APRA CPS 230: What Australian Financial Services Need to Know
APRA's CPS 230 Operational Risk Management standard takes effect July 2025. It introduces new requirements for critical operations, material service providers, and operational resilience testing.
A New Era for Operational Risk
The Australian Prudential Regulation Authority (APRA) released CPS 230 to replace and consolidate three existing standards: CPS 220 (Risk Management), CPS 231 (Outsourcing), and CPS 232 (Business Continuity Management). The new standard takes effect on 1 July 2025 and represents a significant uplift in operational risk expectations.
Key Requirements
Critical Operations: Entities must identify their critical operations: the processes, activities, and services where disruption could have a material impact on depositors, policyholders, or the financial system. Each critical operation must have defined tolerance levels for disruption.
Material Service Providers: CPS 230 introduces a formal category of material service providers: any third party whose failure could impact critical operations. These providers must be subject to enhanced due diligence, contractual requirements, and ongoing monitoring. The board must approve all material service provider arrangements.
Operational Resilience Testing: Entities must conduct regular testing of their ability to remain within tolerance levels for critical operations during severe but plausible disruption scenarios. This goes beyond traditional business continuity testing: it requires end-to-end scenario testing that includes third-party dependencies.
What's Different from Current Requirements
CPS 230 raises the bar in several ways:
- Board accountability: The board must approve the operational risk framework, critical operations identification, tolerance settings, and material service provider arrangements
- End-to-end view: Previous standards addressed outsourcing, business continuity, and risk management separately. CPS 230 integrates them into a single operational resilience framework
- Third-party depth: The requirements for material service providers go well beyond traditional outsourcing oversight, including requirements for substitutability planning and fourth-party risk management
- Quantitative tolerances: Entities must set specific, measurable tolerance levels for disruption, not just qualitative statements
Preparing for July 2025
Start with three actions: map your critical operations end-to-end, identify your material service providers and assess their risk, and review your testing programme against the new scenario testing requirements.