Risk advisers should be 'preparing themselves' for CPS 230

The new financial year will see all APRA-regulated entities required to comply with Prudential Standard CPS 230 Operational Risk Management – or CPS 230 – a new standard that will change how these entities manage operation risk, business continuity and oversight of third-party providers.

While this new regulation is directed specifically at institutions operating under APRA’s rules, Complii chief executive Alison Sarich said that CPS 230 will also inadvertently impact financial advisers, particularly risk advisers through their work with life insurers.

“With CPS 230, advisers will be subject to a more rigorous and comprehensive approach to manage operational risk management within their firms. Unfortunately, this may potentially lead to increased costs and complexities within a firm, and this cost/complexity may potentially be passed down to an adviser,” Sarich told ifa.

The CEO explained that these changes could also impact how insurers exchange information. In addition to being asked to provide further details about their own controls, the new standards will require entities to “have a better understanding of their operational risk profile and will also impact service provider arrangements”.

As a result of these additional requirements, Sarich suggested that operational costs could see an increase.

“Firms can keep costs at bay, or increased minimally, by adopting cost effective technology like risk management systems to help manage a company’s risk appetite, obligations, changes and controls, and demonstrate an overall framework representing their business risks and management of those, which will keep processes and key person reliance manageable,” she said.

Although CPS 230 will see further regulations inadvertently placed on an already overregulated profession, Sarich said that it should have an overall positive impact on advisers’ clients by “strengthening the operational resilience of APRA-regulated financial institutions”.

This, she said, could lead to greater stability and reduced risk of disruptions with the ultimate goal of protecting customers and the wider financial system.

“This will involve considerable changes in how these institutions manage their operational risks, business continuity, and service provider agreements,” Sarich said.

As 1 July approaches, the CEO explained that relevant entities will be conducting thorough reviews of their current risk management plan, identifying and addressing any gaps, engaging with service providers to ensure compliance and developing comprehensive implementation plans in preparation.

“This should ultimately result in advisers preparing themselves and making adjustments in their own processes to pre-empt the changes,” Sarich said.

While it would be easy for advisers to overlook this given it isn’t directly impacting them, Risk Hub founder Marc Fabris told ifa last month that “this isn’t just an institutional issue … and advisers need to be part of the conversation”.

“If your business relies on APRA-regulated providers or third-party platforms, understanding CPS 230 will help you improve your own resilience, demonstrate good practice and align with rising industry expectations,” Fabris said at the time.