The Australian Prudential Regulation Authority (APRA) has finalised Prudential Standard CPS 230 (Operational Risk Management) (CPS 230) following a year-long industry consultation. The new prudential standard commences on 1 July 2025 and applies to all APRA-regulated entities, encompassing banks, insurers (general, life and health) and registrable superannuation entity licensees. This article focuses on the implications for insurers.
What is CPS 230?
CPS 230 is a new prudential standard aimed at ensuring that APRA-regulated entities are resilient to operational risks and disruptions and that such risks are appropriately managed. APRA wants to ensure that entities:
- identify and manage their operational risks;
- effectively respond to severe business disruptions and minimise such impacts on a variety of stakeholders (eg. insurance policyholders); and
- have comprehensive policies in place to manage risks from the use of any third party service providers and monitor such arrangements on an ongoing basis.
Upon commencement, CPS 230 will replace CPS 231 (Outsourcing) and CPS 232 (Business Continuity Management), including their equivalents for superannuation (SPS 231 and SPS 232) and health insurance (HPS 231).
Operational risk is a key focus area for regulators globally. In the European Union, the Digital Operational Resilience Act (DORA) has been enacted for similar purposes, and the UK also has recently introduced an operational resilience regime for insurers (read more below). CPS 230 will require insurers to make significant changes to their governance and compliance frameworks, as well as contracting arrangements.
Roles and responsibilities of the board of directors
The board of an insurer is ultimately accountable for oversight of operational risk management, business continuity and management of service provider arrangements. It must also ensure that the regulated entity sets clear roles and responsibilities for senior managers for managing operational risks.
The board must also:
- oversee the entity’s operational risk management and assess the effectiveness of key controls in maintaining its operational risk profile within risk appetite;
- approve the Business Continuity Plan(s) (BCP) and tolerance levels for disruptions to critical operations;
- review results of testing and oversee the execution of any findings;
- approve the service provider management policy; and
- review risk and performance reporting on material service providers.
Operational risk management
Senior management are required to manage all operational risks (including legal, regulatory, conduct or technology risks) for all business operations. Specifically, insurers must:
- identify and assess the operational risk impact of their business and strategic decisions;
- design, implement, and embed internal controls to mitigate operational risks in line with their risk appetite; and
- ensure that operational risk incidents and ‘near misses’ are identified and addressed effectively.
Business continuity and ‘critical operations’
Insurers are also required to take steps to minimise the likelihood and impact of disruptions to critical operations. In doing so, insurers are required to identify all critical operations and ensure they are provided within set ‘tolerance levels’. Tolerance levels set the maximum duration of disruption, the maximum data loss and the minimum service levels for alternative arrangements that the insurer will accept. Insurers are required to notify APRA of a disruption as soon as possible (and in any event within 24 hours).
Insurers are also required to maintain a business continuity plan that details how they will maintain their critical operations during a disruption.
A ‘critical operation’ is a process undertaken by the insurer or its service provider which, if disrupted beyond tolerance levels, would have a material adverse impact on policyholders or other customers. Insurers must at a minimum classify claims processing and customer enquiries, together with systems and infrastructure needed to support these functions, as critical operations.
Management of service provider arrangements
CPS 230 requires all insurers to ensure that the risks associated with ‘material service providers’ are effectively managed. To do so, an entity must identify all its material service providers and manage the risks arising out of such arrangements. This is likely to be an extensive exercise, particularly since service providers may now also encompass insurance broker distribution arrangements. It will also require insurers to manage risks associated with ‘fourth parties’, being parties that material service providers rely on to deliver a critical operation to the insurer.
A ‘material service provider’ is a provider on which the entity relies to undertake a critical operation or that exposes the insurer to material operational risk. Insurers must at a minimum classify underwriting, claims management, insurance brokerage and reinsurance as material service providers unless the insurer can justify otherwise.
Insurers must submit a register of material service providers to APRA annually. CPS 230 also prescribes specific steps that must be taken before entering an agreement with a material service provider or materially altering an existing arrangement (eg. due diligence and assessing the risks that could arise from reliance on a service provider).
What should insurers do to prepare for CPS 230?
While CPS 230 does not commence until 1 July 2025, preparation will involve significant changes to insurers’ internal operations and frameworks. Accordingly, insurers should start preparing now.
APRA has set out a pro-active implementation timeline in its Response Paper, setting out its expectation for insurers to identify material service providers and critical operations by mid-2024.
Where there are existing contractual arrangements in place with service providers, CPS 230 will apply from the earlier of the next renewal date or 1 July 2026.
APRA has also published a draft Prudential Practice Guide. Consultation has now closed and industry is now awaiting APRA’s finalised guidance.
[Figure: Timeline by APRA]
Learnings from DORA and the UK operational resilience regime
In the UK, an operational resilience regime for insurers began to apply on 31 March 2022 (alongside an equivalent regime for banks), following a one-year implementation period. The EU’s DORA, which will take effect in January 2025, also introduces similar requirements, although it applies more broadly to several other sectors in addition to insurance and focusses specifically on IT services rather than encompassing other ‘critical’ services.
There are some useful lessons learned from firms’ experiences so far of implementing the UK regime that could be helpful when preparing for CPS 230. One such learning is the importance of identifying the key service provider – this requires a firm to fully understand its own business dependencies and can in some cases be less obvious than the firm might expect. Operational resilience will also need to be considered holistically, with all relevant stakeholders and skill sets being considered – for example, there will be important roles for legal, compliance, risk management, procurement, IT and the business itself.
In addition, firms should note that operational resilience may need to be approached on a group basis. Many insurance companies are within corporate groups where services may be procured centrally or via an affiliate (often with chains of contracts which add an extra layer of complexity), policies may be defined at group level, and groups may seek to try to apply a common standard or at least to approach local requirements in a standardised way. Whilst this is not easy to navigate, there are ways of achieving it, to a certain extent at least.
To prepare, insurers could consider:
- Global implementation: Insurers with global operations may want to harmonise their approach to operational resilience as much as possible, as regulators around the world implement similar requirements.
- Board and senior management awareness: As the board of directors is ultimately responsible for managing operational risk, officers need to be aware of their increased remit under CPS 230. Senior management should also be given specific responsibilities for managing operational risk. Insurers should also ensure that members of their board and senior management are aware of the new requirements under CPS 230.
- Updating business continuity plan: Insurers should review and update their BCP to capture critical operations and the associated requirements under CPS 230.
- Management of service providers and ‘fourth parties’: While APRA has supervisory powers under the current Prudential Standard CPS 231 (Outsourcing) (CPS 231), its remit is significantly broader under CPS 230. The definition of ‘material service providers’ captures a greater number of entities because it is not limited to outsourced activities. CPS 230 also prescribes greater due diligence requirements on service providers, including on service providers further down the chain (called ‘fourth parties’). Accordingly, insurers may have to invest significantly to uplift governance and compliance processes in order to comply with CPS 230.
Implementation of CPS 230 will be a significant exercise and also overlap with the implementation of the Financial Accountability Regime (see our article). Insurers should take the opportunity to review governance frameworks and operating models holistically to ensure they are prepared for the future.