On 17 July 2023, APRA released the final new cross-industry Prudential Standard CPS 230 Operational Risk Management (CPS 230) and a draft of Prudential Practice Guide CPG 230 Operational Risk Management (CPG 230). APRA-regulated entities must comply with CPS 230 from 1 July 2025.

As a Legal and Consulting team with an integrated service offering, we’re well-versed in the implementation of CPS 230 and we’re ready to help your organisation.” 

SPEAK TO AN EXPERT

What is CPS 230?

CPS 230 requires regulated APRA-regulated entities to prepare for service disruptions by understanding the impacts of such events to customers and the wider financial system, take action to prevent these and enhance its operational resilience.

The standard has three overarching objectives:

• 'Strengthen operational risk management through new requirements to address identified weaknesses in existing controls';
• improve business continuity planning to ensure they are positioned to respond to severe disruptions; and
• enhance third-party risk management by ensuring risks from material service providers are appropriately managed'.

APRA aims to focus the attention of boards on operational resilience by enforcing the setting of tolerance levels for disruptions to critical operations.

While APRA acknowledges some level of disruption is inevitable, it makes it clear that regulated entities should:

• have the resilience to resume critical operations without causing financial harm;
• work within a pre-defined tolerance level that is appropriate for their risk appetite; and
• assess the appropriateness of the tolerances by conducting extensive scenario testing of extreme but plausible events.