Governance · 8 min read · Credibility 96/100

APRA CPS 230 operational risk management

APRA's Prudential Standard CPS 230 Operational Risk Management commences on 1 July 2025 for Australian ADIs, insurers, and superannuation trustees. It is a substantial expansion of the outgoing CPS 231 (outsourcing) and CPS 232 (business continuity) standards, with stricter requirements for operational resilience, identification of critical operations and their tolerance levels, and management of material service providers. If you are in Australian financial services, your program should already be well advanced, with the evidence to prove it.

Fact-checked and reviewed — Kodi C.


Why this analysis matters: APRA’s Prudential Standard CPS 230 Operational Risk Management becomes enforceable on 1 July 2025 for most authorized deposit-taking institutions, insurers, and superannuation trustees. The standard elevates board-level accountability for operational resilience by tying risk appetite, service provider dependency, and scenario response to documented tolerance levels that can be shown to supervisors. Teams that treat CPS 230 as a standalone compliance task risk fragmented governance; the institutions that will clear the initial supervisory reviews are those that bring risk, technology, operations, procurement, and audit leaders together to run a single, evidenced program.

The legacy CPS 231 outsourcing and CPS 232 business continuity obligations have been folded into an integrated framework that demands fresh governance artifacts. Boards must approve an operational risk management framework (ORMF) that catalogs critical operations, sets a tolerance level for each one (the maximum period of disruption, the maximum extent of data loss, and the minimum service level the entity will tolerate), and mandates reporting cadences down to committee level.

Senior officers take ownership of cross-entity incident classification and must certify that critical operations can recover within board-approved tolerance levels. APRA supervisors are already sampling board packs, scenario test documentation, and vendor assurance files to judge readiness, so program offices need to refresh evidence packs monthly rather than at year end.

Regulatory scope and timing

Large and medium APRA-regulated entities must comply from 1 July 2025, while smaller entities (those APRA does not classify as significant financial institutions) have a further 12 months for the business continuity and scenario analysis requirements; contracts with existing service providers are brought into scope at their next renewal or by 1 July 2026, whichever comes first. Regardless of cohort, APRA expects to see by Q4 2024 a validated inventory of critical operations, refreshed service provider registers, and the governance structure that will operate from day one. CPS 230 also dovetails with CPS 234 information security and CPS 190 recovery and exit planning; the board must be able to explain how the frameworks remain consistent across these standards. Programs therefore need an integrated roadmap that brings privacy, cybersecurity, and business continuity owners into the same design authority.

APRA has issued an information paper outlining initial supervisory focus areas: whether boards have materially reviewed operational risk tolerance statements, whether third-party concentration is governed through contractual controls and exit strategies, and whether scenario testing covers severe but plausible events. Entities must be prepared to submit detailed responses within 10 business days of a data request. A compliance calendar should therefore schedule quarterly control testing, with results translated into board dashboards and risk appetite breach reports.

Governance controls to prioritize

Board oversight cadence. Set up a CPS 230 governance charter that describes how the board, risk committee, and executive operational resilience forum exchange information. Minutes should record challenges to management, tolerance breach deliberations, and endorsement of remediation actions. The charter must also require independent assurance (internal audit, risk review, or external experts) over the ORMF at least annually. Align the charter with existing CPS 234 reporting so directors receive a unified view of technology and operational exposures.

Critical operation lifecycle. Build a repository that defines critical operations, maps dependencies across people, technology, facilities, and data, and records the approved tolerance levels, including the maximum tolerable outage. Each entry should reference supporting evidence, such as business impact analyses, capacity models, and exit plans. Change management workflows must trigger a review whenever a dependency, outsourcing arrangement, or tolerance level changes. The repository should feed both crisis playbooks and third-party oversight dashboards.

Service provider governance. CPS 230 expects boards to review material outsourcing registers, due diligence reports, and contingency arrangements. Implement a tiered assurance model: critical providers require annual control attestations (SOC 1/2, CPS 234 evidence), scenario participation, and tested exit plans; high-risk non-critical providers receive targeted monitoring; lower tiers rely on automated alerts. Procurement, legal, and risk teams should maintain a standard contract annex covering notification obligations, data residency, subcontractor controls, and step-in rights. Evidence packs must show that the board has visibility into concentration risk and remediation progress.

Incident and change reporting. Embed CPS 230 metrics into enterprise risk reporting. Track near misses, tolerance breaches, incident root cause closure, and time-to-restore across critical operations. Introduce key control indicators for change freezes, failover readiness, and vendor performance. Every breach or near miss should trigger a lessons-learned session whose minutes are stored in the evidence pack and reported to the risk committee. APRA will expect to see not just the raw incident count but trend analysis, scenario rehearsal frequency, and audit coverage.

Evidence pack blueprint

Program offices should maintain a digital evidence room structured in five folders: governance, critical operations, third-party management, scenario testing, and assurance. The governance section contains board and committee papers, approval records, and the annual CPS 230 attestation. Critical operations folders include heat maps, dependency diagrams, resilience tests, and tolerance review logs.

Third-party management holds due diligence questionnaires, control attestations, contract extracts, and corrective action plans. Scenario testing archives should store exercise scripts, participant lists, post-incident reports, and evidence of board-level debriefs. Assurance materials encompass internal audit scopes, findings tracking, and confirmation of closed actions.

Each artifact needs metadata: owner, approval date, next review date, related risk appetite statement, and linkage to other standards such as CPS 234. Automating this metadata, through a GRC platform or a structured SharePoint library, reduces the risk of missing documentation during supervisory requests. Program managers should run monthly evidence reconciliations to confirm that all mandatory artifacts exist, are current, and have been shared with the teams that rely on them. When items are not ready, the deficiency must appear in the CPS 230 issues register with an accountable owner and due date.
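The monthly reconciliation described above can be scripted against the artifact register. The following Python is an added example, not code from Zeph Tech or from APRA: it takes a hypothetical GRC export (one record per artifact, keyed by the five folders above), checks that every mandatory artifact is present, carries the required metadata, and is not past its review date, and emits issues-register entries with an accountable owner and a due date. The mandatory artifact types per folder, the default folder owners, and the 30-day remediation window are assumptions, and the sample register is constructed so that each check fires at least once.

```python
"""Monthly evidence-room reconciliation for a CPS 230 evidence pack.

Added example, not Zeph Tech's or APRA's code. The five folders follow the
briefing; the mandatory artifact types per folder, the default folder owners
and the 30-day remediation window are assumptions for illustration.
"""
from datetime import date, timedelta

# Assumed minimum artifact set per folder; a real program would list more.
MANDATORY = {
    "governance": {"governance_charter", "annual_attestation"},
    "critical_operations": {"dependency_map", "tolerance_review_log"},
    "third_party": {"due_diligence", "control_attestation"},
    "scenario_testing": {"exercise_script", "post_exercise_report"},
    "assurance": {"audit_scope", "findings_tracker"},
}

# Accountable owner when an artifact record carries none (assumed roles).
FOLDER_OWNER = {
    "governance": "company_secretary",
    "critical_operations": "head_of_operational_risk",
    "third_party": "head_of_procurement",
    "scenario_testing": "resilience_program_lead",
    "assurance": "head_of_internal_audit",
}

# Metadata every artifact must carry (the briefing's list).
REQUIRED_META = ("owner", "approval_date", "next_review",
                 "risk_appetite_ref", "linked_standards")

AS_OF = date(2025, 7, 1)  # reconciliation date used by the sample run


def _issue(folder, artifact, finding, owner, today, due_days):
    """One CPS 230 issues-register entry: accountable owner plus due date."""
    return {"folder": folder, "artifact": artifact, "finding": finding,
            "owner": owner, "due": (today + timedelta(days=due_days)).isoformat()}


def reconcile(register, today, due_days=30):
    """Check that every mandatory artifact exists, is fully tagged and is not
    past its review date. Returns issues-register entries; [] means clean."""
    issues = []
    present = {folder: set() for folder in MANDATORY}
    for art in register:
        folder = art.get("folder")
        name = art.get("type", "<untyped>")
        if folder not in MANDATORY:
            issues.append(_issue(str(folder), name,
                                 "filed outside the five-folder structure",
                                 art.get("owner") or "program_office", today, due_days))
            continue
        present[folder].add(name)
        owner = art.get("owner") or FOLDER_OWNER[folder]
        # Empty strings and empty lists count as missing, not just absent keys.
        missing = [f for f in REQUIRED_META if not art.get(f)]
        if missing:
            issues.append(_issue(folder, name, "missing metadata: " + ", ".join(missing),
                                 owner, today, due_days))
        next_review = art.get("next_review")
        if next_review:
            try:
                if date.fromisoformat(next_review) < today:
                    issues.append(_issue(folder, name, f"review overdue since {next_review}",
                                         owner, today, due_days))
            except ValueError:
                issues.append(_issue(folder, name, f"next_review not an ISO date: {next_review!r}",
                                     owner, today, due_days))
    # Mandatory artifacts that never appeared in the register at all.
    for folder, required in MANDATORY.items():
        for name in sorted(required - present[folder]):
            issues.append(_issue(folder, name, "mandatory artifact absent",
                                 FOLDER_OWNER[folder], today, due_days))
    return issues


# Constructed sample register: deliberately incomplete so every check fires.
SAMPLE_REGISTER = [
    {"folder": "governance", "type": "governance_charter", "owner": "company_secretary",
     "approval_date": "2025-02-14", "next_review": "2026-02-14",
     "risk_appetite_ref": "RAS-OR-01", "linked_standards": ["CPS 234"]},
    {"folder": "governance", "type": "annual_attestation", "owner": "ceo",
     "approval_date": "2025-06-20", "next_review": "2025-06-20",  # overdue at AS_OF
     "risk_appetite_ref": "RAS-OR-01", "linked_standards": ["CPS 220"]},
    {"folder": "critical_operations", "type": "dependency_map", "owner": "",
     "approval_date": "2025-03-01", "next_review": "2025-09-01",
     "risk_appetite_ref": "", "linked_standards": ["CPS 234"]},
    {"folder": "third_party", "type": "due_diligence", "owner": "head_of_procurement",
     "approval_date": "2025-04-10", "next_review": "2026-04-10",
     "risk_appetite_ref": "RAS-TP-02", "linked_standards": ["CPS 234"]},
    {"folder": "scenario_testing", "type": "exercise_script", "owner": "resilience_program_lead",
     "approval_date": "2025-05-05", "next_review": "2025-11-05",
     "risk_appetite_ref": "RAS-OR-01", "linked_standards": []},  # no CPS 234 linkage recorded
    {"folder": "misc", "type": "vendor_newsletter", "owner": "analyst"},
]


def run_sample():
    """Reconcile the constructed register as of AS_OF."""
    return reconcile(SAMPLE_REGISTER, AS_OF)


if __name__ == "__main__":
    for i in run_sample():
        print(f"{i['due']}  {i['owner']:<26} {i['folder']}/{i['artifact']}: {i['finding']}")
```

Run it and the output is the month's issues-register delta: one overdue review, one artifact with blank owner and risk appetite reference, one with no standards linkage, one stray document outside the folder structure, and five mandatory artifacts that do not exist yet. Each line already names an owner and a due date, which is the form the briefing asks the issues register to take. An empty register yields ten "absent" entries, one per mandatory artifact, so the script also doubles as a day-one checklist.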

Reporting workflow design

Create a reporting pipeline that starts with operational data feeds and ends with board decision support. Step one aggregates incident data, vendor performance metrics, and scenario test results in a resilience data mart. Step two converts raw data into dashboards tailored to operational risk managers, technology leads, and procurement. Step three publishes a monthly CPS 230 digest for executive review, highlighting tolerance breaches, remediation status, and upcoming tests. Step four elevates critical themes, unresolved issues, and material outsourcing changes to the board and risk committee each quarter. Step five feeds evidence into the annual attestation and APRA submission packages.

To keep the workflow responsive, define triggers for ad-hoc reporting. For example, any tolerance breach longer than two hours, any critical vendor control failure, or any scenario exercise revealing systemic gaps should generate an extraordinary report. Reporting owners should log when and how updates were escalated, ensuring audit trails. Automate reminders tied to the compliance calendar so cross-functional contributors submit inputs on time. Document the workflow in a RACI matrix that names accountable executives, data stewards, and reviewers.

Implementation sprint plan

Institutions that are behind should run four sprints between now and July 2025. Sprint one (Q4 2024) finalizes the CPS 230 governance charter, identifies critical operations, and maps dependencies. Sprint two (Q1 2025) refreshes service provider contracts, validates scenario designs, and stands up the evidence room. Sprint three (Q2 2025) executes end-to-end scenario tests, populates metrics dashboards, and trains board members on the new reporting format. Sprint four (late Q2 2025) conducts a readiness review combining internal audit testing with executive sign-off, producing the attestation package and action plan for post go-live improvements.

Throughout the sprints, maintain a consolidated issue log that records risk acceptances, remediation milestones, and testing residuals. The log becomes part of the evidence pack and feeds into APRA supervisory conversations. Where dependencies on third parties exist—for example, awaiting updated SOC reports—document interim controls and communication exchanges. Entities should also prepare a mobilization plan for subsidiaries or branches that share infrastructure, clarifying accountability for group-wide controls.

Key metrics and assurance

Define quantitative indicators that show CPS 230 effectiveness: percentage of critical operations with approved tolerance statements; average time to report incidents to executives; percentage of material providers with current assurance reports; number of scenario tests executed versus plan; remediation aging for audit findings; and staff training completion rates. Tie each metric to thresholds that trigger escalation. Embed the metrics within the enterprise risk dashboard so that CPS 230 data sits alongside financial and cyber risk indicators.

Internal audit should prepare a review plan covering ORMF design, data quality in resilience dashboards, contract controls, and scenario testing governance. Where audit capacity is limited, consider co-sourced reviews focusing on high-risk operations or complex outsourcing. Independent assurance reports become part of the evidence pack and will support board attestations. APRA has signaled that early supervisory reviews will look for tangible assurance outcomes rather than planned reviews, so schedule fieldwork before May 2025.

Working with stakeholders

Effective CPS 230 adoption requires clear roles. Risk teams steward the ORMF, operations and technology teams deliver resilience improvements, procurement manages provider oversight, and corporate communications prepares stakeholder messaging. Board directors should receive targeted education sessions covering APRA’s expectations, recent enforcement actions, and how to interpret the resilience dashboards. Regulators expect to see that directors can question management assumptions, so training should include scenario-based workshops.

Finally, align CPS 230 activities with crisis management and customer communication plans. Document how incident escalation will inform regulators, customers, and the market, including pre-approved templates and spokespersons. Capture lessons from any significant incidents between now and go-live in the evidence pack, demonstrating continuous improvement. The goal is to show APRA that governance, evidence, and reporting operate as an integrated system rather than ad-hoc tasks once July 2025 arrives.
