The deadline for APRA-regulated entities to comply with CPS 230 is fast approaching, and a risk industry specialist has urged insurers to bring advisers along for the ride.
Life insurers – and every other APRA-regulated entity – have until 1 July 2025 to comply with Prudential Standard CPS 230 Operational Risk Management (CPS 230), which is a new standard that marks a significant step-up in how regulated entities manage operational risk, business continuity and oversight of third-party providers.
According to Risk Hub founder Marc Fabris, while financial advisers may not be “directly regulated” under CPS 230, the second-order impacts are “substantial”.
This is particularly true for risk insurance advice, Fabris said, with advisers in this space routinely engaging with “insurer platforms, quoting systems and sensitive client data like medical history, income details and personal risk profiles”.
“This isn’t just an institutional issue. It’s a practical one – and advisers need to be part of the conversation,” he said.
Unfortunately, he added, while the new standard “rightly raises the bar” for institutions, the role of advisers remains a “blind spot in many roadmaps”.
“The danger is that systems get locked down or reworked without factoring in adviser workflows – creating new friction rather than solving existing risk,” Fabris said.
“Many practices are still evolving their digital maturity. If we want the industry to meet the intent of CPS 230, we need insurers to work in partnership with advisers – helping modernise workflows and data handling without just tightening the gate.”
The standard, originally released in July 2023, rolls together existing standards on outsourcing, business continuity and operational risk into a unified framework.
It could see portal access getting much tighter, with stronger, clearer control over access to client data, as well as the possibility of limitations on secondary users or outsourced admin staff.
There are also likely to be changes to how information is exchanged, Fabris said, with CPS 230 putting pressure on insurers to clean up the manual movement of client data.
Similarly, advisers could be asked some questions about their controls as insurers seek to “shore up their own risk management”.
For financial advisers, especially those working in risk insurance, it’s wise to stay aligned with these standards, Fabris added.
“If your business relies on APRA-regulated providers or third-party platforms, understanding CPS 230 will help you improve your own resilience, demonstrate good practice and align with rising industry expectations,” he said.
The Cyber Collective founder Fraser Jack said the CPS 230 deadline provides the perfect opportunity for advice firms to “tighten the ship” around cyber security.
“Security in small advice practices is still hit and miss. Shared logins, weak password hygiene, no onboarding/offboarding process – it’s common and it’s risky,” Jack said.
“CPS 230 should be a wake-up call – not just for institutions, but for advisers too. The data they hold is deeply personal. Health history, income, family structure – it’s a treasure trove if mishandled.
“What’s needed isn’t just tech – it’s training, process and culture change. Even basic habits like knowing who has access to what, and when, can dramatically reduce risk.”
Fabris added that firms should use the deadline to review operational risk controls, strengthen business continuity plans and revisit third-party arrangements to ensure they align with best practice under CPS 230.
“This is a real opportunity to clean up long-standing pain points: shared logins, poor access controls, clunky document uploads. But it only works if advisers are at the table,” he said.