Published in partnership with Novigi.
The final version of APRA’s Prudential Practice Guide CPG 230 Operational Risk Management was released in June. With the standard and associated guidance now finalised, and the 1 July 2025 effective date looming, we’ve turned our minds to the data and technology impacts of APRA’s new operational risk management regime.
We refer below to “regulated entities” but it’s worth noting that all of this is also relevant to third parties that work with regulated entities.
For anyone who needs a refresher, the key objectives of CPS 230 are to (and we quote APRA here):
- Strengthen operational risk management.
- Improve business continuity planning.
- Enhance third-party risk management.
As a data and technology firm, we group the responses to these overarching goals into four categories:
- Systems and applications.
- Business intelligence and data analytics.
- Technology process and governance.
- Other stuff (not related to data and tech).
Systems and applications
Organisations subject to CPS 230 will need to ensure that they have systems in place to perform two key functions: risk management and service provider management. Fortunately, many of the solutions available on the market have modules that fulfil both purposes.
Essentially, APRA regulated entities should be looking for an appropriate system that includes the following capabilities:
- A comprehensive risk register.
- An asset register, preferably one that integrates with and actively discovers your IT ecosystem.
- Standard and certification management.
- Policy lifecycle management.
- Incident management.
- Third-party lifecycle management, including: onboarding, risk assessment, risk mitigation, reporting and monitoring, and offboarding.
- Third-party risk intelligence, like access to databases of existing risk assessments on service providers.
- Support for business continuity planning.
Such systems are often marketed as risk management information systems, integrated risk management systems, or GRC platforms. As with all system implementations, the configuration and proper integration of these tools into existing ecosystems will be crucial. Appropriate processes will need to be built around them to ensure that they actually serve their stated function and support compliance with CPS 230.
Business intelligence and data analytics
Putting aside our self-consciousness about the number of lists in this article, there are three ways in which business intelligence and data analytics can support compliance with CPS 230.
First is monitoring and gathering data from a range of sources that may be relevant to operational risk management, business continuity planning, and third-party risk management. CPS 230 refers to people, technology, information, facilities, and service providers — data relating to all of these will need to be gathered and refreshed regularly.
Second is analysing this data to identify, assess, and develop mitigations and controls for operational risks.
Organisations subject to CPS 230 will need to be creative and proactive in their approach here. It does not take too much imagination to envision how analysis of data relating to insurance claims, social media sentiment, or employee turnover could uncover operational risks. Analysis of patterns in superannuation contributions could signal risks and issues at any number of points in the contributions process.
Third, and finally, is reporting on operational risk management, business continuity planning, and third-party risk management to executive management, boards, and APRA. Under CPS 230, APRA regulated entities will be required to report operational risk incidents that meet a materiality threshold to APRA within 72 hours. APRA will need to be notified within 24 hours if business continuity plans (BCPs) are activated.
Technology process and governance
CPS 230 necessitates the operation of several frameworks related to technology. In particular, regulated entities will need to take a framework approach to business continuity and third-party management.
The approach to business continuity planning revolves around the need to maintain a register of critical operations. For each of those critical operations, an organisation’s board will need to approve tolerance levels relating to downtime, data loss, and service levels.
Organisations will need to ensure that they have a systematic testing program in place for their BCP that covers all critical operations and a range of “severe but plausible” scenarios.
Regulated entities will also need a robust framework in place for the management of third parties. Ensuring that the risks associated with third parties are well understood and managed will involve the analysis of technology risks.
Service providers and vendors will need to undergo assessments to ensure they are adhering to best practices in cyber security — compliance with CPS 234 is a minimum, but organisations would do well to insist their partners surpass this.
A comprehensive technology due diligence process should become part of any technology procurement process. There’s also the matter of keeping a record of service providers. APRA released a material service provider register template in October, to assist regulated entities with this reporting.
Other stuff
There are, of course, elements of operational risk management that are not directly related to data and technology, which our colleagues with more diverse interests would object to us dismissing as “other stuff”. As is often the case, data and technology will play an important role in CPS 230 compliance but are not the whole story.
That said, going beyond mere compliance will hinge on the more creative and proactive measures organisations can take, enabled by data analysis. If organisations can get this right, CPS 230 could be an opportunity to run safer and more stable operations, rather than simply a box-ticking exercise.
Kevin Fernandez is general manager of market strategy and propositions for Novigi.