APRA SPS 220 Risk Management (Superannuation)

Australia

v2023

15 domains

35 controls

Australian Prudential Regulation Authority Prudential Standard SPS 220 sets out risk management requirements specifically for RSE licensees (superannuation trustees). It requires RSE licensees to maintain a Board-approved risk management framework covering material risks to the business operations and to the interests of beneficiaries.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (15)

Assurance

1 controls

Controls in the Assurance domain of APRA SPS 220 Risk Management (Superannuation) — 1 controls
Code	Title	Description
SPS220-46	Comprehensive Review of RMF	A comprehensive review of the RMF must be conducted at least every three years by an operationally independent party.

Audit

1 controls

Controls in the Audit domain of APRA SPS 220 Risk Management (Superannuation) — 1 controls
Code	Title	Description
SPS220-48	Internal Audit of RMF	Internal audit must regularly review the design and effectiveness of the RMF.

Board and Senior Management

3 controls

Controls in the Board and Senior Management domain of APRA SPS 220 Risk Management (Superannuation) — 3 controls
Code	Title	Description
SPS220-14	Member Best Financial Interests	Risk management must support the duty to act in the best financial interests of beneficiaries.
SPS220-15	Senior Management Responsibility	Senior management responsible for implementing the risk management framework
SPS220-16	Risk Management Function	Establish a risk management function with appropriate authority and independence

Business Continuity

1 controls

Controls in the Business Continuity domain of APRA SPS 220 Risk Management (Superannuation) — 1 controls
Code	Title	Description
SPS220-50	Business Continuity Management	Business continuity arrangements must align with CPS 230 critical operations requirements.

Governance

7 controls

Controls in the Governance domain of APRA SPS 220 Risk Management (Superannuation) — 7 controls
Code	Title	Description
SPS220-13	Board Risk Responsibility	The Board of an RSE licensee is ultimately responsible for the risk management framework.
SPS220-14	Member Best Financial Interests	Risk management must support the duty to act in the best financial interests of beneficiaries.
SPS220-33	Risk Culture	The RSE licensee must establish and maintain an appropriate risk culture.
SPS220-37	Three Lines Model	Clear separation of risk management roles across first line operational management, second line risk and compliance, and...
SPS220-52	Conflicts Management	Conflicts of interest must be identified, recorded, and managed in member best financial interests.
SPS220-54	Fit and Proper	Responsible persons must meet fit and proper requirements per SPS 520.
SPS220-56	Whistleblower Arrangements	Whistleblower protections and arrangements must support risk identification and reporting.

Insurance

1 controls

Controls in the Insurance domain of APRA SPS 220 Risk Management (Superannuation) — 1 controls
Code	Title	Description
SPS220-27	Insurance Risk Management	Insurance risks in superannuation must be managed including counterparty and benefit design risk.

Investment

1 controls

Controls in the Investment domain of APRA SPS 220 Risk Management (Superannuation) — 1 controls
Code	Title	Description
SPS220-25	Investment Risk Management	Investment risk must be managed in line with the Investment Governance Framework and SPS 530.

Operational

1 controls

Controls in the Operational domain of APRA SPS 220 Risk Management (Superannuation) — 1 controls
Code	Title	Description
SPS220-29	Operational Risk Management	Operational risks must be managed consistent with the CPS 230 framework.

Reporting

2 controls

Controls in the Reporting domain of APRA SPS 220 Risk Management (Superannuation) — 2 controls
Code	Title	Description
SPS220-42	Risk Reporting to Board	Comprehensive risk reporting must be provided to the Board on a regular basis.
SPS220-44	Material Risk Event Reporting	Material risk events must be reported to APRA in line with prudential reporting requirements.

Review and Reporting

3 controls

Controls in the Review and Reporting domain of APRA SPS 220 Risk Management (Superannuation) — 3 controls
Code	Title	Description
SPS220-27	Insurance Risk Management	Insurance risks in superannuation must be managed including counterparty and benefit design risk.
SPS220-28	Risk Management Declaration	Provide annual risk management declaration to APRA
SPS220-29	Operational Risk Management	Operational risks must be managed consistent with the CPS 230 framework.

Risk Categories

4 controls

Controls in the Risk Categories domain of APRA SPS 220 Risk Management (Superannuation) — 4 controls
Code	Title	Description
SPS220-23	Material Risks Identification	All material risks must be identified including investment, operational, insurance, strategic, and outsourcing risks.
SPS220-24	Insurance Risk	Manage insurance risk for any insurance benefits offered by RSE licensee
SPS220-25	Investment Risk Management	Investment risk must be managed in line with the Investment Governance Framework and SPS 530.
SPS220-26	Strategic and Concentration Risk	Manage strategic risk and concentration risk across portfolios

Risk Management

4 controls

Controls in the Risk Management domain of APRA SPS 220 Risk Management (Superannuation) — 4 controls
Code	Title	Description
SPS220-17	Risk Management Framework	The RSE licensee must maintain a documented risk management framework covering all material risks.
SPS220-19	Risk Appetite Statement	A risk appetite statement must articulate the level of risk the RSE licensee is willing to accept.
SPS220-23	Material Risks Identification	All material risks must be identified including investment, operational, insurance, strategic, and outsourcing risks.
SPS220-40	Stress Testing	The RSE licensee must conduct stress testing for material risks including liquidity, investment, and operational scenari...

