APRA CPS 230 Operational Risk: Australian Financial Services
APRA CPS 230 sets new expectations for operational risk management in Australian financial services. This guide covers the standard's requirements for operational resilience, critical operations identification, service provider management, and testing obligations.
What Is CPS 230?
The Australian Prudential Regulation Authority (APRA) released Prudential Standard CPS 230 on Operational Risk Management in July 2023, with a compliance date of 1 July 2025. CPS 230 replaces three existing standards: CPS 231 (Outsourcing), CPS 232 (Business Continuity Management), and CPS 234 supplementary guidance. The standard takes a principles-based approach, raising the bar for operational resilience across banking, insurance, and superannuation.
Scope and Application
CPS 230 applies to all APRA-regulated entities, including authorised deposit-taking institutions, general insurers, life insurers, private health insurers, and registrable superannuation entity licensees.
Operational Risk Management Requirements
CPS 230 requires entities to:
- Maintain a sound operational risk management framework approved by the board
- Identify, assess, manage, and monitor operational risks including technology, legal, and compliance risks
- Define board-approved tolerance levels for operational risk
- Establish effective controls that are regularly tested
- Report material operational risk events to the board and APRA
The framework must be proportionate to the entity's nature, size, and complexity.
Identifying Critical Operations
A cornerstone of CPS 230 is identifying critical operations. Entities must:
- Identify critical operations whose disruption could materially impact depositors, policyholders, or beneficiaries
- Set tolerance levels specifying the maximum acceptable disruption period
- Develop business continuity plans enabling continued delivery within tolerance levels
- Ensure adequate resources are available to maintain critical operations during disruption
Service Provider Management
CPS 230 introduces comprehensive service provider requirements:
- Maintain a register of all material service provider arrangements
- Conduct due diligence before engaging material service providers
- Establish legally binding agreements with key risk management provisions
- Monitor service provider performance and risk profile on an ongoing basis
- Develop and test contingency plans for material service provider failure
- Ensure providers supporting critical operations can meet tolerance levels
Testing Requirements
CPS 230 requires rigorous testing:
- Test business continuity plans at least annually for critical operations
- Include severe but plausible disruption scenarios
- Test ability to remain within tolerance levels during disruption
- Test contingency arrangements for material service provider failure
- Document results and remediate identified gaps
- Report outcomes to the board
APRA expects testing to be realistic and challenging.
Board and Senior Management Accountability
The board must approve the operational risk framework, tolerance levels, and material service provider arrangements. Senior management must implement the framework and report to the board on the operational risk profile.
Implementation Roadmap
- Conduct a gap analysis against CPS 230 requirements
- Identify and document all critical operations with board-approved tolerance levels
- Review and update the operational risk management framework
- Build a comprehensive register of material service provider arrangements
- Update service provider contracts to include CPS 230 requirements
- Develop and test business continuity plans aligned with tolerance levels
- Establish reporting mechanisms to the board and APRA
CPS 230 represents a significant uplift in APRA's expectations. Entities that approach implementation strategically will build genuinely stronger operational capabilities.