AlphaCert Insights

Key insights from the CPS 230 Investment Managers Interactive Panel

Written by AlphaCert | May 20, 2025 1:21:47 AM

As the financial services industry prepares for the implementation of CPS 230, APRA's new Operational Risk Management Prudential Standard, a group of investment managers and industry leaders gathered for events in Sydney and Melbourne focused on operational resilience. Hosted by EY and in partnership with AlphaCert and AustralianSuper, the session offered practical insights, peer comparisons, and a look at the challenges and opportunities surrounding CPS 230. 

 
Why CPS 230 Matters 

More than just a compliance update, CPS 230 represents a fundamental shift in how the financial services industry manages operational risk, third-party dependencies, and business continuity. While APRA's spotlight is currently on regulated entities, the ripple effects are being felt across the broader ecosystem, including non-APRA regulated firms that are classified as Material Service Providers (MSPs). This includes investment managers with superannuation funds as clients. 

Key themes from the interactive panel 

Operational resilience is a strategic imperative, not just a compliance exercise 

Participants agreed that operational resilience is no longer just the remit of risk or compliance teams. It requires organisation-wide coordination, from front-line teams right up to the board.  

Hanny Hassan, Technology Risk and Advisory Partner at EY, highlighted that the three pillars of CPS 230 are: operational risk management, business continuity management, and third-party risk management. He noted the importance of shifting from a siloed, functional view to an end-to-end understanding of critical processes, especially those impacting customer outcomes. 

Third and fourth-party risk is under the microscope

Third-party management emerged as perhaps the most complex aspect of CPS 230 implementation. The standard calls for robust oversight of MSPs, but the panellists noted significant gaps in current approaches, especially the need for a coherent view of who their MSPs rely on further down the value chain.

Gehan Ranasinghe, Manager, Operational Due Diligence at AustralianSuper, shared that they are expecting their material service providers to embed their external vendors into their BCP and DR testing cycles.

For investment managers who serve as third parties to superannuation funds and rely on their own service providers, this creates a particularly complex compliance landscape. 

Hassan pointed out there's a "competitive advantage for suppliers to APRA-regulated entities" who can demonstrate strong compliance—something forward-thinking firms should take note of.

Evolution, not revolution

The audiences at both interactive panels were largely made up of non-APRA regulated service providers, mostly representing investment managers. When polled about their progress, the majority of the audiences at both events indicated they are "partially progressed". Given CPS 230 takes effect on 1 July 2025, it's concerning that a third of attendees said they had given only "limited consideration" to the introduction of CPS 230. This raises questions about whether their APRA-regulated clients haven't engaged with them yet, or whether they simply haven't responded to the challenge.

Figure 1: How far progressed are you in considering CPS 230 implications for your organisation? 

Those further along in their journey see CPS 230 implementation as "evolution rather than revolution." They shared that mapping end-to-end processes had been instrumental in identifying vulnerabilities and resilience requirements. Many noted they already had substantial controls in place that aligned with CPS 230, requiring integration rather than wholesale change. 

Practical considerations

The panels surfaced several practical considerations for investment managers: 

  • Material impact definition: Clarifying what constitutes "material adverse impact" in an investment management context is crucial, with unit pricing capabilities highlighted as one critical function
  • Tolerance levels: These need to be cross-disciplinary and aligned across parties in the ecosystem
  • Evidence: Particularly for BCP/DR tests and cybersecurity posture
  • GS007 limitations: While GS007 provides a starting point, it doesn't offer comprehensive coverage for CPS 230 requirements 

When asked about their biggest challenges, many attendees raised resourcing issues. For smaller investment managers, CPS 230 preparation is putting a real strain on their businesses. 

Figure 2: What aspects of CPS 230 do you see as representing the biggest challenge for your organisation?  

Mark MacLeod, GM Australia at AlphaCert (an MSP), shared their experience of preparing for CPS 230. He echoed the resourcing concerns, noting they're a small organisation that's been actively engaged with their APRA-regulated clients. He emphasised that merely saying "yes, we can do these things" will no longer suffice, and that clients want to see the evidence at a standard suitable for their requirements. MacLeod also stressed the role of technology in supporting CPS 230 compliance and the importance of having a robust technology stack.

1 July 2025 and beyond 

From the results of audience polling, many investment managers still have quite a bit of work ahead. 

Figure 3: From here, what do you think your immediate next steps would be?

But compliance isn't the finish line. The panel addressed concerns about transitioning CPS 230 from a project to business-as-usual. "What confidence do you have that it won't fall in a heap once the project winds up?" captured this sentiment perfectly, with Hassan emphasising that true operational resilience requires embedding practices throughout the organisation and sustaining them beyond initial implementation. 

CPS 230 programs must be designed to respond to organisational change and evolving client and regulatory expectations. 

Conclusion 

As investment managers finalise their CPS 230 implementation ahead of the compliance deadline, the interactive panel underscored that success requires more than technical solutions. Organisations need to embrace a holistic approach to operational resilience that spans risk management, third-party oversight, and customer impact consideration—ultimately transforming how the industry thinks about maintaining critical operations in the face of disruption. 

Talk to us about how AlphaCert can support your CPS 230 readiness.