How to achieve APRA CPS 230 compliance with Gatekeeper

APRA CPS 230 is the Prudential Standard for Operational Risk Management. It aims to ensure that APRA-regulated entities manage operational risks effectively, maintain critical operations during disruptions, and meet compliance obligations.

What is APRA CPS 230?

Its scope covers a range of operational risks, including legal, regulatory, compliance, conduct, technology, data, and change management.

APRA CPS 230 impacts vendor-facing teams such as Procurement, Vendor Management, and Legal by necessitating the effective management of operational risks and disruptions - including those arising from service providers.

It requires these teams to identify, assess, and manage risks that may result from inadequate or failed internal processes or systems, actions or inactions of people, or external drivers and events.

Teams must ensure they can meet prudential obligations while relying on a service provider, and remediate any material weaknesses in operational risk management promptly. This includes developing and maintaining governance arrangements for the oversight of operational risk.

Teams must have a system in place to manage contracts across their entire lifecycle. This includes having a clear process for contract review and approval and having a system for tracking and monitoring contract performance.

This can be achieved through the use of digital tools that provide complete visibility of vendors and contracts. That’s where we advocate the use of a Vendor & Contract Lifecycle Management (VCLM) platform like Gatekeeper.

In this article, I’m going to give you a breakdown of how you can be APRA CPS 230 compliant with a VCLM approach.

 

Key Objectives of APRA CPS 230

The key requirements of CPS 230 are that an APRA-regulated entity must:

• Identify, assess and manage its operational risks, and maintain appropriate standards for conduct and compliance with effective internal controls, monitoring and remediation
• Be able to continue to deliver its critical operations within tolerance levels through severe disruptions, with a credible business continuity plan
• Effectively manage the risks associated with service providers, with a comprehensive service provider management policy, formal agreements and robust monitoring.

Your business needs to have everything in order by 1 July 2025 to comply with the new regulation.

APRA CPS 230 Compliance Requirements for Vendor-Facing Teams

APRA CPS 230 imposes several requirements on vendors and service providers:

1. Contracts with service providers must include mandatory clauses related to risk management, contingency plans, and security measures.
2. APRA-regulated entities must not rely on a service provider unless they can ensure its compliance with their prudential obligations and manage associated risks effectively.
3. Detailed vendor reporting is required, with a focus on incident management and third-party risk management.
4. Entities must develop governance arrangements for the oversight of operational risk and processes for the management of service provider arrangements.
5. Existing contracts with service providers must meet these requirements from the next renewal date or by 1st July 2026.
6. A clear and complete description of services, service level descriptions, and data protection provisions must be included in contracts.
7. APRA-regulated entities must also maintain a register of information on their ICT contracts and distinguish between those supporting critical functions and those that do not.

Consequences of Non-Compliance with APRA CPS 230

Where APRA considers that an APRA-regulated entity’s operational risk management has material weaknesses, it may:

• Require an independent review of the entity’s operational risk management approach
• Require the entity to develop a remediation program
• Require the entity to hold additional capital, as relevant
• Impose conditions on the entity’s licence
• Take any other actions required in the supervision of CPS 230.

The Board of your business is ultimately accountable for the oversight of an entity’s operational risk management but senior management is responsible for it across the end-to-end process for all business operations.

If you can’t prove compliance, APRA has the authority to impose significant financial penalties and sanctions on the business including infringement notices, directions to cease specific activities, and licence suspensions.

You need a platform and processes in place that can simplify your compliance efforts.

We’ll now break down how our vendor and contract lifecycle management platform can support your compliance efforts.

We’ll go a step further and break down how you address this with your existing vendors and their contracts, and then for new vendors.

Contract Compliance for APRA CPS 230

Existing Vendors and Contracts

All your existing vendor contracts should be in your contract repository, linked to a specific vendor. You’ll now have to carry out checks across all of your vendor contracts to ensure that your contracts contain provisions around the following:

1. A clear and complete description of services, service level descriptions, and data protection provisions
2. Risk management provisions
3. Contingency plans and their management
4. Security measures
5. Audit requirements

You’ll be able to access every vendor contract via the contract record, where you’ll find your “master” contract. Any additional contract documents will be found in the files area, and you can click the eyeball to see them.

