Policy Briefing — APRA CPS 230 operational risk rules extend to superannuation trustees
From 1 July 2026, APRA’s CPS 230 Operational Risk Management standard applies to RSE licensees, requiring superannuation trustees to evidence tolerance statements, service provider oversight, and business continuity testing aligned with the prudential rule set.
Executive briefing: Prudential Standard CPS 230 becomes enforceable for registrable superannuation entity (RSE) licensees on 1 July 2026. Trustees must embed board-approved operational risk frameworks, critical operations mapping, and third-party oversight to meet APRA expectations that already apply to banks and insurers.
Mandatory deliverables
- Operational risk framework. CPS 230 para. 16 requires tolerance statements, key control testing, and issue escalation workflows approved by the board.
- Service provider management. Paras. 47–60 mandate comprehensive due diligence, contract clauses, and exit plans for material outsourcing arrangements, including cloud and administration partners.
- Business continuity plans. Paras. 34–46 demand scenario testing, impact tolerances for critical operations, and documented lessons learned.
Program actions
- Critical operations mapping. Catalogue member-facing processes, benefit payment cycles, and investment operations to set tolerance thresholds and align with cross-industry metrics.
- Third-party reviews. Refresh due diligence on custodians, administrators, and technology vendors to demonstrate compliance with CPS 230 contracting expectations.
- Board engagement. Schedule workshops to test incident escalation, reporting cadence, and assurance coverage before the go-live date.
Enablement moves
- Integrate CPS 230 requirements with CPS 234 (information security) and SPS 220 (risk management) so trustees deliver a unified controls narrative.
- Leverage cross-industry CPS 230 guidance from APRA insights letters to benchmark maturity and remediation timelines.