APRA CPS 220 Risk Management

Australia

v2023

22 domains

23 controls

Australian Prudential Regulation Authority Prudential Standard CPS 220 sets out requirements for APRA-regulated entities to have an effective risk management framework, including the Board's responsibility for risk oversight, a Chief Risk Officer, and the 'three lines of defence' model. Applies to ADIs, insurers, and RSE licensees.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (22)

Assurance

1 controls

Controls in the Assurance domain of APRA CPS 220 Risk Management — 1 controls
Code	Title	Description
CPS220-11	Internal Audit	Maintain an internal audit function that provides independent assurance over the design and operating effectiveness of t...

Attestation

1 controls

Controls in the Attestation domain of APRA CPS 220 Risk Management — 1 controls
Code	Title	Description
CPS220-20	Declaration to APRA	Provide annual Board declaration to APRA on the institution's risk management framework, supported by adequate processes...

Board Oversight

2 controls

Controls in the Board Oversight domain of APRA CPS 220 Risk Management — 2 controls
Code	Title	Description
CPS220-02	Board Responsibility	The Board is ultimately responsible for the institution's risk management framework, its operating effectiveness, and a...
CPS220-03	Board Risk Committee	Establish a Board Risk Committee with independent directors, a clear charter, and direct access to the CRO and risk repo...

CRO

1 controls

Controls in the CRO domain of APRA CPS 220 Risk Management — 1 controls
Code	Title	Description
CPS220-09	Chief Risk Officer	Appoint a Chief Risk Officer with sufficient independence, authority, seniority, access to the Board, and direct reporti...

Capital

1 controls

Controls in the Capital domain of APRA CPS 220 Risk Management — 1 controls
Code	Title	Description
CPS220-15	ICAAP Linkage	Integrate the RMF with the Internal Capital Adequacy Assessment Process so capital reflects the institution's material r...

Change

1 controls

Controls in the Change domain of APRA CPS 220 Risk Management — 1 controls
Code	Title	Description
CPS220-13	New and Material Changes	Assess risks of new and materially changed products, services, systems, or processes before implementation.

Culture

1 controls

Controls in the Culture domain of APRA CPS 220 Risk Management — 1 controls
Code	Title	Description
CPS220-12	Risk Culture	Form a view of, monitor, and take action to address the risk culture and behaviors that may not align with desired risk...

Documentation

1 controls

Controls in the Documentation domain of APRA CPS 220 Risk Management — 1 controls
Code	Title	Description
CPS220-23	Documentation and Records	Maintain documentation evidencing the design, approval, operation, and review of the risk management framework.

Governance

1 controls

Controls in the Governance domain of APRA CPS 220 Risk Management — 1 controls
Code	Title	Description
CPS220-01	Application and Scope	Apply CPS 220 to APRA-regulated institutions including ADIs, general and life insurers, private health insurers, and RSE...

Group

1 controls

Controls in the Group domain of APRA CPS 220 Risk Management — 1 controls
Code	Title	Description
CPS220-17	Group Risk Management	Address risks arising at group level including contagion, intra-group exposures, and risks from non-regulated members.

Operating Model

1 controls

Controls in the Operating Model domain of APRA CPS 220 Risk Management — 1 controls
Code	Title	Description
CPS220-08	Three Lines of Accountability	Maintain clear delineation of responsibilities across business operations, the risk management function, and internal au...

Operational Risk

1 controls

Controls in the Operational Risk domain of APRA CPS 220 Risk Management — 1 controls
Code	Title	Description
CPS220-22	Operational and Non-Financial Risk	Manage operational risk including people, process, system, and external event risks within the RMF and risk appetite.

RMF

1 controls

Controls in the RMF domain of APRA CPS 220 Risk Management — 1 controls
Code	Title	Description
CPS220-04	Risk Management Framework	Maintain a Risk Management Framework comprising strategy, appetite, structure, policies, processes, people, systems, rep...

Regulator

1 controls

Controls in the Regulator domain of APRA CPS 220 Risk Management — 1 controls
Code	Title	Description
CPS220-19	Notification to APRA	Notify APRA of material breaches, significant changes to the RMF, or matters that may affect the prudential standing of...

