APRA Prudential Standard CPS 230 (Operational Risk Management) and the corresponding APRA draft Prudential Practice Guide CPG 230 are designed to strengthen the management of operational risk in the Banking, Insurance and Superannuation industries. The changes come on the back of Royal Commission observations regarding the importance of oversight of non-financial risks in these industries.
The aims of CPS 230 are to
APRA CPS 230 applies from 1 July 2025 or at the next renewal date of existing service providers. APRA CPG 230 is a set of good practice expectations from APRA but is not enforceable.
In the case of service provider oversight, compliance with CPS 230 will require at least:
Continue reading to see each required CPS 230 process and how HyperGRC™ can help.
Under CPS 230, recordkeeping of the organisation structure and processes and assessment of their criticality within a GRC is essential, as is establishing process ownership, service levels, and resilience requirements for those processes.
Records of data assets maintained in the GRC should capture interdependencies across various sectors and have documented owners.
Similarly, IT asset records, including relationships between IT service and IT assets, should be maintained in the GRC.
According to CPS 230, registers must be maintained in the GRC for service providers involved in critical processes and for the 4th parties they rely on. Each service provider must be tiered and segmented. Initial and ongoing assessment of these third and fourth parties is also required.
RISK EXPRESS® workflows and ML/AI bots developed within HyperGRC™ can automate this process giving cyber certainty.
CPG 230 recommends control assurance, taking into consideration linked issues and incidents. Control assurance will require control test plans, and potentially site visits.
HyperGRC™ contains all the required control frameworks and in-built as well as custom control assessment questionnaires that you need to be CPS 230 compliant. Control assurance can be automated using RISK EXPRESS® workflows, and more and more components of the audit and assessment process can be automated using the ML/AI bots in our GRC as their capabilities increase over time.
Today, our GRC can run workflows for security testing, risk and control evidence management, internal and external control report reviews, control maturity determination, and more. HyperGRC™ can also convert between frameworks for reporting, aggregate control assessments, and streamline the risk determination process.
CPS 230 has risk management process obligations that need to be demonstrated in order to comply.
CPS 230 and CPG 230 emphasise the recording of IT services in a GRC, with a focus on correlating risks from multiple third-party dependencies on a single fourth party, and documenting interdependencies across various components.
With HyperGRC™ you can manage IT service records including IT service ownership and contact details, as well as record technology, data, hosting and support service provider relationships.
You can also add your own custom fields to the included good practice risk and issues registers that have documented owners (including third party owners) as recommended in CPG 230. Under CPS 230 these registers need to include incidents and near misses as future risks.
CPS 230 requires the formal management of risks including end-of-life or end-of-support technology risk. HyperGRC™ implements the full risk management process, including detailed risk treatments, which can be workflow enabled, integrated into IT service management systems and include automated follow ups.
CPG 230 recommends that risk treatments consider both tactical (or temporary) controls until a strategic solution is implemented, as well as the strategic (or final) solution. It also recommends actions include timing, costs, leading indicators, and a linkage to the service risk profile.
CPS 230 requires the Board to set clear roles and responsibilities for senior management oversight over BCP and third-party risk management. This will involve creating cyber risk profiles at the IT service, business process, business unit and organisation / service provider level and monitoring them within a GRC platform.
CPS 230 also requires the Board to review risk and performance reports on material service providers, and for senior management to obtain periodic reporting on service provider performance, control effectiveness and contractual compliance.
CPS 230 requires the management of service risk, geographic location risk, concentration risk, and 4th party risk within a GRC.
CPG 230 further recommends assessment of the risk of performing business services in-house compared with outsourcing, the assessment of country and region risk, supplier risk, concentration risk, and reputation risk.
With a full relational organisational risk management and cyber risk management data model, HyperGRC™ can deliver a large number of dashboards and reports “out of the box”, or with minimal configuration.
HyperGRC™ integration, workflows, and ML/AI bots give certainty over the ability to develop the necessary cyber metrics, KCIs and KRIs, as well as the continuous control monitoring necessary to comply with CPS 230.
CPS 230 requires detailed assessment of risk scenarios.
Under CPS 230, it is vital to aggregate IT service risks across business processes, business units, and service providers. Third party comparisons also need to be conducted.
CPS 230 mandates scenario-based threat, risk, and control assessment, and CPG 230 recommends these encompass all significant and conceivable operational risk events.
CyberQUANT™ is the risk quantification engine in our GRC. It uses multiple models like Open FAIR to measure cyber risk and optimise cyber investments.
You can use the engine to define risk scenarios, quantify the risk using Open FAIR or your own algorithms, calculate ROI of baskets of control changes and monitor risk buy-down.
Automating compliance for regulations such as CPS 230 and CPG 230 using a GRC platform like HyperGRC™ involves multiple steps and integration points. Here’s a comprehensive approach:
Data Integration:
Mapping & Configuration:
AI & Machine Learning:
Automated Reporting:
Continuous Monitoring:
Scenario Analysis:
Notification Systems:
Feedback Loop:
Document Management:
Automated Remediation:
Periodic Training:
Audit Trail:
Stakeholder Collaboration:
Remember, while automation can greatly assist in ensuring compliance, human oversight is still necessary to interpret results, make judgments, and handle complex scenarios that might be beyond the scope of the automation.
MYRISK MANAGEMENT PTY LTD
ABN 659328720
Level 4, 11-17 York Street, Sydney NSW 2000
P: +61 2 9158 3888
E: support@myrisk.io
Copyright 2024. MyRISK, HyperGRC, CyberBLUE, CyberQUANT, CyberDESK, CyberCOMPOSER, RISK EXPRESS, MyGRC and RESITEK are registered trademarks, trademarks and business names of MyRISK Management Pty Ltd and/or affiliates. All Rights Reserved.