similar standards aimed to promote operational resilience. Operational resilience refers to an organization’s capacity to withstand and adapt to operational disruptions (whether anticipated or unexpected) while ensuring continuity of critical functions. It has emerged as a vital framework for effectively managing risks and safeguarding business continuity despite adversity.

Regulators view cyber resilience as a crucial component of operational resilience. Just last week the Security and Exchange Commission (SEC) formalized new disclosure and governance rules related to cyber security. Under the new rules, public companies are now required to disclose material cyber breaches/incidents within four days of determining the impact, among other requirements.

In a recent webinar, Navigating Operational Resilience, SAI360 presented key drivers behind CPS 230 and new findings and market influences on operational resilience. Below are three key questions this webinar addressed.

1. What is the CPS 230 Framework?

CPS 230 was developed by APRA in response to a number of incidents in Australia’s financial sector. It provides a comprehensive framework for operational resilience by emphasizing risk identification, robust controls, and transparent reporting. CPS 230 takes into account a wide range of operational risks, including internal and external fraud, cybersecurity, business disruptions, and regulatory noncompliance.

The official standards were released in July 2023, but APRA extended the implementation deadline from January 1, 2024, to July 1, 2025. This extension grants organizations additional time to adequately prepare for the implementation of the standard.

The standards apply to financial institutions including banks, life insurance companies, and general insurance companies, among others. Even if a business or firm within a group structure is not directly regulated by APRA, if the head of the group is an APRA-regulated entity, controls and compliance requirements of the new standard will still be applied to those businesses.

2. What are CPS 230’s key challenges?

The implementation of CPS 230 presents challenges, notably accountability. APRA mandates senior management accountability, extending from the Board to executives. Mere compliance won’t suffice; evidence of demonstrable controls, assurance, and policy adherence is essential to avoid financial repercussions.

In addition, establishing a comprehensive internal controls program and understanding incident management, response, and recovery is important. Organizations will need robust continuity plans that are regularly tested, as well as access to sufficient resources for effective execution.

Finally, management of service providers has to be prioritized. Organizations must have a comprehensive understanding of vendors and how they impact services, including material service providers and those who deliver critical services. Policies and procedures must be well-defined and adhered to.

3. What are other key trends to know?

Outside of Australia and CPS 230, there are other developing international regulations and actions by regulators affecting how organizations will need to incorporate operational resilience. One notable example is that the SEC has identified Operational Resilience as a priority for the 2023 Exam schedule.

In 2021, the UK Financial Conduct Authority issued Operational Resilience Guidelines to aid firms in preventing, adapting to, responding to, recovering from, and learning from operational disruptions. In Europe, the Digital Operational Resilience Act (DORA) by the European Banking Authority shares these aims. These developments heighten expectations for regulated entities to enhance their incident response, business continuity, third-party risk management, and risk practices.

Regulators publish and audit these new standards for a reason. COVID-19 exposed fragile supply chains, impacting goods and financial returns. Natural disasters like wildfires, hurricanes, and flooding led businesses to relocate and seek alternative suppliers. Additionally, the emphasis on digital transformation and data management exposes companies to new risks if not addressed prudently.

Digital transformation has reshaped entire industries. In traditional banking, exemplified by the Silicon Valley Bank collapse, rapid fund withdrawals led to default and bankruptcy, revealing weak capital controls and necessitating regulatory oversight changes.

Moreover, Environmental, Social, and Governance (ESG) expectations have corporate executives identifying ways to reduce environmental harm, assess local community impact, and uphold social obligations to employees, stakeholders, and third-party relationships.

While these regulations drive investment and focus on operational resilience, they introduce challenges. In a rapidly changing global regulatory landscape with countless alerts weekly, organizations may struggle to manage these requirements independently.

This complexity goes beyond local regulations, including compliance with diverse environments like GDPR for EU resident data. Many large organizations still work in isolation, using manual processes. This underscores the need for integrated, efficient approaches.

Operational resilience matters beyond finance. Industries like energy, pharmaceuticals, and government, are also considered “critical infrastructure” and are facing their own escalating threats, requirements, guidance, and audits.