
With the deadline for CPS 230 fast approaching, APRA-regulated entities, including super funds, will need to ensure they are prepared for the requirements outlined in the regulation.
In this article, we focus on the key themes of the CPS 230 regulation, summarize the progress made by super funds to date, and outline the key areas that need to be considered to ensure compliance.
Key Themes of CPS 230
The CPS 230 regulation centers on operational risk management, which encompasses a broad range of risks including legal, regulatory, compliance, conduct, technology, data and change management. Below is a summary of the key themes:
- Accountability: Boards will have ultimate accountability for the continuity of critical operations, including the oversight of material third parties. Senior management also plays a key role by ensuring the Board has sufficient reporting and may even have delegated responsibility.
- Governance: Having a robust governance framework in place, with clear roles and responsibilities, as well as strong monitoring and oversight will be essential to effectively identifying and managing operational risks and potential disruptions.
- Understanding: Regulated entities must understand their critical operations, as well as the key processes and resources (across people, technology, information, facilities and service providers) that support them. They will also need to understand the entity’s operational risk profile and define the tolerance levels for potential disruptions.
- Proactivity: In addition to robust controls and stringent business continuity plans being in place, it is imperative that these are proactively tested. Business Continuity Plans should be tested using severe but plausible scenarios to ensure that they are effective and to close any potential gaps.
What Are Funds Doing to Prepare?
Super funds operate in a complex environment with interconnected risks and an often intricate network of third parties. This, combined with the fact that the regulator wants entities to take a proactive approach, has led many super funds to begin taking steps to meet CPS 230 requirements, including:
- Process & Resource Mapping: Detailed mapping of operational flows to identify risk points, especially those involving third-party providers.
- Operational Risk Assessments: Using tools and frameworks to evaluate the likelihood and impact of risks, from data breaches to system failures.
- System Upgrades: Investing in advanced risk management systems that provide real-time exposure data, along with improved cybersecurity and IT infrastructure.
How do supers make sure they are compliant by the deadline?
With the impending deadline, it is imperative that super funds act to ensure compliance with CPS 230 regulations. There are a number of activities that the regulator expects to be undertaken prior to the 1 July 2025 deadline (and in some cases sooner) which include (but are not limited to):
- Defining critical operations and their potential impact on clients and the market
- Setting disruption tolerance levels
- Mapping processes and resources (including material service providers) that underpin critical operations
- Adapting existing business continuity plans to align with critical operations
- Designing and implementing a robust operating model that supports the effective identification and management of key operational risks
- Defining and implementing a scenario testing approach
- Implementing a material service provider policy
While adhering to the regulations may seem daunting, it is imperative for super funds to take a practical approach and ensure that any mitigants are proportionate to their business. It is also vital to assess what activities have already been undertaken to see what can be leveraged, and to identify any quick wins to minimize risk, e.g. reducing reliance on Excel. Having a clear implementation plan in place will also help in prioritizing the most critical elements of the regulation.
No matter where you are in your CPS 230 journey, our local Australia team would be pleased to support you. Please contact us here.