Reporting

1 controls

Controls in the Reporting domain of APRA CPS 220 Risk Management — 1 controls
Code	Title	Description
CPS220-16	Risk Reporting	Provide timely, accurate, and complete risk reporting to senior management, the Board Risk Committee, and the Board.

Review

1 controls

Controls in the Review domain of APRA CPS 220 Risk Management — 1 controls
Code	Title	Description
CPS220-18	Comprehensive Review	Conduct a comprehensive review of the appropriateness, effectiveness, and adequacy of the RMF at least every three years...

Risk Appetite

1 controls

Controls in the Risk Appetite domain of APRA CPS 220 Risk Management — 1 controls
Code	Title	Description
CPS220-06	Risk Appetite Statement	Maintain a Board-approved Risk Appetite Statement covering nature and levels of risk willing to be accepted with measura...

Risk Function

1 controls

Controls in the Risk Function domain of APRA CPS 220 Risk Management — 1 controls
Code	Title	Description
CPS220-10	Risk Management Function	Maintain a risk management function with adequate resources, skills, and independence from revenue-generating activities...

Risk Identification

1 controls

Controls in the Risk Identification domain of APRA CPS 220 Risk Management — 1 controls
Code	Title	Description
CPS220-07	Material Risks Coverage	Identify and manage all material risks including credit, market, liquidity, insurance, operational, and strategic risks...

Strategy

1 controls

Controls in the Strategy domain of APRA CPS 220 Risk Management — 1 controls
Code	Title	Description
CPS220-05	Risk Management Strategy	Document a Risk Management Strategy approved by the Board describing how each material risk is managed across the instit...

Stress Testing

1 controls

Controls in the Stress Testing domain of APRA CPS 220 Risk Management — 1 controls
Code	Title	Description
CPS220-14	Stress Testing	Conduct stress testing aligned to material risks to support capital and liquidity planning and risk appetite assessment.

Third Party

1 controls

Controls in the Third Party domain of APRA CPS 220 Risk Management — 1 controls
Code	Title	Description
CPS220-21	Outsourcing and Service Provider Risk	Address risks from material outsourcing and service provider arrangements through due diligence, contracts, and ongoing...

Your Compliance Coverage

If you comply with APRA CPS 220 Risk Management, you already cover:

APRA SPS 220 Risk Management (Superannuation)

65%

15 controls mapped

Compare →

NIST SP 800-53 Rev 5

22%

5 controls mapped

Compare →

NIST Cybersecurity Framework 2.0

2 controls mapped

Compare →

See all 3 mapped frameworks ↓

Maps to 3 other frameworks

23 total controls

APRA SPS 220 Risk Management (Superannuation)

15 source controls mapped|17 target controls covered

65%

NIST SP 800-53 Rev 5

5 source controls mapped|4 target controls covered

22%

NIST Cybersecurity Framework 2.0

2 source controls mapped|2 target controls covered

Compare APRA CPS 220 Risk Management with APRA SPS 220 Risk Management (Superannuation)

Frequently Asked Questions

What is APRA CPS 220 Risk Management?

APRA CPS 220 Risk Management is a compliance framework from Australia with 22 domains and 23 controls. Australian Prudential Regulation Authority Prudential Standard CPS 220 sets out requirements for APRA-regulated entities to have an effective risk management framework, including the Board's responsibility for risk oversight, a Chief Risk Officer, and the 'three lines of defence' model. Applies to ADIs, insurers, and RSE licensees. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does APRA CPS 220 Risk Management have?

APRA CPS 220 Risk Management has 23 controls organised across 22 domains. The largest domains are Board Oversight (2 controls), Assurance (1 controls), Attestation (1 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does APRA CPS 220 Risk Management map to?

APRA CPS 220 Risk Management maps to 3 other compliance frameworks. The top mapping partners are APRA SPS 220 Risk Management (Superannuation) (65% coverage), NIST SP 800-53 Rev 5 (22% coverage), NIST Cybersecurity Framework 2.0 (9% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with APRA CPS 220 Risk Management compliance?

Start your APRA CPS 220 Risk Management compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about APRA CPS 220 Risk Management requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 23 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 700 frameworks.

Get Started Free →

Free forever — no credit card required