← Back to all briefings
Policy 5 min read Published Updated Credibility 93/100

Policy Briefing — APRA CPS 230 go-live demands board-owned operational resilience evidence

CPS 230’s 1 July 2025 start requires boards to evidence operational risk governance, third-party resilience, and reporting routines that stand up to APRA assurance testing and year-one attestation.

Zeph Tech Research Lead

Research lead, Zeph Tech

Timeline plotting source publication cadence sized by credibility.
2 publication timestamps supporting this briefing. Source data (JSON)

Executive briefing: APRA’s Prudential Standard CPS 230 on Operational Risk Management comes into force on 1 July 2025 for authorised deposit-taking institutions, insurers, and private health insurers. Supervisors are signalling immediate deep dives on governance artefacts, scenario testing evidence, and board reporting maturity. This briefing sets out the target control architecture, evidence pack expectations, and reporting workflows executives must have in place to support the first year of CPS 230 assurance.

Regulatory expectations and oversight cadence

APRA expects boards to own the operational risk management framework, approve changes to risk appetite metrics, and evidence quarterly review of control effectiveness. Entities should document a governance map showing the board, risk committee, and accountable executives for critical operations, outsourcing, and business continuity. Align the cadence of board papers with APRA’s proposed thematic reviews: a standing CPS 230 dashboard every quarter; ad hoc escalation papers within 48 hours of major incidents; and an annual operational resilience attestation that references internal audit and scenario test findings.

Operational risk framework upgrades

The framework must integrate risk taxonomies, control libraries, loss event capture, and key risk indicators into a single document set approved by the board before go-live. Refresh operational risk appetite statements to include tolerance metrics for service availability, data integrity, cyber resilience, and third-party performance. Map each metric to measurement methods, data lineage owners, and escalation thresholds. Update policies to reflect the requirement for end-to-end process ownership, ensuring that business line leaders have signed accountability statements and that second line oversight routines—such as challenge meetings and thematic reviews—are recorded with minutes and actions.

Critical operations identification and mapping

APRA will expect a defensible methodology for designating critical operations. Build a heat map that combines customer impact, financial exposure, regulatory obligations, and franchise harm. For each critical operation, maintain process maps covering upstream dependencies, technology assets, facilities, and service providers. Document tolerance statements that specify maximum outage windows, data loss tolerances, and recovery objectives. Evidence that tolerances have been approved by the board and validated through at least one severe-but-plausible scenario exercise per critical operation, with remediation actions tracked to closure.

Scenario testing and resilience assurance

Design an annual test program that blends table-top exercises, live simulations, and data-driven stress tests. Each test scenario should log objectives, assumptions, participating executives, response timelines, lessons learned, and remediation commitments. Maintain a scenario testing register linked to the enterprise issue management system so remediation is traceable. Provide the board with heat maps comparing pre- and post-remediation resilience scores, and embed scenario learnings into updated tolerances and contingency plans.

Outsourcing and third-party control obligations

For material service providers, CPS 230 requires documented due diligence, contractual controls, and contingency planning. Assemble third-party profiles that capture ownership structures, concentration risks, subcontractor dependencies, and exit strategies. Validate that contracts include service levels tied to critical operation tolerances, data residency provisions, audit rights, and notification clauses for incidents. Ensure there is a standing third-party resilience committee that tracks remediation, reviews assurance reports, and reports quarterly to the board on residual risk.

Incident management and escalation workflow

Implement a playbook that defines incident severity tiers, notification responsibilities, and reporting timelines aligned to CPS 230, CPS 234, and breach reporting laws. Integrate incident ticketing systems with executive dashboards so that high-severity events generate automated alerts for accountable executives and the board chair. Capture root cause analysis artefacts, interim controls, and closure evidence. Maintain an incident log that tags critical operations and third parties, so APRA can verify that lessons learned inform updates to tolerances and recovery plans.

Evidence pack and documentation expectations

Construct a digital evidence room with version-controlled folders for governance charters, policies, tolerance registers, scenario test packs, incident reports, and third-party files. Apply metadata for document owners, approval dates, and next review windows. Include internal audit reports, management responses, and status updates on findings. Ensure there is a CPS 230 readiness tracker showing progress against milestones, outstanding control gaps, compensating measures, and accountability owners. Retain minutes from board and executive risk meetings that demonstrate challenge, decisions, and follow-up actions.

Reporting dashboards and management information

Design layered reporting: weekly operational dashboards for executives, monthly risk committee packs, and quarterly board updates. Dashboards should combine lagging indicators (loss events, outages, compliance breaches) with leading indicators (control testing results, scenario readiness scores, vendor risk ratings). Provide commentary on emerging issues, remediation progress, and open audit actions. Align management information with data quality controls—each metric should have defined data sources, validation checks, and data owners to satisfy APRA’s emphasis on reliable reporting.

Internal audit and assurance integration

Internal audit should complete a CPS 230 readiness review before go-live, testing governance structures, policy coverage, and control design. Plan a post-implementation audit within 12 months focused on execution evidence, including whether incidents triggered correct escalations and whether tolerances were respected. Coordinate with compliance and operational risk teams to run joint assurance maps so the board can see coverage across first, second, and third line activities. Document how assurance findings feed into board reporting and remediation governance.

Data, technology, and tooling enablers

Evaluate tooling for enterprise risk management, business continuity, and third-party oversight to confirm they support CPS 230 data requirements. Ensure systems can produce on-demand reports of critical operations, recovery plans, and dependency maps. Implement role-based access controls and audit trails for evidence packs. Where spreadsheets remain, document quality controls, version management, and independent checks to mitigate operational risk.

Change management and culture

Deliver targeted training for directors, executives, and operational leads on CPS 230 responsibilities, highlighting escalation obligations and evidence expectations. Track attendance, comprehension testing, and follow-up coaching. Embed CPS 230 requirements into performance objectives and accountability statements under BEAR/FAR regimes. Use town halls and intranet updates to reinforce the importance of resilience testing, supplier oversight, and incident transparency.

Board actions and next steps

In the June 2025 board cycle, table a CPS 230 readiness report summarising outstanding gaps, risk acceptances, and remediation funding. Approve the operational risk management framework, critical operation tolerance statements, and third-party contingency plans. Mandate quarterly CPS 230 dashboards, endorse the scenario testing schedule, and request an independent readiness review if material gaps remain. Confirm that the organisation can submit a complete evidence pack to APRA within five business days of request, demonstrating that governance, control, and reporting expectations are fully embedded from day one.

Timeline plotting source publication cadence sized by credibility.
2 publication timestamps supporting this briefing. Source data (JSON)
Horizontal bar chart of credibility scores per cited source.
Credibility scores for every source cited in this briefing. Source data (JSON)

Related briefings

Curated signals from the same pillar or overlapping topics.

Continue in the Policy pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

  • APRA CPS 230
  • Operational resilience
  • Board governance
  • Third-party risk
Back to curated briefings