JANA and ASFA release new draft guidance note on implementation of operational risk prudential standard
JANA and the Association of Superannuation Funds of Australia (ASFA) have released a draft guidance note on how to best implement the new prudential standard CPS 230 Operational Risk Management Standard.
The note was drafted with the help of a broad working group of asset owners, managers and consultants and is intended to support consistent practices across the industry.
ASFA will consult its membership on the note, ahead of the standard coming into effect on 1 July 2025.
“Strengthening operational due diligence is critical for the stability and integrity of our industry. This updated guidance provides a clear roadmap for superannuation funds and investment managers to meet the evolving regulatory landscape and enhance their risk management frameworks to the benefit of everyday Australians,” Mary Delahunty, Chief Executive Officer of ASFA, said.
Key Changes to Guidance Note
CPS 230 requires APRA-regulated entities to assess and prepare for service disruptions from external providers, including investment managers, and strengthen their operational resilience to ensure business continuity.
“CPS 230 marks a significant shift in operational resilience, and this draft framework is designed to support consistent and practical risk management practices across both APRA-regulated and non-regulated entities,” Jo Leaper, Head of Operational Consulting at JANA said.
In the new draft guidance note, JANA and ASFA proposed a series of key updates, including:
- Regulatory alignment: Updates to align with CPS 230 and also CPS 234 Information Security, reinforcing a strong, enterprise-wide risk management culture.
- Investment manager operational due diligence review process: Encouraging investment managers to engage independent specialists for operational due diligence reviews, helping to lift industry standards, support consistency in assessments, and promote greater transparency.
- Enhanced guidance: Providing detailed guidance for independent reviewers and asset owners who self-service.
- Expanded review criteria: A more comprehensive set of criteria covering governance, personnel, IT security, ESG factors, business continuity, and data governance to align with CPS 230.
- Updated format: The new format is designed to enable review of enterprise and investment strategy alongside CPS 230 requirements.
- Regular reviews and updates: Recommendations for continuous improvement and alignment with evolving industry standards.
- Emphasis on transparency and independence: Encouragement of independent and specialised assessments to strengthen due diligence effectiveness.
CPS 230 was originally going to commence on 1 January 2024, but after concerns raised by the industry during consultation, APRA delayed the start until 1 July 2025 and included a further one-year transition to July 2026 to allow entities time to review contracts with existing service providers.
In 2023, Leaper penned an article to explain operational due diligence in Australia was then still relatively immature and that CPS 230 would mean a significant shift in how asset owners thought about managing these risks. But she also pointed out that the preparatory work for implementing the new prudential standard had helped set a baseline for the industry.
__________
[i3] Insights is the official educational bulletin of the Investment Innovation Institute [i3]. It covers major trends and innovations in institutional investing, providing independent and thought-provoking content about pension funds, insurance companies and sovereign wealth funds across the globe.