3 minute read
CPS230 Update: CPG 230 and non-SFI implications
APRA released CPG 230 on the 13th of June 2024. This updated guidance outlines some key changes to the timing of certain elements and supervisory regime for the standard.
In summary, non-SFIs will have an additional 12 months (to July 2026) to meet certain BCP obligations, and the supervisory regime will be ‘light touch’ for a number of years.
Hooray, I hear you say. And rightly so. Some of us get a bit longer (non-SFI entities) and all of us get a lighter regulatory inquisition – unless, of course, we have a major disruption.
So, what can we practically do about this?
Warning, I’ll be talking in CPS 230 code. But hopefully 27b is familiar to many
– if not, reach out as I’d love to take you through all the jargon.
27B and 34 are still day 1 requirements (and so is 42)
Not all of CPS 230 is delayed, and two key provisions remain as Day 1 for non-SFIs.
The following are the need to maintain:
- a comprehensive operational risk profile across critical operations (27b / connect the dots)
- identify critical operations and tolerances
- take reasonable steps to maintain operations within those tolerances (34).
Finally, para 42 has not been delayed (just 40,41,43,44,45 and 46)
So, rumours of the delay of critical operations tolerances for non-SFIs may be overstated.
Parallel processes are hard
APRA has allowed an additional year to run on C/SPS 232 BCP requirements for non-SFIs.
Maintaining critical operations tolerances with C/SPS 232 BCP in parallel is going to be messy. Not saying it can’t be done. But it will need careful planning to avoid confusion in a crisis. Which plan do we use? What are we worried about?
Given that we still have to meet para 42 and notify what we‘re doing about critical operation tolerance breaches anyway… there isn’t really much benefit.
Resilience vs Regulation
Regulation is a minimum standard. Resilience is about maintaining the ability to keep going in the face of disruption. Keep focused on resilience!
Key actions you can take now
- Think hard about whether you want to use the additional 12 months for BCP. And if you do, have a clear plan for any real disruption in the parallel processing period – because if you have disruption outside tolerance the supervisory light touch will, I’d imagine, become a bit heavier…
- Use any additional time you may have to get a really solid and connected data model and plans for disruption (if significant GRC change was in the too hard basket because of time, maybe re-open that thought process)
- Keep the focus on resilience – with critical operations at the core…
To find what you really need to know to be CPS230 ready speak to Battleground today.
Related articles
2 minute video …
6 minute read …
6 minute read …
