AU: CPS 220 Risk Management
|
|
| Regulator |
APRA |
| Jurisdiction |
AU |
| Status |
live |
| Applicability |
Platform |
APRA Prudential Standard CPS 220 Risk Management applies to all APRA-regulated entities including
ADIs. It requires a sound risk management framework underpinned by board-approved governance: a
Risk Management Strategy (RMS), a Risk Appetite Statement (RAS), and an Internal Capital Adequacy
Assessment Process (ICAAP). The board must attest annually that the risk management framework is
operating effectively. CPS 220 is the foundation standard — all other prudential risk standards
(CPS 230, CPS 234, APS 110, APS 210) operate within the framework it establishes.
The risk management platform (MOD-150) is the primary platform control under CPS 220. It computes
the RAF dashboard continuously, auto-populates the operational risk register, and produces the
board risk report automatically. The stress testing engine (MOD-034) provides the ICAAP and
capital stress test data. Board approval of the RMS, RAS, and ICAAP, and the annual board
attestation, are institutional obligations.
Compliance register
This register maps every material obligation under the standard to the platform control or
institutional process that satisfies it. It is the static traceability layer for the Totara
compliance report — dynamic data (module build status, test evidence, control test dates) is
overlaid at runtime.
Scope legend
| Symbol |
Meaning |
| 🤖 Automated |
Platform enforces or performs the obligation. Primary control mode is GATE, AUTO, CALC, or ALERT. Human action is not required in the normal case. |
| 📊 Evidenced |
Platform captures the evidence trail automatically. Human compliance decision sits on top. Primary control mode is LOG. |
| 🏛 Institutional |
Obligation is met by a process entirely outside the platform — training programmes, board governance, HR, legal. Platform may generate evidence inputs but does not own the process. |
| N/A |
Obligation does not apply to this deployment configuration. |
Build legend
| Symbol |
Meaning |
| ✅ |
Module built and deployed |
| 🔨 |
Module planned — not yet built (build_status: Not started) |
| ❌ |
Uncontrolled gap — no module attributed |
Part 2 — Risk management framework
| Ref |
Obligation |
Scope |
Policy |
Platform controls |
Build |
| Para 15 |
Establish and maintain a Risk Management Strategy (RMS) — board-approved; reviewed at least annually |
🏛 Institutional |
OPS-004 |
RMS is a board-approved governance document. MOD-150 (CALC) provides the RAF dashboard data that informs the RMS review; the strategy document itself is institutional. |
🔨 |
| Para 16 |
Board-approved Risk Appetite Statement (RAS) — quantified risk appetite thresholds by risk domain |
🏛 Institutional |
OPS-004 |
RAS is a board document. MOD-150 (CALC) continuously computes actual risk against RAS thresholds and alerts the CRO and Board Risk Committee on breach; the RAS thresholds are configuration inputs to MOD-150. |
🔨 |
| Para 17 |
Three lines of defence model — documented and operating effectively |
📊 Evidenced |
OPS-004 |
MOD-047 (LOG) — first-line agent actions logged; MOD-048 (LOG) — second-line system decisions logged; MOD-151 (LOG) — risk cases available to third line; MOD-063 (LOG) — all communications logged. Role separation enforced at MOD-044 (GATE). |
🔨 |
| Para 18 |
Independent risk management function — CRO independent from business lines, reports to board risk committee |
🏛 Institutional |
OPS-004 |
CRO reporting line and independence are governance matters. Platform has no role. |
— |
| Para 19 |
Risk reporting — regular risk reports to board and senior management |
🤖 Automated |
OPS-004 |
MOD-150 (AUTO) — board risk report generated automatically from risk platform data; no manual assembly; RAF dashboard continuously computed and available to board at any time |
🔨 |
| Para 20 |
Risk appetite monitoring — ongoing monitoring of actual risk against RAS thresholds |
🤖 Automated |
OPS-004 |
MOD-150 (CALC) — RAF dashboard is continuously computed from SD06 outputs; RAF threshold breach auto-alerts the CRO and Board Risk Committee chair with no manual trigger required |
🔨 |
Part 3 — ICAAP and stress testing
| Ref |
Obligation |
Scope |
Policy |
Platform controls |
Build |
| Para 21 |
Annual Internal Capital Adequacy Assessment Process (ICAAP) — board-approved; covers all material risks |
🤖 Automated |
OPS-004 |
MOD-034 (CALC) — stress testing engine provides the quantitative capital stress test section of the ICAAP; scenario inputs, model version, and results all logged; MOD-150 (CALC) — operational risk register provides the risk inventory section |
🔨 |
| Para 22 |
Stress testing programme — at least annual; covers credit, liquidity, market, and operational risk |
🤖 Automated |
OPS-004 |
MOD-034 (CALC) — stress scenario engine executes at least annual and ad hoc scenarios; covers all risk types; outputs structured for ICAAP integration |
🔨 |
| Para 23 |
ICAAP must be submitted to APRA on request |
🏛 Institutional |
OPS-004 |
ICAAP submission is a CFO / CRO process. MOD-034 and MOD-150 provide the quantitative sections; the document and submission are institutional. |
— |
| Para 24 |
Board attestation — annual attestation that the risk management framework is operating effectively |
🏛 Institutional |
OPS-004 |
Annual attestation is a governance process. MOD-150 provides the data that supports the attestation; the sign-off is institutional. |
— |
| Obligation |
Owner |
Platform evidence input |
| Board approval of Risk Management Strategy (annual) |
Board |
MOD-150 RAF dashboard provides data inputs for the review |
| Board approval of Risk Appetite Statement (annual or on material change) |
Board |
MOD-150 provides current RAS threshold monitoring data |
| CRO appointment and independence from business lines |
Board |
Structural governance — platform has no role |
| Annual ICAAP document preparation and board approval |
CFO / CRO |
MOD-034 provides stress test data; MOD-150 provides risk register; narrative and document are institutional |
| Annual board attestation to APRA |
Board |
MOD-150 provides supporting evidence; attestation is institutional |
| APRA submission of RMS and ICAAP on request |
Chief Compliance Officer / CFO |
MOD-036 and MOD-034 provide data packages; submission is institutional |
Coverage summary
| Area |
Total obligations |
Platform automated 🤖 |
Platform evidenced 📊 |
Institutional 🏛 |
N/A |
| Risk management framework |
6 |
2 |
1 |
3 |
0 |
| ICAAP and stress testing |
4 |
2 |
0 |
2 |
0 |
| Total |
10 |
4 (40%) |
1 (10%) |
5 (50%) |
0 (0%) |
The platform automates the data-intensive obligations (RAF monitoring, stress testing, board
risk reporting) while the governance obligations (RMS, RAS, ICAAP board approval, annual
attestation) are institutional. All attributed modules are currently build_status: Not started.
| Policy |
Title |
| OPS-004 |
Operational Risk Policy |
See D08 Governance & Accountability and D09 Operational Resilience for the related risk domains.
Official documentation
Policies referencing this standard
- DT-005 — Model Risk Management Policy
- DT-013 — Model Validation & Audit Policy
Compiled 2026-05-22 from source/entities/regulations/au-cps-220.yaml