CPS230: prepare for APRA's incoming operational risk management standard by refreshing outsourcing processes and contracts

Akmal Chunara
06 Mar 2025
2 minutes

Operational risk comes in many forms. An APRA-regulated entity must manage not only the risks that arise in its critical operational processes, but also the risks introduced by the third and "fourth" parties involved in performing those processes. APRA's CPS230 refreshes the operational risk management standards that apply to APRA-regulated entities and sets specific requirements for the risks introduced by outsourcing arrangements. Those requirements warrant a close examination, and potentially a refresh, of existing procurement processes and outsourcing contracts.

What is CPS230 and what have we seen so far?

APRA-regulated entities will be familiar with CPS231/SPS231 Outsourcing. Effective 1 July 2025, CPS230 Operational Risk Management will replace CPS231/SPS231 (as well as CPS232/SPS232 Business Continuity Management) and establish new operational risk standards for APRA-regulated entities.

In response, regulated entities have been refreshing their template service agreements to ensure the updated CPS230 contracting requirements are addressed in those agreements, developing CPS230-specific schedules and undertaking variations or early renewals for the purpose of updating the terms of their material service provider arrangements.

What are the key requirements of CPS230 specific to outsourcing?

An APRA-regulated entity must:

  • as part of its risk management framework, develop and maintain a comprehensive service provider management policy;
  • have its board approve the entity’s service provider management policy and review reporting on its material service providers;
  • maintain a register of its material service providers and submit that register to APRA on an annual basis;
  • undertake appropriate due diligence before entering into material service provider arrangements, and during the course of those engagements, ensure it manages operational risk, can execute on its business continuity plan and can conduct an orderly exit from the arrangement if needed;
  • have a formal agreement governing each material service provider engagement, which must include, at a minimum, the terms specified in the standard;
  • monitor, and ensure senior management receives reporting on, the outsourcing arrangement and regularly assess the service provider's performance against agreed service levels, the effectiveness of risk management controls and compliance with the agreement governing those services;
  • notify APRA as soon as possible, and within 20 business days, after entering into or materially changing a material service provider arrangement, and notify APRA before entering into an offshoring arrangement with a material service provider; and
  • meet general risk management requirements, such as:
    • monitoring, reviewing and testing the above operational risk controls, and remediating any material weaknesses identified in them;
    • addressing incidents and near misses; and
    • notifying APRA as soon as possible (and within 72 hours) of an operational risk incident that the entity determines is likely to have a material financial impact or to materially affect its ability to maintain its critical operations.

When do the outsourcing requirements take effect?

CPS230 commences on 1 July 2025. A key requirement of the standard is to include certain terms in agreements covering material service provider arrangements. Contracts already in effect on that date are not required to comply until the earlier of the contract's next renewal date and 1 July 2026.

What are "fourth parties" and how are they now covered?

"Fourth parties" are the parties that a service provider engaged by an APRA-regulated entity relies on in delivering its services (essentially, a subcontractor). CPS230 acknowledges that an APRA-regulated entity can be exposed to operational risk from fourth parties in the same way as its third party service providers.

An entity must have an approach to managing fourth party risks, and that approach must be documented in its service provider management policy. The accompanying prudential practice guide (CPG 230) also indicates that fourth parties should be listed on an entity's register of material service providers.

Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.