Either way, you can use AI to search the contract to review quickly whether or not the contract contains CPS 230-compliant clauses.

CPS 230 Custom Data Section Creation

To track all of this in Gatekeeper, we could create an APRA CPS 230 custom data point to assess each contract's compliance level. I’ve gone for these as an example here:

CPS 230 Custom Data Dropdown Status Creation

• CPS 230 Compliant
• CPS 230 Partial Compliance
• CPS 230 Non-Compliant

CPS 230 Compliance Status in the Vendor Record

This is important because we can use this data point to report via “Saved Views” (one of my favourite Gatekeeper features) and pull partial and non-compliant contracts into a contract amendment workflow.

Contract amendment workflow

We can then create an APRA CPS 230-specific contract amendment workflow using our Best Practice Workflows and trigger the relevant contracts onto this card to begin the contract amendment process without vendors.

New Vendors and Contracts

For new vendor contracts, it’s straightforward. You can make use of the contract review best practice workflow to carry out your:

• Review
• Negotiation
• Approvals
• Signature
• Storage

As you review the contract, you can use the custom data point you’ve already created to signal the compliance level pre- and post-negotiation. This will force compliance; if any contract is anything less than compliant, you can prevent it from moving forward.

Safeguard compliance with Gatekeeper workflows

APRA-regulated entities must not rely on a service provider unless they can ensure compliance with their prudential obligations.

This is where being an APrA-regulated entity gets difficult as we need evidence that we’re actually showing the reviews and due diligence we’re carrying out on our vendors (service providers).

As part of your APRA compliance obligations, you’ll need to show that:

• You have comprehensive risk management frameworks in place and your vendors are not impacting your defined tolerance levels negatively.
• You have effective and strong governance throughout your organisation.
• You have defined internal and external audit requirements that will look at every part of your organisation, including your supply chain.
• You have plans in place to manage your outsourced functions and you have business continuity plans in place.

All of these can be impacted significantly by the vendors you choose. So the easiest way to gather this information is to carry out effective due diligence of every vendor. You can do this by using the vendor onboarding best practice workflow and creating a set of questions specific to CPS 230 to cover your compliance requirements.

If you want to report on this data, you’ll need to utilise custom data to create this (like we did with that contract compliance point).

Detailed Vendor Reporting for CPS 230

You’ll now have to report on two key areas which are:

• Incident management
• Third-party risk management

For Incident Management:

The Risk Module within Gatekeeper is the best place to track potential and current incidents. Ideally, you can preempt any potential incidents and build risk mitigations in collaboration with your vendors.

Gatekeeper's Risk Module

As part of your vendor onboarding process, you can ensure you get up-to-date copies of:

• Insurance Documents
• Risk Management Plans
• Business Continuity Plans
• Disaster Recovery Plans
• Penetration Tests
• And anything else of relevance.

For each of these, we will use the File Expiration Best Practice Workflow to notify that the vendor needs to update their documentation and your team can review their updated positions, either rejecting them or approving them throughout the life of the vendor relationship.

For new vendors, you’ll need to ensure that your processes are capturing this information, and it would be beneficial to create a phase dedicated to risk capture and mitigation.

For existing vendors, you may need to get additional information from your vendors.

For Third-Party Risk Management

We can use the Risk Register again, but I’ll take this further by utilising Gatekeeper’s Market IQ Suite. With this, we can review and continuously monitor our vendors for credit, cyber, and OFAC risks 24/7/365. What’s great is that if we notice a downward trajectory in credit or cyber health, we can use automated workflows to kick-start a risk mitigation process.

From a reporting angle, all of this data is available in Saved Views, and a more detailed breakdown of risk history is available on each individual vendor record.

Every Vendor Management and Legal team understands the importance of oversight and effective processes to monitor risks and manage contracts.

If you haven’t already, ensure that you build out a clear vendor risk and contracting policy to satisfy this requirement. This might be a section within a wider piece that covers organisational risk (ideal), or your wider procurement process.

You can then ensure that the key requirements are built into your vendor and contract workflows to ensure you’ve covered everything.

Existing contracts with service providers must meet these requirements from the next renewal date or by 1st July 2026.

