Introduction to APRA Prudential Standards
APRA (Australian Prudential Regulation Authority) sets standards to ensure the stability of Australia's financial system. CPS 220, 230, and 234 form a critical triad that financial institutions must implement to manage risk effectively. While they overlap and interconnect, each standard has distinct objectives and requirements.
Comparison of the Three Standards
CPS 220 (Risk Management)
Scope: Enterprise-wide risk management governance and framework. Establishes the overall risk management structure and accountability.
Objective: To ensure APRA-regulated entities have a sound risk management framework appropriate to their size, business mix, and complexity.
Key requirements:
- Board accountability for risk management
- Risk Management Framework (RMF)
- Risk Appetite Statement (RAS)
- Clear roles (Three Lines of Defence)
- Chief Risk Officer (CRO) appointment
- Risk culture assessment and monitoring
Key stakeholders: Board of Directors, CRO, Senior Management, Risk Committee

CPS 230 (Operational Risk)
Scope: Operational risk and resilience - ensuring critical operations can continue during severe disruptions.
Objective: To strengthen operational risk management and ensure entities can continue to deliver critical operations through disruptions.
Key requirements:
- Identify critical operations
- Set impact tolerances
- Test operational resilience
- Manage third-party risks
- Business continuity planning
- Incident management framework
Key stakeholders: Chief Operations Officer, Business Continuity Team, Third-Party Managers, IT Operations

CPS 234 (Information Security)
Scope: Information security as a subset of operational risk - specifically protecting information assets.
Objective: To ensure information security is maintained to protect information assets and support sound risk management.
Key requirements:
- Information security capability
- Information asset identification
- Security controls implementation
- Incident response planning
- Third-party information security
- 72-hour incident notification to APRA
Key stakeholders: Chief Information Security Officer (CISO), IT Security Team, Data Protection Officer
How the Standards Connect and Interact
These standards don't operate in isolation. They form a hierarchical and interconnected framework:
CPS 220 (Risk Management): Establishes the overall risk management framework, governance, and culture. Provides the "umbrella" under which CPS 230 and 234 operate.
Example: The Board's risk appetite (CPS 220) determines how much operational risk (CPS 230) and cyber risk (CPS 234) the entity can tolerate.
CPS 230 (Operational Risk): Applies the risk management framework to operational risks. Focuses on ensuring critical operations continue during disruptions.
Example: A cyber attack is a "severe but plausible disruption" that CPS 230 requires testing for. The controls to prevent it come from CPS 234.
CPS 234 (Information Security): Provides specific controls for information security risks (a subset of operational risks). Implements the technical safeguards needed for resilience.
Example: Multi-factor authentication and Data Loss Prevention (DLP) controls (CPS 234) help achieve operational resilience goals (CPS 230) within the risk appetite (CPS 220).
CPS 220 says: "You must have a robust risk governance framework."
CPS 230 says: "Within that framework, you must prove you can keep critical services running through major disruptions."
CPS 234 says: "Since many disruptions will be cyber-related, you must have strong information security controls and response plans."
Key Requirements Comparison Table
| Requirement Category | CPS 220 (Risk Management) | CPS 230 (Operational Risk) | CPS 234 (Information Security) |
|---|---|---|---|
| Governance & Accountability | Board accountable for RMF; CRO appointment | Accountability for operational resilience | Board oversees information security strategy |
| Framework & Approach | Enterprise-wide Risk Management Framework | Operational risk management; Business continuity | Information security framework; Security controls |
| Risk Assessment | Risk appetite statement; Risk identification | Identify critical operations; Set impact tolerances | Information asset identification; Security assessments |
| Testing & Validation | Risk culture assessment; Framework review | Resilience testing with severe scenarios | Security testing; Vulnerability assessments |
| Third-Party Management | Part of overall risk management | Extend operational resilience to material providers | Ensure third-party information security controls |
| Incident Management | Part of overall risk framework | Operational incident management framework | Information security incident response; 72-hour APRA notification |
| Reporting & Monitoring | Regular risk reporting to Board | Monitor critical operations; Report on resilience | Monitor security controls; Report security incidents |
Practical Implications for Financial Institutions
Example: Managing SharePoint for PII Data (from your ISO 31000 assessment)
CPS 220 (Risk Management)
Action: Include SharePoint PII risks in the Risk Management Framework. The Board sets risk appetite for data breaches.
Deliverable: Risk Appetite Statement defining acceptable PII exposure levels.
CPS 230 (Operational Risk)
Action: Classify PII data handling as a critical operation. Set impact tolerances (e.g., "PII data cannot be unavailable for more than 4 hours").
Deliverable: Business continuity plan for SharePoint PII repositories.
CPS 234 (Information Security)
Action: Implement DLP, encryption, and access controls for SharePoint PII data. Establish an incident response plan.
Deliverable: Technical security controls; 72-hour incident notification process.
CPS 220 is the FOUNDATION: It's about governance, framework, and culture. It answers "Who is accountable?" and "What's our risk appetite?"
CPS 230 is the APPLICATION: It's about operational resilience. It answers "Can we keep running during a crisis?" and "How do we manage third-party risks?"
CPS 234 is the SPECIALIZATION: It's about cyber security controls. It answers "How do we protect our data?" and "How do we respond to security incidents?"
The Bottom Line: While CPS 220 sets the rules of the game, CPS 230 ensures you can keep playing during a storm, and CPS 234 provides the protective gear against cyber threats.