Operational Resilience & Critical Third Parties
Post-pandemic regulatory convergence on impact tolerance, critical business service mapping, and third-party dependency risk. DORA (EU) and PRA/FCA Operational Resilience Policy established binding frameworks; supervisors are now in an active supervisory review phase with self-assessment deadlines passed.
Status Rationale
Binding frameworks in effect across all major jurisdictions. DORA became fully applicable January 2025; PRA/FCA self-assessment deadlines passed March 2025. Supervisory thematic reviews are underway. Signal volume remains high and materiality is sustained above the established threshold.
Intelligence Signals (3 signals)
DORA Final RTS on ICT-Related Incident Classification Criteria
The Joint Committee of the ESAs published the Final RTS under DORA specifying classification criteria for major ICT-related incidents. The RTS introduces a multi-dimensional matrix covering client impact, geographic spread, data breach severity, and service disruption duration. Firms must submit an initial supervisory notification within 4 hours of identifying a major incident.
AI Commentary
The 4-hour initial notification requirement is a significant operational shift. Current incident management processes typically operate on 24–72 hour cycles. Firms should treat tooling, escalation protocols, and regulatory reporting automation as immediate remediation priorities.
Signal type: legislative_change
Date: 2024-07-17
EBA Opinion on ICT Third-Party Concentration Risk Under DORA
The EBA published an opinion on systemic ICT third-party concentration risk, warning that critical cloud and security operations infrastructure providers present sector-level concentration exposures not visible at individual firm level. The opinion will inform designation criteria for critical ICT third parties subject to direct DORA oversight.
AI Commentary
This is a precursor to ESA designation of critical ICT third parties. Firms should assess their concentration exposure to likely designation candidates — hyperscalers and core banking vendors — and begin engagement with critical providers on their own DORA oversight preparation.
Signal type: supervisory_guidance
Date: 2025-09-08
PRA/FCA Policy Statement PS6/21 — Building Operational Resilience
The PRA and FCA finalised joint policy requiring banks, insurers, and FMIs to identify important business services, set impact tolerances, and demonstrate the ability to remain within tolerances during severe but plausible disruptions. Self-assessment and scenario testing obligations became binding in March 2025 following a three-year implementation period.
AI Commentary
The March 2025 deadline has passed. Supervisors are now in active review mode and DORA has introduced equivalent EU obligations. Firms should treat the March 2025 self-assessment as a baseline and begin preparing for the first PRA/FCA thematic review, expected in H2 2025.
Signal type: supervisory_guidance
Date: 2021-03-29
Regulatory Alignment (2 packs)
APRA CPS 230 Operational Risk Management Alignment Pack
APRA Prudential Standard CPS 230 Operational Risk Management
APRA Prudential Standard CPS 230, effective 1 July 2025 (with transitional arrangements for service provider arrangements until 1 July 2026), consolidates and substantially uplifts operational risk management expectations for all APRA-regulated entities — ADIs, general and life insurers, private health insurers, and RSE licensees. CPS 230 supersedes CPS 231 (Outsourcing) and CPS 232 (Business Continuity Management), introducing three integrated pillars: operational risk management, business continuity, and management of service provider arrangements. The Standard is unambiguous that the Board is ultimately accountable for operational risk management and must approve the entity's operational risk profile, tolerance levels, business continuity plan, and service provider management policy. A central innovation is the requirement to identify 'critical operations' — processes which, if disrupted beyond tolerance levels, would have a material adverse impact on depositors, policyholders, beneficiaries, or financial system stability — and establish quantitative tolerance levels expressed as maximum disruption duration, maximum data loss, and minimum service levels. APRA's supervisory approach, articulated in CPG 230 (Prudential Practice Guide), emphasises end-to-end mapping including upstream and downstream dependencies, scenario testing under severe-but-plausible conditions, and rigorous management of material service providers including the so-called 'fourth parties'. APRA has signalled intensive thematic review activity through 2025-26, with deep-dive reviews of critical operations identification, tolerance level calibration, and material service provider registers expected.
EU DORA Digital Operational Resilience Alignment Pack
Regulation (EU) 2022/2554 on Digital Operational Resilience for the Financial Sector
The Digital Operational Resilience Act (DORA), which became fully applicable on 17 January 2025, establishes a unified, directly-binding ICT risk management regime across all EU regulated financial entities — banks, insurers, investment firms, CCPs, trading venues, crypto-asset service providers, and crowdfunding platforms. DORA elevates ICT risk from an operational sub-discipline to a board-level prudential concern, requiring management bodies to bear ultimate responsibility for ICT risk management frameworks, approve digital operational resilience strategies, and allocate appropriate budget. The Regulation is supplemented by a suite of Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) developed jointly by the ESAs, covering ICT risk management tools, incident classification, threat-led penetration testing (TLPT), and third-party risk management. A defining feature is the Oversight Framework for Critical ICT Third-Party Service Providers (CTPPs), under which the ESAs designate and directly supervise systemically important providers — including hyperscale cloud platforms — with powers to issue recommendations, conduct on-site inspections, and impose periodic penalty payments. Supervisory expectations centre on: demonstrable board engagement; granular mapping of ICT assets supporting critical or important functions; rigorous contractual provisions with ICT third parties using the mandatory Register of Information; severity-tiered incident classification with 4-hour initial notification for major incidents; and triennial advanced TLPT for significant institutions. Non-compliance carries reputational, supervisory, and pecuniary consequences, with national competent authorities empowered to impose administrative penalties calibrated to firm size and breach severity.
Benchmark Analysis (1 view)
Regulatory Enforcement Intensity — APAC vs UK Banking Operational Resilience FY2024
This benchmark compares enforcement intensity around operational resilience and third-party risk failures across APRA (Australia), MAS (Singapore), and the PRA/FCA (UK) for FY2024. The UK leads materially in monetary penalty volume, reflecting the post-March 2025 self-assessment deadline under PS6/21 and the FCA's willingness to use Principle 11 and SYSC 15A breaches as enforcement hooks following high-profile outages. APRA's CPS 230 came into force 1 July 2025, so FY2024 enforcement was dominated by precursor actions under CPS 234 (information security) and intensified prudential reviews of Big Four operational risk capital overlays. MAS, by contrast, relies more heavily on private supervisory letters and reprimands than headline fines — its enforcement intensity per supervised entity is structurally lower but its rate of formal Technology Risk Management notices increased ~35% YoY. Practitioners should read the divergence as stylistic rather than substantive: all three regulators are converging on the same expectations (impact tolerance setting, critical third-party mapping, scenario testing), but the UK's enforcement-led model produces visible deterrence costs while APAC regulators front-load supervisory dialogue. CROs operating multi-jurisdictionally should expect APRA enforcement intensity to rise sharply through FY2025 as CPS 230 self-assessments are reviewed, narrowing the gap with the PRA. Capital add-ons, not fines, will be the dominant APAC enforcement currency.