APRA’s CPS 230 Takes Effect: A New Era of Operational Risk Management

Written By

Michael Stojanovic

Special Counsel
Australia

I'm a Special Counsel in the Corporate Group based in our Sydney office, with a focus on delivering strategic legal advice to clients in the Technology & Communications and Financial Services sectors. With close to two decades of experience working in, and providing advice to, high technology industries, I bring a valuable blend of technical acumen and legal insight. I began my professional career as a computer programmer before changing to law in 2005, giving me a sector-side perspective on Australia's complex information technology landscape.

As of 1 July 2025, the Australian Prudential Regulation Authority’s (APRA) Prudential Standard CPS 230 (CPS 230) is in force. CPS 230 brings a more structured, accountable, and forward-looking approach to managing operational risk, business continuity and service provider arrangements to those parts of Australia’s financial services sector that are regulated by APRA. The requirements of CPS 230 should also be front-of-mind for all suppliers of services to those regulated businesses.

CPS 230 applies to all APRA-regulated entities, including banks, insurers, and superannuation trustees. It reflects APRA’s growing focus on ensuring that institutions can maintain critical operations during periods of disruption, such as cyber-attacks, system outages, or failures within key service providers.

Key requirements of CPS 230

Under CPS 230, regulated entities are required to identify their “critical operations” – those essential functions that, if disrupted, could have a material impact on financial markets, customers, or the broader economy. These requirements build upon the foundations established in Prudential Standard CPS 220 and SPS 220, which set out broader operational risk management obligations. For each critical operation, entities must now establish disruption tolerance thresholds and demonstrate how they will remain within these limits under a range of stress scenarios.

APRA mandates that, at a minimum, certain core business operations be classified as “critical” unless the entity can justify otherwise. Examples include payments, deposit-taking, and customer functions for Authorised Deposit-Taking Institutions (ADIs); claims processing for insurers; investment management and fund administration for registrable superannuation entity (RSE) licensees; and customer enquiries across regulated entities.

To support these requirements, entities must maintain a comprehensive operational risk management framework that enables them to identify, assess and control potential threats. This includes developing, keeping up to date and regularly testing business continuity plans, so that the entity can respond to and recover from operational incidents effectively.

A significant focus of CPS 230 is managing risks related to external suppliers. A regulated entity must ensure that contracts with its service providers contain appropriate safeguards, particularly for services supporting critical functions.

Regulated institutions are now required to keep a register of all material service providers and maintain a service provider management policy. For the first time, institutions must formally document their approach to managing the risks associated with fourth party suppliers that material suppliers rely upon (sometimes known as sub-outsourcing), which could include a wide range of cloud service, telecommunications and other IT industry suppliers.

Stronger governance and board accountability

CPS 230 strengthens the role of boards and senior management in operational risk oversight. Directors and executives are now explicitly responsible for ensuring that operational resilience is embedded into their organisation’s governance frameworks and decision-making processes.

Boards must oversee the effectiveness of risk management practices and ensure that adequate resources are allocated to meet the new requirements. This represents a cultural shift from reactive risk management to proactive, resilience-focused strategies.

Implementation and industry impact

Many institutions have spent the last two years undertaking readiness assessments, updating internal controls, mapping critical operations, and renegotiating external contracts to meet the new obligations.

While the transition has not been without challenges – particularly around resourcing and compliance costs – many institutions recognise CPS 230 as a necessary response to the growing complexity and interconnectedness of operational risks in today’s financial market.

Looking ahead

With initial CPS 230 compliance for most institutions completed, the next challenge will be integrating operational resilience as a sustained strategic priority. Institutions that approach CPS 230 as a one-off project risk falling behind in an environment where operational disruptions are increasingly complex and interdependent.

In a financial landscape defined by constant change, resilience is not merely about ticking regulatory boxes – it’s about maintaining the trust and confidence of regulators and customers alike. CPS 230 has been designed to facilitate this, but it’s up to industry to achieve it.

If you have any questions about compliance with CPS 230, please contact Special Counsel, Michael Stojanovic on [email protected].
