The white noise associated with APRA Prudential Standard CPS 230 in connection with material service providers has tended to distract from the benefits of CPS 230.
It should be remembered that CPS 230 includes an amalgamation of 2 existing prudential standards:
- CPS 231 Outsourcing; and
- CPS 232 Business continuity management
With effect from July 2025, outsourcing and business continuity management for general insurers will be governed by CPS 230.
CPS 230 requirements only apply to General Insurers who are authorised by APRA under section 12 of the Insurance Act. However, CPS 230 and the associated Prudential Practice Guide CPG 230 (PPG CPG 230) provide very useful guidance and information for anyone operating a business in general insurance, including Underwriting Agencies, TPAs, Insurance Brokers and service providers.
It should be remembered that holders of an AFS Licence must have adequate risk management systems. Business continuity and outsourcing are a critical part of risk management.
Process mapping material business processes
APRA expects that, in implementing CPS 230, a prudent general insurer would start with the identification of its critical operations. A general insurer would (see paragraph 2 PPG CPG 230):
a) identify its critical operations (note that claims processing is a deemed critical business operation for an insurer; however, any other critical operation must also be identified);
b) set tolerance levels for disruption of these critical operations; and
c) identify the processes and resources needed to deliver these critical operations, including material service providers.
Identification of critical (or material) business operations is a very sensible starting point.
Business continuity steps
As mentioned, business continuity applies not only to general insurers; it is also relevant for Underwriting Agencies, TPAs, Insurance brokers and anyone providing general insurance products or services.
Here are some simple steps to get you started:
- Identify, at an enterprise level, material business activities such as distribution, underwriting, claims, broking, complaints, information management, marketing etc.
- for each of the material business activities, map out the end-to-end, 5-10 key sub-activities that, combined, enable the material business activity to be delivered. As an example, think about the end-to-end process for claims: FNOL, assessment, claim decision etc.
- consider each of the sub-activities in terms of people, IT, process, outsourcing & information (collectively resources). This provides a matrix of sub-activities x resources needed to deliver your material business activities. This information alone provides very useful insights into managing your business and business risks.
- Consider the tolerance level for each of the sub-activities in the event of a disruption to any of the identified resources. Tolerances should be set based on (refer PPG 230 paragraph 32):
– the impact on customers and other stakeholders of a disruption;
– the financial and reputational impact on your business from a prolonged or material disruption;
– the financial and reputational impact on the broader financial system, including any flow-on effects or contagion;
– legal or regulatory requirements; and
– recovery objectives.
- Factors to consider when setting tolerances include (refer Table 4 PPG CPG 230): (i) the maximum allowable disruption period; (ii) the minimum data loss tolerated; and (iii) the minimum level of services to be restored
- consider key controls and contingency plans in respect of each sub-activity, and the resources needed to deliver those sub-activities.
- the above steps will enable you to adopt an approach that includes measures to minimise the immediate impact of a disruption; activate contingency arrangements; and facilitate the recovery of critical operations. This becomes the basis for your Business Continuity Plan (BCP).
- It is also important that you test your BCP, update it annually or as soon as possible after a material change to your operations, and audit the BCP.
- If you identify that a service provider is used as a resource in providing any of the sub-activities, it is necessary to monitor and manage your service providers and any 4th party provider (refer paragraphs 50 – 56 of PPG CPG 230).
Using APRA Prudential Standards as a base for adopting sound risk management practices
CPS 230 applies to APRA regulated general insurers; however, all AFS Licensees in general insurance can benefit from the CPS and CPG guidance provided by APRA, especially in respect of managing operational risk, outsourcing, business continuity and service providers.
The key is to adopt the APRA principles and tailor them (scale-down) to the nature, scale and complexity of your business.