In short, all of your contracts from this date onwards need to be CPS 230 compliant. So you’ll need to build compliance checks into your contract renewal process. For any contract that is going to be renewed, you’ll need to make sure that everything else we’ve covered up to now is included.

We can do this by utilising our renewal process to review contracts and negotiate the required changes with the vendor to become compliant.

A clear and complete description of services, service level descriptions, and data protection provisions must be included in contracts.

For Existing Vendors

We’ll review every contract using AI to ensure that we’ve got a clear description in place. This will usually be found in the schedules, a Statement of Work, Data Processing Agreements, or a dedicated section of Service Level Agreements.

We can use the Contract Record AI Summary in the Contract Record to get a sense of what each contract is about. If it isn’t pulling through, it’s likely the contract doesn’t have a clear description and needs work.

For any contract that isn’t compliant, much like we did with the earlier specific clauses, we will need to use the Contract Amendment Best Practice Workflow with our vendors to make these changes.

For New Vendors

This can be captured as part of your contract review phase. A useful tip would be to build this into your contract playbook and link to it within your guidance notes in your contract review phase. Additionally, you could create a checklist that is required to be completed before you can move the card onto a new phase.

APRA-regulated entities must also maintain a register of information on their ICT contracts and distinguish between those supporting critical functions and those that do not.

We can capture this information using that data point “Category” for our contracts.

We’ll create two categories here:

• ICT - Critical
• ICT - Standard

Create categories within Gatekeeper

For new vendor contracts, you can capture this information during the contract review phase and include any guidance around categorising vendor contracts in the workflow.

You’ll need to:

1. Assess the current categorisation model
2. Move existing vendors into one of these two (or whatever categories work for you)
3. Document this (Gatekeeper will do this via history in your repository or you could build a categorisation workflow to assist)
4. Build a “Saved View” for your ICT - Critical Vendors.
   
   

Build a saved view within Gatekeeper

Your APRA CPS 230 Compliance Checklist

Now that we’ve given you a deep dive into how you can achieve CPS 230 compliance with Gatekeeper, it’s time to step back and review everything you need to develop and maintain:

Governance Arrangements for Oversight of Operational Risk

• Establish clear governance structures within your organisation for the oversight of operational risks, including those associated with vendors.
• Define roles and responsibilities for managing and overseeing operational risks across the procurement process.
• Ensure senior management and relevant stakeholders are involved in the oversight of operational risks.

Assessment of Operational Risk Profile

• Regularly assess the operational risk profile of your organisation, including risks introduced by vendors.
• Develop a clear risk appetite statement that includes considerations for vendor-related risks, supported by specific indicators and limits.
• Implement a process to assess the operational risk of potential and existing vendors as part of the procurement process.

Internal Controls for Management of Operational Risks

• Design and implement internal controls to manage operational risks, including those related to vendor engagements.
• Ensure there are controls in place for the selection, onboarding, and ongoing management of vendors.
• Conduct regular reviews and tests of these internal controls to ensure they are effective and address new or evolving risks.

Monitoring, Analysis, and Reporting of Operational Risks

• Set up mechanisms for ongoing monitoring and analysis of operational risks, including those associated with vendors.
• Develop a framework for reporting operational risks and incidents, both internally and to relevant external parties (including APRA, as required).
• Create escalation processes for significant operational incidents or events, ensuring timely management and resolution.

Business Continuity Plans (BCPs)

• Develop and maintain business continuity plans that address how your organisation, including its critical vendor relationships, will manage and respond to disruptions.
• Ensure these plans are tested regularly with scenarios that are severe but plausible, including those affecting key vendors.
• Review and update your BCPs to reflect changes in your operational environment or vendor landscape.

Management of Service Provider Arrangements

• Implement processes for the thorough selection and management of service providers, with a focus on operational risk implications.
• Regularly assess and monitor the operational risks associated with third-party service providers.
• Ensure contractual agreements with vendors clearly outline operational risk management expectations, responsibilities, and reporting requirements.

Using a VCLM platform will streamline and simplify all of the above - giving you the total visibility and complete control you need to safeguard your business and prove APRA CPS 230 compliance.

If this sounds like something your business needs, get in touch with our team to see how we can help.