Governance · Credibility 96/100 · 2 min read

Governance Briefing — APRA CPS 230 operational risk management

APRA’s CPS 230 Operational Risk Management standard takes effect on 1 July 2025, requiring board oversight of operational resilience, third-party risk, and scenario testing.

Executive briefing: APRA’s Prudential Standard CPS 230: Operational Risk Management applies to banks, insurers, and superannuation entities from 1 July 2025 (1 July 2026 for some smaller entities). Boards must approve operational risk frameworks, set tolerance levels, and oversee critical operations, business continuity, and service provider management. CPS 230 elevates expectations on resilience metrics, severe disruption planning, and third-party governance.

Key governance signals

  • Board accountability. Boards must ensure operational risk management frameworks align with risk appetite and receive regular reporting on resilience metrics.
  • Critical operations. Institutions must identify critical operations, map dependencies, and maintain tolerance statements approved by the board.
  • Service provider oversight. Boards must oversee outsourcing registers, contract standards, and assurance over critical service providers.

Action checklist

  • Update operational risk policies, board reporting, and committee mandates to align with CPS 230 requirements.
  • Conduct resilience mapping exercises to define tolerance levels, scenarios, and recovery plans for critical operations.
  • Enhance third-party risk management frameworks, including due diligence, contractual clauses, and monitoring.

Enablement moves

  • Deploy dashboards that track operational incidents, resilience metrics, and vendor performance for board oversight.
  • Run cross-functional scenario exercises involving technology, operations, and risk teams to validate tolerance thresholds.
  • Integrate CPS 230 requirements with CPS 234 (information security) and CPS 190 to streamline governance.

Sources

Zeph Tech supports APRA-regulated institutions with CPS 230 implementation by aligning board oversight, resilience testing, and third-party governance.

  • APRA CPS 230
  • Operational resilience
  • Third-party risk
  • Board oversight