APRA’s new Prudential Standard CPS 230 and why it matters to law firms

On 28 July 2023, APRA released for consultation a new Prudential Standard CPS 230, which sets out minimum standards for managing operational risk, including updated requirements for business continuity and service provider management.

The aim of this Prudential Standard is to ensure that all APRA-regulated entities are resilient to operational risks and disruptions. An APRA-regulated entity (entity) must effectively manage its operational risks, maintain its critical operations through disruptions, and manage the risks arising from service providers. Significantly, if your law firm provides services to an APRA-regulated entity, you need to understand the implications of your contractual obligations with your clients and what you will now be accountable for, to comply with CPS 230.

Summary of CPS 230

An APRA-regulated entity must achieve the following outcomes:

1. What: effectively manage its operational risks and set and maintain appropriate standards for conduct and compliance.

How: identify, assess, and manage its operational risks, with effective internal controls, monitoring and remediation.

Likely impact: Entities and their law firms should already have:

  • an executive authorised statement of risk appetite, risk tolerance and risk capacity to provide the direction for the management of risk;

  • a risk management framework and guideline to identify, eliminate and minimise risks; and

  • an up-to-date list of operational risks with appropriate impact analysis and mitigations.

If any of these processes are not in place and embedded, and your law firm is a material service provider to an APRA-regulated entity, then your firm is likely to fall short of the CPS 230 requirements, compromise the client relationship and risk being unable to continue providing services to the client entity.

2. What: maintain its critical operations within tolerance levels through severe disruptions.

How: be able to continue to deliver its critical operations within tolerance levels through severe disruptions, with a credible Business Continuity Plan (BCP).

Likely impact: More and more organisations are developing BCPs, as the impacts of disruptions (particularly cyber and climate related) become more obvious. Stakeholders, legislation, regulation, and insurers already drive the need for effective BCPs to be in place, but in many cases those BCPs are out-of-date documents that are incapable of enabling an organisation to deliver critical services in the event of a major disruption.

Organisations must now ensure that their BCPs are up to date, fit-for-purpose and capable of delivering the essential operations of the business during a crisis or major business continuity event.

A regulated entity must now identify and manage risks that could affect the ability of the service provider to provide the service on an ongoing basis, which indicates that such service providers must have an effective BCP in place.

If your law firm provides services to these entities, you must understand the implications of the contractual obligations these entities will need to impose for CPS 230 compliance.

3. What: manage the risks associated with the use of service providers.

How: effectively manage the risks associated with service providers by having a comprehensive service provider management policy, formal agreements, and robust monitoring.

Likely impact: If your organisation provides services to APRA-regulated entities, you should understand the implications of the contractual obligations these entities need to impose for CPS 230 compliance. This will involve detailed documentation and agreements on how your client will manage its contractual relationship with you. Your client will undertake due diligence, apply updated monitoring and internal reporting requirements, and assess the financial and non-financial risks of relying on your firm.