Risk Management Framework

3 controls

Controls in the Risk Management Framework domain of APRA SPS 220 Risk Management (Superannuation) — 3 controls
Code	Title	Description
SPS220-17	Risk Management Framework	The RSE licensee must maintain a documented risk management framework covering all material risks.
SPS220-18	Scope of Framework	Framework must cover all material risks to the RSE licensee's business operations
SPS220-19	Risk Appetite Statement	A risk appetite statement must articulate the level of risk the RSE licensee is willing to accept.

Risk Management Strategy

2 controls

Controls in the Risk Management Strategy domain of APRA SPS 220 Risk Management (Superannuation) — 2 controls
Code	Title	Description
SPS220-20	Risk Management Strategy	Develop and maintain a risk management strategy describing risk management approach
SPS220-22	Risk Identification and Assessment	Identify, assess, manage, mitigate, and monitor all material risks

Third Party

1 controls

Controls in the Third Party domain of APRA SPS 220 Risk Management (Superannuation) — 1 controls
Code	Title	Description
SPS220-31	Outsourcing Risk Management	Outsourcing arrangements must be managed in line with SPS 231 and CPS 230 service provider requirements.

Your Compliance Coverage

If you comply with APRA SPS 220 Risk Management (Superannuation), you already cover:

APRA CPS 220 Risk Management

61%

17 controls mapped

Compare →

NIST SP 800-53 Rev 5

32%

9 controls mapped

Compare →

NIST Cybersecurity Framework 2.0

18%

5 controls mapped

Compare →

+ 81 more: APRA CPS 230 Operational Risk Management (14%), UK AI Regulation Framework (14%)

See all 84 mapped frameworks ↓

Maps to 84 other frameworks

28 total controls

APRA CPS 220 Risk Management

17 source controls mapped|15 target controls covered

61%

NIST SP 800-53 Rev 5

9 source controls mapped|10 target controls covered

32%

NIST Cybersecurity Framework 2.0

5 source controls mapped|6 target controls covered

18%

APRA CPS 230 Operational Risk Management

4 source controls mapped|4 target controls covered

14%

UK AI Regulation Framework

4 source controls mapped|1 target controls covered

14%

ICAO Annex 17 - Aviation Security (AVSEC)

4 source controls mapped|2 target controls covered

14%

NIST AI Risk Management Framework (AI RMF 1.0)

4 source controls mapped|5 target controls covered

14%

AML/CTF Act 2006 (Australia)

4 source controls mapped|2 target controls covered

14%

ISO 27005

4 source controls mapped|6 target controls covered

14%

ISO/IEC 23894:2023

4 source controls mapped|7 target controls covered

14%

ISO/IEC 27557:2022 - Organisational Privacy Risk Management

4 source controls mapped|7 target controls covered

14%

API 1164

4 source controls mapped|3 target controls covered

14%

Authorised Economic Operator (AEO) Programmes - Global Standards

4 source controls mapped|2 target controls covered

14%

ISO 31000

4 source controls mapped|6 target controls covered

14%

ISO 27019

4 source controls mapped|3 target controls covered

14%

Annex 11 to EU GMP - Computerised Systems

4 source controls mapped|1 target controls covered

14%

NIST SP 800-171A Rev 3 - Assessing CUI Security Requirements

4 source controls mapped|3 target controls covered

14%

EASA Part-IS - Information Security in Aviation

4 source controls mapped|5 target controls covered

14%

AS9100D - Aerospace Quality Management System

4 source controls mapped|4 target controls covered

14%

ISO/IEC 27003:2017

4 source controls mapped|4 target controls covered

14%

FBI CJIS Security Policy

4 source controls mapped|2 target controls covered

14%

IEC 62443

4 source controls mapped|3 target controls covered

14%

AS9100D:2016 - Quality Management Systems for Aviation, Space, and Defence

4 source controls mapped|3 target controls covered

14%

NIST SP 1800-32

4 source controls mapped|3 target controls covered

14%

SSAE 18 - Attestation Standards (SOC Reporting)

4 source controls mapped|4 target controls covered

14%

Aged Care Quality Standards (Australia)

3 source controls mapped|1 target controls covered

11%

ISO 37000:2021 - Governance of Organizations

3 source controls mapped|2 target controls covered

11%

ISO 15189:2022 - Medical Laboratories Requirements for Quality and Competence

3 source controls mapped|1 target controls covered

11%

PCI P2PE

3 source controls mapped|3 target controls covered

11%

ISO 28001:2007 Supply Chain Security Management

3 source controls mapped|1 target controls covered

11%

BS 65000:2014 - Guidance on Organizational Resilience

3 source controls mapped|2 target controls covered

11%

APRA CPS 234

3 source controls mapped|3 target controls covered

11%

PCI SSF

3 source controls mapped|3 target controls covered

11%

IAIS Insurance Core Principles (ICPs)

3 source controls mapped|2 target controls covered

11%

IEC 62304:2015 Medical Device Software Lifecycle Processes

3 source controls mapped|3 target controls covered

11%

IEC 60601-1 - Medical Electrical Equipment Safety

3 source controls mapped|3 target controls covered

11%

PCI PIN Security

3 source controls mapped|3 target controls covered

11%

FFIEC IT Examination Handbook

3 source controls mapped|3 target controls covered

11%

FFIEC Cybersecurity Assessment Tool (CAT)

3 source controls mapped|2 target controls covered

11%

ISO/IEC 23837 - Security Requirements for Quantum Key Distribution

3 source controls mapped|2 target controls covered

11%

ISO 20400:2017 - Sustainable Procurement

3 source controls mapped|1 target controls covered

11%

ISO 22320:2018

3 source controls mapped|1 target controls covered

11%

ISO/IEC 38500:2024 - Governance of IT

3 source controls mapped|1 target controls covered

11%

ISO 31000:2018