APRA CPS 220 Risk Management Framework: The Complete Compliance Guide for ADIs
APRA Prudential Standard CPS 220 (Risk Management) is the foundational standard that underpins every other prudential requirement your ADI must meet. While CPS 230 gets the headlines and CPS 234 drives urgent cyber spend, CPS 220 is the standard that defines how your institution identifies, measures, monitors, and controls risk across the entire business. Get CPS 220 wrong, and every other standard falls apart.
This guide breaks down the full CPS 220 framework, explains what APRA expects in practice, and highlights the gaps that trip up even well-resourced compliance teams.
What Is CPS 220 and Who Does It Apply To?
CPS 220 establishes the minimum requirements for a Risk Management Framework (RMF) that all APRA-regulated entities must maintain. It was last substantially updated in July 2023 and applies to:
- Authorised Deposit-taking Institutions (ADIs) - banks, building societies, credit unions
- General insurers regulated under the Insurance Act 1973
- Life insurers regulated under the Life Insurance Act 1995
- Registrable Superannuation Entity (RSE) licensees (with some modifications under SPS 220)
- Private health insurers regulated under the Private Health Insurance (Prudential Supervision) Act 2015
For ADIs specifically, CPS 220 is the standard that APRA assessors use as their starting point when evaluating your overall prudential health. It is the connective tissue between governance (CPS 510), operational resilience (CPS 230), information security (CPS 234), and capital adequacy (APS 110).
Key point: CPS 220 is not just a documentation exercise. APRA expects the RMF to be a living, operational document that drives day-to-day decision-making - not a policy that sits on a shelf between audits.
Risk Management Framework Requirements
At the core of CPS 220 is the requirement for every APRA-regulated entity to establish, maintain, and implement a comprehensive Risk Management Framework. The RMF must cover all material risks the entity faces, including credit risk, market risk, liquidity risk, operational risk, insurance risk, and strategic risk.
Board Oversight and Accountability
CPS 220 places ultimate responsibility for the RMF squarely on the board of directors. This is not a delegable obligation. Specifically, the board must:
- Approve the RMF and review it at least annually, or whenever there is a material change in the entity's risk profile
- Approve the Risk Appetite Statement (RAS) and ensure it is consistent with the entity's business strategy, capital plan, and financial plan
- Satisfy itself that the RMF is being effectively implemented and that the entity's risk profile is within the board-approved risk appetite
- Ensure adequate resources are allocated to risk management, including qualified personnel and appropriate systems
- Oversee the appointment of a Chief Risk Officer (CRO) or equivalent with sufficient authority and independence
Since the commencement of the Financial Accountability Regime (FAR) in March 2024, board-level accountability for the RMF has real teeth. Accountable persons can face personal consequences - including deferred remuneration clawback and disqualification - for failures in risk management oversight.
Risk Management Strategy
The RMF must include a documented risk management strategy that covers:
- The entity's approach to managing each material risk category
- The systems, policies, processes, and controls for identifying, measuring, evaluating, monitoring, reporting, and controlling or mitigating risk
- The roles and responsibilities of the board, senior management, risk management function, internal audit, and business units
- Reporting and escalation procedures, including breach reporting and APRA notification triggers
- The process for regular review and update of the RMF itself
The Three Lines of Defence
APRA expects CPS 220 compliance to be structured around the three lines of defence model, although the standard does not prescribe this exact terminology. In practice, APRA assessors evaluate whether your entity has:
- First line - Business units and operational management. These are the risk owners. They are responsible for identifying, assessing, and managing risks within their areas. They must operate within the risk appetite and comply with risk policies and limits set by the board and risk function.
- Second line - Risk management function (including the CRO). This function sets the risk framework, develops risk policies, provides risk oversight and challenge, monitors risk exposures and limit compliance, and reports to the board. CPS 220 requires this function to be independent from revenue-generating activities and to have direct access to the board and board risk committee.
- Third line - Internal audit. Provides independent assurance that the RMF is effective, that risk policies are being followed, and that the first and second lines are operating as designed. CPS 220 requires internal audit to periodically review the RMF and report findings directly to the board audit committee.
