New prudential standard CPS 230 now in force

CPS 230 Operational Risk Management aims to ensure that APRA-regulated entities are resilient to operational risks and disruptions.

It requires entities to effectively manage their operational risks, maintain their critical operations through disruptions, and manage the risks arising from service providers.

Under the key requirements of the standard, APRA-regulated entities must:

• Identify, assess and manage their operational risks, with effective internal controls, monitoring and remediation.
• Be able to continue to deliver their critical operations within tolerance levels through severe disruptions, with a credible business continuity plan.
• Effectively manage the risks associated with service providers, with a comprehensive service provider management policy, formal agreements and robust monitoring.

It is this final area that will have likely impact on financial advisers, particularly risk advisers, as more stringent requirements for insurers flow through to firms dealing with them.

APRA member Therese McCarthy Hockey noted that CPS 230 requires entities to identify their own operational vulnerabilities and have plans to mitigate them while also having a detailed level of understanding and mitigation planning in relation to their most critical third-party service providers.

“This will require an entirely new mindset about where the boundaries of responsibility sit,” Hockey said.

In the lead-up to 1 July, Complii chief executive Alison Sarich told ifa that risk advisers will be “subject to a more rigorous and comprehensive approach to manage operational risk management within their firms”.

“Unfortunately, this may potentially lead to increased costs and complexities within a firm, and this cost/complexity may potentially be passed down to an adviser,” Sarich said.

The CEO explained that these changes could also impact how insurers exchange information. In addition to being asked to provide further details about their own controls, the new standards will require entities to “have a better understanding of their operational risk profile and will also impact service provider arrangements”.

Similarly, Risk Hub founder Marc Fabris said that while the new standard “rightly raises the bar” for institutions, the role of advisers remains a “blind spot in many roadmaps”.

“The danger is that systems get locked down or reworked without factoring in adviser workflows – creating new friction rather than solving existing risk,” Fabris said.

“Many practices are still evolving their digital maturity. If we want the industry to meet the intent of CPS 230, we need insurers to work in partnership with advisers – helping modernise workflows and data handling without just tightening the gate.”