CPS 230 Compliance Guide 2025-2026: Everything Your ADI Needs to Know
APRA Prudential Standard CPS 230 (Operational Risk Management) is the most significant prudential standard change in a decade. It consolidates three previous standards — CPS 231 (Outsourcing), CPS 232 (Business Continuity Management), and the operational risk elements of CPS 220 — into a single, integrated operational resilience framework.
Effective date: 1 July 2025 for SFIs (Significant Financial Institutions). Non-SFIs have until 1 July 2026 for BCP requirements.
What CPS 230 Replaced and Why
CPS 230 replaced three separate standards that APRA recognised were treating interconnected risks in silos:
- CPS 231 (Outsourcing) — focused on material outsourcing arrangements but didn't adequately address intra-group service providers or fourth-party risk
- CPS 232 (Business Continuity Management) — required BCPs but lacked the concept of mandatory tolerance levels for critical operations
- Operational risk elements of CPS 220 — general risk management requirements that didn't specifically address operational resilience
The key insight driving CPS 230 is that a service provider failure IS a business continuity event IS an operational risk incident. APRA wants entities to manage these as a connected system, not separate compliance exercises.
Key Requirements
1. Critical Operations and Tolerance Levels
This is the biggest change from CPS 232. Entities must:
- Define and maintain a register of critical operations
- Set tolerance levels for each critical operation covering: maximum disruption period (RTO), maximum acceptable data loss (RPO), and minimum service levels during alternative arrangements
- Be prepared for APRA to override your tolerance levels if it finds material weakness
2. Business Continuity Planning
BCPs must include:
- Critical operations register with tolerance levels
- Disruption identification triggers and activation procedures
- Actions to maintain operations within tolerance levels
- Communications strategy
- Annual testing using severe but plausible scenarios
3. Service Provider Management
CPS 230 replaces the old CPS 231 concept of "material outsourcing" with "material service provider" — a broader definition that includes intra-group arrangements. Requirements include:
- Comprehensive due diligence before engagement
- Formal written agreements with audit and APRA access rights
- Ongoing monitoring and performance reporting to the board
- Fourth-party risk assessment (your provider's providers)
- Exit strategies and substitutability plans
4. APRA Notification Requirements
- 72 hours — notify APRA of operational risk incidents with material financial impact
- 24 hours — notify APRA of disruptions to critical operations outside tolerance levels
Transition Timeline
- 1 July 2025 — CPS 230 effective for all APRA-regulated entities. SFIs must fully comply including BCP testing.
- 1 July 2026 — Non-SFIs must comply with BCP requirements. Pre-existing service provider contracts must comply by the earlier of their next renewal or this date.
Enforcement Context
APRA has already demonstrated willingness to use capital charges as enforcement tools for operational resilience failures:
- Medibank — $250M capital charge after the October 2022 data breach (CPS 234)
- Bendigo Bank — $50M additional capital charge for compliance deficiencies
Expect similar enforcement under CPS 230 for entities that cannot demonstrate adequate operational resilience.
Practical Steps for Compliance
- Gap analysis — Map your current CPS 231/232 compliance against CPS 230 requirements
- Critical operations register — Define and document all critical operations with tolerance levels
- Service provider inventory — Reclassify material outsourcing arrangements as material service provider arrangements under the new definitions
- BCP update — Ensure BCPs include tolerance levels, scenario testing plans, and APRA notification procedures
- Board engagement — Brief the board on CPS 230 requirements and their oversight responsibilities
- Testing program — Design annual testing using severe but plausible scenarios covering service provider disruptions
Related Regulations
CPS 230 intersects with several other standards your compliance team needs to consider:
- CPS 234 (Information Security) — cyber incidents are a key operational risk under CPS 230
- CPS 220 (Risk Management) — operational risk must integrate into the overall RMF
- CPS 510 (Governance) — board oversight of operational resilience
- FAR Act 2023 — accountable persons must have CPS 230 responsibilities allocated
- Banking Act 1959 — APRA's enforcement powers under s11CA
This guide is for informational purposes and does not constitute legal advice. Consult qualified compliance professionals for specific obligations.