Posts tagged July
Operational Risk Management - CPS 230

The Australian Prudential Regulation Authority (APRA) has released a guide that covers the new standard on Operational Risk Management - CPS 230. The standard came into force this month.

Although APRA’s standards are intended for companies operating in the Australian financial market, we think the standard and guide provide very good advice for most organisations that are concerned about their operational resilience.

The standard addresses the following:

  • The assessment and management of a wide range of operational risks, including legal, regulatory, compliance, conduct, technology, data and change management risks.

  • Business continuity and how organisations should identify time-critical business activities and estimate their tolerance for having them unavailable. Importantly, the business continuity plan should document the recovery procedures and workarounds if any supporting resources (people, facilities and IT systems) become unavailable because of a disruption.

  • Development of a policy for dealing with material service providers. This policy should cover how to identify, manage and monitor the service providers that have a significant impact on the organisation’s operations. Organisations should also evaluate the risks posed by these service providers, sign formal contracts with them, track their performance and carefully manage any major changes in their arrangements.

Managing outsourced IT services

We find that many organisations have outsourced large parts of their IT infrastructure to service providers and, as a result, have often yielded management and control to others.

This makes it challenging for the CIO to ensure that the recoverability of IT systems meets the needs of the business. Some Software as a Service vendors will not warrant a Recovery Time Objective. Often, the outsourced system (and its data) only exists at one location, making it a single point of failure.

It is critical that business management identifies the time-critical activities and their tolerance to disruption. These requirements should be communicated to IT management, so that the critical IT systems have the necessary resilience to support the business during disruptions.

CPS 230 outlines an excellent approach to achieve that!

Sustainable Finance: Risks & Policy | London Bullion Market Association

In the London Bullion Market Association webinar Sustainable Finance: Risks & Policy, Dr Paul Fisher (Fellow, Cambridge University Institute for Sustainability Leadership) and Terry Heymann (CFO, World Gold Council) discussed what sustainability means and the importance of ESG.

Paul considered how we should think about the risks and opportunities sustainability presents to the financial sector, before looking at how regulators globally are responding to those risks.

Terry presented WGC’s findings on climate change, tracking gold’s carbon footprint through the supply chain, and considered how reducing this footprint can benefit the mining and investment industries.


Why are investors not pricing in climate-change risk? | The Economist
Companies are often quick to tout their green credentials. So are many of the sophisticated institutional investors who buy and sell their shares. Yet when it comes to pricing the risk of climate change, those investors may be falling short. New research suggests that the risk of climatic disasters such as floods, storms and wildfires is not reflected in the price of equities around the world. What is more, when disasters do occur, the fall in share prices is modest.
Climate Change - Awareness to Action | APRA
The survey found that a majority of regulated entities were taking steps to increase their understanding of the risk, including all authorised deposit-taking institutions (ADIs), general insurers and RSE licensees surveyed. One third of regulated entities viewed climate risks as material. A wide range of strategic opportunities has been identified. Climate risks are being integrated into risk management frameworks, and more sophisticated financial analysis of scenarios is gaining traction across a range of entities.
Information Security News | Trusted Impact

Trusted Impact is a leading security consultancy focused entirely on helping clients achieve their business objectives in the field of information security.

Their latest newsletter covers topics such as GDPR, the City of Atlanta's ransomware attack, Yahoo's million dollar fine and the PageUp data breach. Click here to download the newsletter, or here to view past newsletters and to subscribe.

Organizational risks that you should definitely be acting on | Continuity Central

It is easy for organizations to feel overwhelmed by the number and scale of the risks that are faced; but often the perception of the potential harm engendered by various risks is exaggerated. In this article Chris Butler lists the real risks that every organization needs to consider.

Did you know the world’s most dangerous animal is not a shark, or a bear, but is in fact a mosquito? What’s certain is that human perception of risk is notoriously flawed; often, the events that concern and outrage us the most are the least likely to happen. 

From political and economic tremors to cyber threats, 2017 represents another minefield of risks for businesses. For organizations, forging a deepened understanding of both threats and risk factors is crucial for remaining robust, resilient, and most of all, ahead of the competition. Part of this involves separating the myths from reality. So, what then are the real risks to business today?
