CPS 230 Compliance

APRA CPS 230: What it requires and how we can help

CPS 230 (Operational Risk Management) is APRA's prudential standard for operational resilience. It became effective on 1 July 2025 and applies to all APRA-regulated entities, including authorised deposit-taking institutions (ADIs), general insurers, life insurers, superannuation funds, and friendly societies.

If your organisation is regulated by APRA and hasn't yet addressed CPS 230, you're already behind. Here's what the standard requires and how Continuity Matters can help you meet it.

What CPS 230 requires

CPS 230 has three core obligations:

1. Manage operational risks effectively
Your organisation must identify, assess, and manage material operational risks, including people, processes, systems and external events. The Board is accountable for this. Risk appetites must be set, documented and reviewed annually.

2. Maintain Critical Operations through disruptions
You must identify your Critical Operations: those that, if disrupted, would cause material harm to your customers, the financial system, or your organisation. For each critical operation, you need documented recovery plans and validated recovery time objectives (RTOs).

3. Manage risks from service providers
This is where CPS 230 goes further than its predecessors. If you rely on Third Party providers (including cloud services) for Critical Operations, you must assess their operational risk, ensure contractual protections are in place and maintain the ability to recover if a provider fails or exits. APRA expects you to have visibility over your entire service provider chain, including subcontractors.


What's changed from CPS 232

CPS 230 replaces CPS 232 (Business Continuity Management) and significantly raises the bar in several areas:

  • Board accountability is explicit. The Board must approve the operational risk management framework and review it annually.

  • Critical Operations are defined more precisely. The standard requires you to identify which operations are truly critical, not just list all your processes.

  • Third-party risk is now central. CPS 232 touched on outsourcing; CPS 230 makes service provider risk management a core compliance obligation.

  • Scenario testing is required. You must test your ability to maintain critical operations through severe but plausible disruption scenarios, not just standard annual BCP exercises.

  • Tolerance levels must be set and documented. For each critical operation, you must define the Maximum Tolerable Period of Disruption.


Common gaps we find

When we review CPS 230 readiness with regulated entities, these are the issues that come up most often:

  • Business Continuity Plans that list all activities rather than identifying the most time-critical ones.

  • IT Disaster Recovery Plans where systems cannot actually be recovered within the required timeframes.

  • Third-party contracts that don't address operational risk, notification obligations, or exit arrangements.

  • No documented tolerance levels for Critical Operations.

  • Board reporting that doesn't adequately address operational risk.


How we help

We work with APRA-regulated entities at any stage of CPS 230 readiness: from initial gap assessment through to full program delivery.

  • Gap assessment
    We review your existing plans, framework and governance arrangements against CPS 230 requirements and produce a clear gap analysis with prioritised recommendations.

  • Critical Operations identification
    We facilitate workshops with your leadership team to identify and document your Critical Operations, set tolerance levels and establish the link between business processes and IT systems.

  • Business Continuity Plan development and review
    We develop or review your BCPs to ensure they meet CPS 230 requirements, including recovery strategies, documented RTOs, and tested procedures.

  • IT Disaster Recovery review
    We assess whether your critical IT systems can actually be recovered within your required timeframes. This is often where the most significant gaps are found.

  • Third-party risk assessment
    We help you identify which Service Providers support Critical Operations, assess their risk and review contractual arrangements against CPS 230 requirements.

  • Exercising
    We design and facilitate scenario-based exercises that test your ability to maintain critical operations through realistic disruption scenarios, meeting the CPS 230 requirement for annual testing.


Who CPS 230 applies to

  • Authorised Deposit-Taking Institutions (ADIs): banks, credit unions, building societies

  • General insurers

  • Life insurers

  • Superannuation funds (RSE licensees)

  • Friendly societies

  • Private health insurers (via equivalent PHIAC requirements)

If you're unsure whether CPS 230 applies to your organisation, get in touch and we can clarify.


Ready to get started?

CPS 230 compliance is not a one-off project; it's an ongoing program. The earlier you start, the more manageable it is.

Get in touch to discuss your CPS 230 requirements →

Or read our overview of APRA requirements for regulated entities →

We offer business continuity consulting services to help your business develop a robust business continuity plan.