Streamlining CPS 230 compliance: How CPS 230-tailored software can help 

Last updated August 2023.

On 17th July 2023, APRA released the final version of Prudential Standard CPS 230 Operational Risk Management, a new standard that consolidates five existing Prudential Standards covering outsourcing and business continuity planning across banking, insurance and superannuation. CPS 230 will introduce new requirements and enhance existing requirements across three key areas:

  1. Operational risk management, with APRA expecting entities to demonstrate clear management of operational risks; documentation of processes and resources needed to deliver critical operations, including people, technology and service providers; and regular scenario analysis, risk profiling and assessments.
  2. Business continuity planning (BCP), with entities clearly identifying critical operations, establishing acceptable tolerance levels (e.g. maximum period of disruption), and maintaining and testing their BCPs regularly.
  3. Service provider management, with APRA expecting entities to identify material service providers and maintain robust policy and procedures for managing service provider risk, including identification of fourth parties. Entities should work with their service providers to manage fourth-party risks. Entities must notify APRA of any new and changed arrangements with material service providers.

CPS 230 compliance will impact entities differently
Entities with sufficient scale, such as the “big four” banks, will undoubtedly have some advantage in complying with CPS 230. They typically already have a higher level of maturity in process, risk, BCP and supplier management from years of investment, and they have the tools and internal expertise to meet the new requirements.

For many regional and customer-owned banks, medium-sized insurance companies and superannuation funds, CPS 230 presents a significant challenge. Their size, maturity and access to resources make complying with CPS 230 a more onerous task compared to their larger peers. For some entities, the commercial viability of operating under this prudential standard is uncertain.

How CPS 230 software could help
Software designed specifically for CPS 230 would help entities comply with the standard faster and more cost-effectively. This is especially so when compared to approaches involving traditional documents or cobbling a solution together using disparate systems. Purpose-built software would support capturing, understanding, monitoring and reporting in operational risk, business continuity planning and service provider management out of the box.

Importantly, CPS 230 software would enable entities to go beyond a shallow assessment of requirements and provide increased assurance that they are compliant. In designing our CPS 230 software, we think that it should support:

  1. Capture of information that provides increased assurance of compliance
  2. Ongoing management of compliance and help address gaps
  3. Auditing and reporting to APRA

These features would cover all three areas of CPS 230: Operational risk management, business continuity planning, and service provider management.

An information model to support strong CPS 230 compliance
A key feature of CPS 230 software is a purpose-built information model that helps entities capture, understand and report on:

  • the entity’s CPS 230 obligations
  • processes that make up the entity’s critical operations
  • resources such as technology, information, people, facilities and suppliers (third- and fourth-party)
  • business continuity plans
  • associated operational risks and controls
  • people who are accountable and responsible
  • and, importantly, the interdependencies between all the above.

This information model provides entities with a fit-for-purpose framework for complying with CPS 230. Capturing information using this model brings depth to the entity’s compliance regime and provides a level of assurance that could not be achieved with documents. Supported by an easy-to-use user interface, the software enables entities to capture the necessary information to become compliant quickly, and reduces the risk of non-compliance on an ongoing basis.

Workflows and visualisation to support ongoing CPS 230 management
CPS 230 software has a combination of features that reduces the costs and effort required to maintain CPS 230 compliance.

Dashboards, such as visual heatmaps, would show the coverage of risks, controls, accountable persons and service providers across critical operations. Any gaps in compliance, such as a BCP test or a service provider assessment that has lapsed, would be flagged for attention.

The software has workflows and notifications to support managing changes (for example, version control), reviews and approvals. A record of changes and approvals is stored for auditing purposes. Automated notifications support periodic review of information and testing of BCPs, helping the entity ensure that compliance is maintained at any point in time.

Historical snapshots and information packages for auditing
Purpose-built software enables entities to prove to internal and external auditors that they were compliant at any point in the past. It provides a snapshot of the processes, resources, assessments, BCPs and supplier arrangements that were in place at that point in time. A package of all the relevant information could be compiled on demand in a few clicks. The preparation involved in responding to an audit is significantly reduced as a result.

The software would also have features that support entities in reporting to APRA. For example, it would help create information packages for any new agreements or changes with material service providers. It also keeps a record of what was reported to APRA, who approved it for release, and how the information has changed over time.

Holocentric and Three6 are co-designing a CPS 230 solution
Holocentric and Three6 are collaborating to develop innovative solutions to reduce the cost of addressing and maintaining CPS 230 compliance. With our combined financial services, compliance, and software expertise, we understand the challenges you face. Our software solution streamlines CPS 230 compliance, saving you time, effort, and money.
