CPS 230: Your roadmap to compliance

2 minute read UPDATED 2025 Siobhan Doherty, Martin Wright, Ian Lockhart, Noelia Boscana, Olga Kirillova

From 1 July 2025, APRA-regulated entities must comply with CPS 230 – a new standard requiring entities to better manage operational risks and respond to business disruptions.

On 17 July 2023, APRA released the final new cross-industry Prudential Standard CPS 230 Operational Risk Management (CPS 230) and in June 2024 Prudential Practice Guide CPG 230 Operational Risk Management (CPG 230). APRA-regulated entities must comply with CPS 230 from 1 July 2025.

SPEAK TO AN EXPERT

Source: Interim Policy and Supervision Priorities update | APRA

What is CPS 230?

CPS 230 requires regulated APRA-regulated entities to prepare for service disruptions by understanding the impacts of such events to customers and the wider financial system, take action to prevent these and enhance its operational resilience.

The standard has three overarching objectives:

'Strengthen operational risk management through new requirements to address identified weaknesses in existing controls';
improve business continuity planning to ensure they are positioned to respond to severe disruptions; and
enhance third-party risk management by ensuring risks from material service providers are appropriately managed'.

APRA aims to focus the attention of boards on operational resilience and cyber vulnerabilities by enforcing the setting of tolerance levels for disruptions to critical operations.

While APRA acknowledges some level of disruption is inevitable, it makes it clear that regulated entities should:

have the resilience to resume critical operations without causing financial harm;
work within a pre-defined tolerance level that is appropriate for their risk appetite; and
assess the appropriateness of the tolerances by conducting extensive scenario testing of extreme but plausible events.

Prudential Standard CPS 230 Operational Risk Management (CPS 230)

Coming into force on 1 July 2025, CPS 230 applies to prudentially regulated entities. It replaces five existing outsourcing and business continuity standards and creates additional oversight requirements in respect of material service providers. The new standard requires APRA-regulated entities to prepare for service disruptions, take action to prevent these and enhance operational resilience. Explore our CPS 230 resources now.

Need help implementing CPS 230?

The implementation of CPS 230 will require substantial alterations in operational risk management, business continuity, key service provider agreements, and governance procedures. This new standard, while demanding considerable effort for its design, execution, and ongoing management, will enhance entities' resilience and operational risk management capabilities.