Risk Appetite and Tolerance Levels
The Risk Appetite Statement (RAS) is one of the most scrutinised elements of CPS 220 compliance. APRA expects the RAS to be far more than a generic statement about being "risk-aware." It must be:
- Specific and measurable - with quantitative metrics and limits for each material risk category (e.g., maximum probability of default thresholds, VaR limits, liquidity coverage ratios, maximum acceptable operational loss)
- Linked to strategy - the RAS must demonstrably connect to the entity's business plan and strategic objectives
- Cascaded through the organisation - risk appetite must be translated into risk limits and tolerances at the business unit, product, and transaction level
- Dynamic - updated when the entity's risk profile, strategy, or external environment changes materially
APRA distinguishes between risk appetite (the aggregate level and types of risk the board is willing to assume) and risk tolerance (the specific maximum risk the entity is prepared to bear for each risk category). CPS 220 requires both to be articulated clearly.
Common RAS Failures
Based on APRA supervisory findings and thematic reviews, the most common RAS deficiencies include:
- Risk appetite statements that are too vague to be operationally useful (e.g., "we have a moderate risk appetite for credit risk")
- No clear link between stated risk appetite and actual risk limits or business decisions
- RAS metrics that are lagging indicators only, with no forward-looking or early-warning measures
- Board approval of the RAS as a compliance exercise rather than a genuine strategic discussion
- No documented process for what happens when risk tolerances are breached
Stress Testing and Scenario Analysis
CPS 220 requires APRA-regulated entities to conduct regular stress testing and scenario analysis as part of the RMF. This is not optional and is not limited to large ADIs - all entities must have a stress testing program proportionate to their size, complexity, and risk profile.
What APRA Expects
- Regular stress tests covering all material risk categories, not just credit risk. This includes market risk, liquidity risk, operational risk, and concentration risk.
- Severe but plausible scenarios - APRA uses this phrase frequently and expects entities to go beyond historical worst-case. Scenarios should include geopolitical disruption, simultaneous multi-risk events, and emerging risks like climate transition.
- Reverse stress testing - identifying the scenarios that would cause the entity to fail or breach minimum capital requirements, then assessing the likelihood of those scenarios.
- Board involvement - the board must review and challenge stress test results, and stress testing must inform the entity's capital planning and risk appetite calibration.
- Documentation - methodology, assumptions, results, and management actions must all be documented and available for APRA review.
Scenario Analysis in Practice
APRA has been pushing entities toward more sophisticated scenario analysis since 2023. The regulator's Climate Vulnerability Assessment and the 2024 operational resilience thematic review both set expectations for multi-factor scenario design. A compliant stress testing program should include:
- Macroeconomic scenarios - recession, stagflation, property market downturn, unemployment spike
- Operational scenarios - major IT failure, data breach, key service provider failure, pandemic (now required post-COVID)
- Climate scenarios - both physical risk (flooding, bushfire) and transition risk (carbon policy changes, asset repricing)
- Combined scenarios - APRA increasingly expects entities to model correlated stress events (e.g., interest rate shock + property downturn + unemployment increase)
ICAAP Integration with CPS 220
The Internal Capital Adequacy Assessment Process (ICAAP) is where CPS 220 meets the capital adequacy framework under APS 110. APRA expects the ICAAP to be directly informed by the RMF and risk appetite - they are not separate compliance exercises.
How CPS 220 Feeds ICAAP
- Risk identification from the RMF drives the list of risks that must be capitalised in the ICAAP
- Risk appetite limits determine the capital buffers needed to absorb losses within tolerance
- Stress test results must be used to calibrate capital adequacy under adverse conditions (APS 110 requires this explicitly)
- Operational risk assessment under CPS 220/CPS 230 must inform the operational risk capital charge
APRA has been clear that a weak RMF leads to a weak ICAAP, and a weak ICAAP can result in additional supervisory capital charges - sometimes referred to as "Pillar 2" capital add-ons. These charges are entity-specific and can be substantial.
