APRA CPS 220 Risk Management: the framework explained

APRA's Prudential Standard CPS 220 sets risk management governance and framework requirements for ADIs and insurers. Here's how it fits with CPS 510 (governance) and CPS 230 (operational risk).

Rules Mate Editorial | Published 1 June 2026 | 2 min read

What CPS 220 is

APRA’s Prudential Standard CPS 220 (Risk Management) establishes the requirements for risk management governance, the risk-management framework and risk-management strategy at APRA-regulated entities. These requirements are designed to ensure entities effectively manage their risks.

The standard applies to ADIs (banks, credit unions, building societies) and insurers (general, life, private health). It is intended to complement other standards within APRA’s prudential framework.

CPS 220 operates in conjunction with CPS 510 (Governance), CPS 511 (Remuneration), CPS 230 (Operational Risk) and CPS 234 (Information Security) to provide a comprehensive approach to prudential risk management.

Core requirements

The framework requires entities to establish and maintain a board-approved risk management framework. This framework must be kept up to date and address the material risks faced by the entity. A key component is a Risk Appetite Statement (RAS), which defines the types and level of risk the entity is prepared to accept in order to achieve its strategic objectives.

A board-approved business plan must be developed and maintained, ensuring it is aligned with the Risk Appetite Statement. To support effective risk management, entities must establish a designated Risk Management Function. This function needs to possess appropriate independence, status, and resources to fulfil its responsibilities.

To provide assurance regarding the effectiveness of the risk management framework, an Internal Audit Function must be in place. This function requires appropriate independence to test both the design and operation of the risk management framework.

Board and senior-officer accountability

The Standard places ultimate responsibility for the risk-management framework and the Risk Appetite Statement with the board. This means the board owns the framework and is accountable for its effectiveness. Directors should regularly review the framework’s performance and ensure it aligns with the organisation’s objectives.

The CEO is accountable for ensuring the risk-management framework is embedded within the organisation’s day-to-day operations. This includes fostering a culture of risk awareness and ensuring that risk management practices are consistently applied across all business activities. The Chief Risk Officer leads the Risk Management Function and typically reports to the board, either directly or through a board risk committee, providing oversight and challenge.

Material breaches of the risk-management framework trigger reporting obligations. These must be reported to APRA, alongside any other reporting requirements mandated by the Standard and other relevant legislation.

How CPS 220 interacts with CPS 230 and CPS 510

CPS 220 establishes the overarching risk management standard for APRA-regulated entities. CPS 230 provides a more detailed framework for operational risk and resilience, and is designed to operate within the broader architecture defined by CPS 220. This means that operational risk management practices must align with, and be consistent with, the principles and requirements outlined in CPS 220.

CPS 510 complements both CPS 220 and CPS 230 by addressing the governance arrangements necessary to support effective risk management and operational resilience. This includes considerations around board composition, committee structures, and the assessment of the fitness and propriety of individuals.

APRA expects regulated entities to implement an integrated framework that addresses all three standards. The intention is to avoid a fragmented approach to compliance, recognising that risk management, operational resilience, and governance are interconnected and mutually reinforcing.

Frequently asked

Who does CPS 220 apply to?

APRA-regulated entities — ADIs (banks, credit unions, building societies) and insurers (general, life, private health). It applies alongside CPS 510, CPS 511, CPS 230 and CPS 234.

How does CPS 220 differ from CPS 230?

CPS 220 is the overarching risk-management standard — governance, framework, Risk Appetite Statement, business-plan linkage. CPS 230 is more specific: operational risk and resilience, including critical operations, business continuity, and material service-provider management.
