Who should read this financial services article?

This article is written for compliance professionals, CISOs, GRC managers, audit teams, and risk officers working in financial services. It provides actionable insights relevant to organizations managing compliance programs.

How can I apply these financial services insights?

Use our AI-powered compliance platform to map your requirements across 692 frameworks with 819,000+ control mappings. Start with a free account to explore relevant frameworks, run gap analyses, and build remediation plans.

APRA CPS 230: What Australian Financial Services Need to Know

APRA's CPS 230 Operational Risk Management standard takes effect July 2025. It introduces new requirements for critical operations, material service providers, and operational resilience testing.

A New Era for Operational Risk

The Australian Prudential Regulation Authority (APRA) released CPS 230 to replace and consolidate three existing standards: CPS 220 (Risk Management), CPS 231 (Outsourcing), and CPS 232 (Business Continuity Management). The new standard takes effect on 1 July 2025 and represents a significant uplift in operational risk expectations.

Key Requirements

Critical Operations: Entities must identify their critical operations:the processes, activities, and services where disruption could have a material impact on depositors, policyholders, or the financial system. Each critical operation must have defined tolerance levels for disruption.

Material Service Providers: CPS 230 introduces a formal category of material service providers:any third party whose failure could impact critical operations. These providers must be subject to enhanced due diligence, contractual requirements, and ongoing monitoring. The board must approve all material service provider arrangements.

Operational Resilience Testing: Entities must conduct regular testing of their ability to remain within tolerance levels for critical operations during severe but plausible disruption scenarios. This goes beyond traditional business continuity testing:it requires end-to-end scenario testing that includes third-party dependencies.

What's Different from Current Requirements

CPS 230 raises the bar in several ways:

Board accountability: The board must approve the operational risk framework, critical operations identification, tolerance settings, and material service provider arrangements
End-to-end view: Previous standards addressed outsourcing, business continuity, and risk management separately. CPS 230 integrates them into a single operational resilience framework
Third-party depth: The requirements for material service providers go well beyond traditional outsourcing oversight, including requirements for substitutability planning and fourth-party risk management
Quantitative tolerances: Entities must set specific, measurable tolerance levels for disruption:not just qualitative statements

Preparing for July 2025

Start with three actions: map your critical operations end-to-end, identify your material service providers and assess their risk, and review your testing programme against the new scenario testing requirements.

APRA CPS 230: What Australian Financial Services Need to Know

A New Era for Operational Risk

Key Requirements

What's Different from Current Requirements

Preparing for July 2025

Frequently Asked Questions

Explore this topic on our compliance platform

Put compliance intelligence to work