Comply with APRA CPS 220 (Risk Management)
APRA-regulated entities must have a comprehensive risk management framework.
Who must comply
APRA-regulated entities (ADIs, insurers, super trustees).
What triggers it
Being APRA-regulated.
When due
Continuous; annual board attestation.
Evidence required
RMF, board approval, risk appetite statement, risk register, BCM, attestation.
Max penalty
APRA enforcement actions including capital, licence conditions
Summary
CPS 220 requires APRA-regulated entities to maintain a Board-approved Risk Management Framework covering: risk appetite, risk culture, three lines of defence, risk register, business continuity, and material risks. Annual board attestation.
Enforced by
Industries
Topics
Related obligations
- CWLTHComply with APRA CPS 234 (Information Security)APRA-regulated entities must maintain information security capability commensurate with the size and extent of threats.
- CWLTHComply with APRA CPS 230 (Operational Risk Management)APRA-regulated entities must manage operational risk including a comprehensive third-party / outsourcing register from 1 July 2025.
- CWLTHAdopt and maintain a Critical Infrastructure Risk Management Program (CIRMP)Covered critical infrastructure entities must adopt a CIRMP addressing cyber, physical, personnel, and supply-chain hazards.
Frequently asked questions
- Who must comply with APRA CPS 220 (Risk Management)?
- APRA-regulated entities (ADIs, insurers, super trustees).
- What triggers APRA CPS 220 (Risk Management)?
- Being APRA-regulated.
- When is APRA CPS 220 (Risk Management) due?
- Continuous; annual board attestation.
- What is the maximum penalty for APRA CPS 220 (Risk Management)?
- APRA enforcement actions including capital, licence conditions
- What evidence is required for APRA CPS 220 (Risk Management)?
- RMF, board approval, risk appetite statement, risk register, BCM, attestation.
Source: https://apra.gov.au/risk-management. Rules Mate is not a law firm. Always verify against the live regulator source before acting.