CPS 230: Your roadmap to compliance

2 minute read UPDATED September 2024 Siobhan Doherty, Martin Wright, Ruth Stringer, Ian Lockhart, Noelia Boscana, Olga Kirillova

From 1 July 2025, APRA-regulated entities must comply with CPS 230 – a new standard requiring entities to better manage operational risks and respond to business disruptions.

On 17 July 2023, APRA released the final new cross-industry Prudential Standard CPS 230 Operational Risk Management (CPS 230) and a draft of Prudential Practice Guide CPG 230 Operational Risk Management (CPG 230). APRA-regulated entities must comply with CPS 230 from 1 July 2025.

 

As a Legal and Consulting team with an integrated service offering, we’re well-versed in the implementation of CPS 230 and we’re ready to help your organisation.” 

SPEAK TO AN EXPERT

Source: Interim Policy and Supervision Priorities update | APRA

What is CPS 230?

CPS 230 requires regulated APRA-regulated entities to prepare for service disruptions by understanding the impacts of such events to customers and the wider financial system, take action to prevent these and enhance its operational resilience.

The standard has three overarching objectives:

  • 'Strengthen operational risk management through new requirements to address identified weaknesses in existing controls';
  • improve business continuity planning to ensure they are positioned to respond to severe disruptions; and
  • enhance third-party risk management by ensuring risks from material service providers are appropriately managed'.

APRA aims to focus the attention of boards on operational resilience by enforcing the setting of tolerance levels for disruptions to critical operations.

While APRA acknowledges some level of disruption is inevitable, it makes it clear that regulated entities should:

  • have the resilience to resume critical operations without causing financial harm;
  • work within a pre-defined tolerance level that is appropriate for their risk appetite; and
  • assess the appropriateness of the tolerances by conducting extensive scenario testing of extreme but plausible events.

Prudential Standard CPS 230 Operational Risk Management (CPS 230)

Coming into force on 1 July 2025, CPS 230 replaces five existing outsourcing and business continuity standards. The new standard requires APRA-regulated entities to prepare for service disruptions, take action to prevent these and enhance operational resilience. Explore our CPS 230 resources now.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1laWQiOiIxOTMxNmUyYi02ZmM1LTQzNWQtYWE1NC03ZmI2NGRiYzM2ZDgiLCJyb2xlIjoiQXBpVXNlciIsIm5iZiI6MTcyODY3Mzg2OSwiZXhwIjoxNzI4Njc1MDY5LCJpYXQiOjE3Mjg2NzM4NjksImlzcyI6Imh0dHBzOi8vd3d3Lm1pbnRlcmVsbGlzb24uY29tL2FydGljbGVzL2Nwcy0yMzAteW91ci1yb2FkbWFwLXRvLWNvbXBsaWFuY2UiLCJhdWQiOiJodHRwczovL3d3dy5taW50ZXJlbGxpc29uLmNvbS9hcnRpY2xlcy9jcHMtMjMwLXlvdXItcm9hZG1hcC10by1jb21wbGlhbmNlIn0._G3Nf0mQUOTOSgx-qw7OwD_WFkMPo_EJ0kxj8QEOcFk
https://www.minterellison.com/articles/cps-230-your-roadmap-to-compliance

Need help implementing  CPS 230?

The implementation of CPS 230 will require substantial alterations in operational risk management, business continuity, key service provider agreements, and governance procedures. This new standard, while demanding considerable effort for its design, execution, and ongoing management, will enhance entities' resilience and operational risk management capabilities.


Contact us to learn more about how MinterEllison can support your journey to CPS 230 compliance.

Contact

Tags

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1laWQiOiJkNWIzODYyMC1hZjUxLTQyYjItYmE2Ni00Mjc4MjJmMDkzMTQiLCJyb2xlIjoiQXBpVXNlciIsIm5iZiI6MTcyODY3Mzg2OSwiZXhwIjoxNzI4Njc1MDY5LCJpYXQiOjE3Mjg2NzM4NjksImlzcyI6Imh0dHBzOi8vd3d3Lm1pbnRlcmVsbGlzb24uY29tL2FydGljbGVzL2Nwcy0yMzAteW91ci1yb2FkbWFwLXRvLWNvbXBsaWFuY2UiLCJhdWQiOiJodHRwczovL3d3dy5taW50ZXJlbGxpc29uLmNvbS9hcnRpY2xlcy9jcHMtMjMwLXlvdXItcm9hZG1hcC10by1jb21wbGlhbmNlIn0.npupSePwAKrr-yib0x5MqQrnppdIys3KvIczYzMrP3o
https://www.minterellison.com/articles/cps-230-your-roadmap-to-compliance