ICAAP Best Practices
For your ICAAP to satisfy both CPS 220 and APS 110, ensure:
- The board reviews and approves the ICAAP annually, with explicit sign-off on the capital plan
- All material risks identified in the RMF are addressed in the ICAAP, including risks not captured by Pillar 1 minimum requirements
- Stress testing results are directly incorporated into capital planning, with documented management actions for stressed scenarios
- The ICAAP is forward-looking and covers the entity's strategic planning horizon (typically 3-5 years)
- There is a clear link between risk appetite, capital buffers, and dividend policy
Common Compliance Gaps GoComply Detects
GoComply's document scanner analyses your policies, frameworks, and board papers against CPS 220 requirements. These are the most frequently flagged gaps across Australian ADIs:
- Missing or vague Risk Appetite Statement metrics. Many entities have a RAS that reads well but lacks the quantitative thresholds APRA expects. GoComply flags documents that reference risk appetite without specifying measurable limits, breach escalation procedures, or tolerance bands for each material risk category.
- No documented three lines of defence structure. Some entities describe risk responsibilities in general terms but do not explicitly delineate accountability between business units (first line), the risk function (second line), and internal audit (third line). APRA expects clear documentation of independence, reporting lines, and escalation paths.
- Stress testing programs that exclude operational risk or emerging risks. GoComply detects when stress testing documentation covers credit and market risk but omits operational risk scenarios, climate risk, or cyber disruption. CPS 220 requires all material risks to be stress tested.
- ICAAP disconnected from the RMF. When the ICAAP document does not reference the RMF, risk appetite, or stress test results, GoComply flags the disconnect. APRA expects these to be a single integrated system, not separate compliance documents produced by different teams.
- Board review frequency and evidence gaps. CPS 220 requires at least annual board review of the RMF. GoComply detects when framework documents lack evidence of board approval dates, review cycles, or version history that would demonstrate ongoing board oversight.
Related Standards: How CPS 220 Connects to the Broader Framework
CPS 220 does not exist in isolation. It is the foundation that several other prudential standards build upon. Your compliance team should consider CPS 220 in conjunction with:
- CPS 230 (Operational Risk Management) - CPS 230 took over the operational risk management elements from CPS 220 and expanded them into a full operational resilience framework. Your CPS 220 RMF must integrate with CPS 230 requirements for critical operations, tolerance levels, and service provider management. The two standards should reference each other in your documentation.
- CPS 510 (Governance) - board composition, board committee structures (including the board risk committee), and the fit and proper requirements for directors and senior managers. CPS 510 provides the governance infrastructure that CPS 220 relies on for effective board oversight of the RMF.
- CPS 234 (Information Security) - information security risk is a material risk that must be covered in the RMF. CPS 234 sets specific requirements for information security capability, incident management, and testing that feed into your overall risk profile under CPS 220.
- APS 110 / APS 112 / APS 114 (Capital Adequacy) - the capital framework that relies on CPS 220's risk identification and stress testing to calibrate capital buffers. A deficient RMF can directly result in higher capital requirements.
- Financial Accountability Regime (FAR) - accountability maps must identify the accountable person responsible for the RMF. FAR creates personal accountability for CPS 220 compliance failures that did not exist before March 2024.
- AML/CTF Act 2006 - money laundering and terrorism financing risk must be included as a material risk in the RMF. AUSTRAC's expectations for risk-based AML/CTF programs should align with the risk appetite and tolerance framework established under CPS 220.
Practical Steps: Getting Your RMF CPS 220-Ready
- Conduct a gap analysis - Compare your current RMF documentation against CPS 220 paragraph by paragraph. Pay particular attention to the specificity of your RAS metrics and the independence of your risk function.
- Quantify your Risk Appetite Statement - Move beyond qualitative descriptions. Define measurable limits for each material risk category with clear breach thresholds and escalation procedures.
- Map the three lines of defence - Document who owns what. Ensure the CRO has genuine independence, direct board access, and sufficient resources.
- Integrate stress testing with capital planning - Ensure your stress test scenarios are severe but plausible, cover all material risks, and directly inform your ICAAP capital buffers.
- Connect the documents - Your RMF, RAS, ICAAP, BCP (CPS 230), and information security framework (CPS 234) should explicitly cross-reference each other. APRA sees these as one system.
- Evidence board oversight - Maintain clear records of board approval dates, discussion minutes, challenges raised, and decisions made on the RMF and RAS.
- Use automated scanning - Upload your framework documents to GoComply for instant gap detection before your next APRA review.
This guide is for informational purposes and does not constitute legal advice. Consult qualified compliance professionals for specific obligations. GoComply covers 37 Australian financial regulations - try the chatbot for instant clause-level answers.