CPS 220 Risk Management: Governance, Risk Appetite, and Assurance

Understanding CPS 220

CPS 220 Risk Management sets core expectations for how APRA-regulated institutions govern risk. It requires a clear risk management framework (RMF), a board-approved risk appetite statement (RAS), defined roles (board, risk committee, CRO, business), robust risk controls and monitoring, independent assurance, and management information (MI) that enables timely, informed decisions across the three lines of defence.


Why CPS 220 Matters

CPS 220 underpins everything from credit, market and liquidity to operational, cyber, conduct and third-party risks. Strong execution improves resilience, regulatory confidence, and customer outcomes, and reduces the chance of remediation, breaches and supervisory intervention. It also links naturally to CPS 230 (operational resilience), CPS 234 (information security), product governance and complaints/IDR.

Key implications for firms include:

  • A fit-for-purpose RAS with quantitative limits and qualitative statements.

  • End-to-end RMF covering identification, assessment, control, monitoring and reporting.

  • Independent, risk-based assurance and clear escalation thresholds.

  • Actionable MI and dashboards that surface emerging risks, trends and breaches.

  • Culture and accountability that make risk ownership real in the first line.


Key Challenges Facing Firms

  • Translating policy into practical controls and unambiguous accountabilities.

  • Building an RAS that genuinely constrains risk-taking and guides decisions.

  • Integrating non-financial risks (operational, cyber, conduct, third-party) with financial risk views.

  • Producing decision-useful MI (leading indicators, thresholds, triggers) rather than static reports.

  • Demonstrating an effective assurance map and closing findings promptly.

  • Keeping frameworks current as products, partners and regulations evolve.


How OCG Can Help

Oceanic Consulting Group (OCG) helps institutions turn CPS 220 from policy into practical, defensible practice.

Our services include:

  • RMF & RAS design/uplift with measurable limits and clear tolerances.

  • Role clarity & operating model across board, risk committee, CRO and the business.

  • Control libraries & KRIs, breach/issue management and escalation pathways.

  • MI & dashboarding that provides a single, decision-useful view of risk.

  • Assurance & audit coordination, closure tracking and evidence packs.

  • Linkage to CPS 230/234 and broader conduct/product governance so frameworks work as a whole.


FAQs

What is a Risk Appetite Statement (RAS)?
It defines the types and levels of risk an institution is willing to accept in pursuit of its objectives, with metrics and limits to guide decisions.

How should MI support CPS 220?
By providing timely, accurate and comparable measures (including KRIs and breaches) with clear ownership, thresholds and actions.

How does CPS 220 relate to CPS 230 and CPS 234?
CPS 220 provides the risk-governance spine; CPS 230 and CPS 234 set specific expectations for operational resilience and information security that should align to the RMF and RAS.


Strengthen Your CPS 220 Risk Management Programme

Work with OCG’s Risk Governance Specialists

Embed risk governance that’s clear, measurable and defensible. Contact OCG to refine your RMF and RAS, uplift controls and MI, and align assurance so you meet CPS 220 expectations and improve decision-making across the business.

Speak with OCG’s Risk Advisory team today

Learn more from our thought leadership articles and updates
