Policy · Credibility 93/100 · 2 min read

Policy Briefing — APRA CPS 230 go-live demands board-owned operational resilience evidence

APRA’s Prudential Standard CPS 230 takes effect on 1 July 2025 for banks and insurers, requiring boards to certify operational risk controls, critical operations tolerances, and third-party continuity plans ahead of supervisory deep dives.

Executive briefing: The Australian Prudential Regulation Authority’s (APRA) Prudential Standard CPS 230 Operational Risk Management becomes effective on 1 July 2025 for authorised deposit-taking institutions (ADIs), general insurers, life companies, and private health insurers. Superannuation trustees follow on 1 July 2026, but APRA expects whole-of-group readiness testing this year. Boards must approve operational risk frameworks, set tolerance statements for critical operations, and demonstrate continuity arrangements that cover material service providers.

Key obligations

  • Board accountability. Paragraphs 18–24 require boards to approve the operational risk management framework, review risk appetite statements annually, and receive regular reporting on control effectiveness and incidents.
  • Critical operations tolerances. Paragraphs 33–42 mandate identification of critical operations, setting impact tolerances, and testing response plans that align with tolerance thresholds.
  • Service provider management. Paragraphs 60–87 require due diligence, contractual controls, contingency planning, and exit strategies for material outsourcing arrangements, including sub-service monitoring.

Program actions

  • Framework refresh. Map CPS 230 requirements against CPS 234 (Information Security) and CPS 231 (Outsourcing) obligations to update policies, control libraries, and board reporting packs.
  • Scenario exercises. Execute business continuity and severe-but-plausible stress tests that prove impact tolerances can be met, documenting lessons learned and remediation owners.
  • Service provider attestations. Obtain assurance that critical suppliers can meet tolerance targets, including evidence of redundancy, incident reporting timelines, and regulator notification rights.

Enablement moves

  • Align CPS 230 implementation steering committees with finance, risk, and audit functions to coordinate board updates and readiness certifications.
  • Prepare supervisory engagement briefs summarising progress, outstanding remediation, and milestone plans for legacy outsourcing arrangements that run past July 2025.

Sources

  • APRA CPS 230
  • Operational resilience
  • Board governance
  • Third-party risk