APRA CPS 230 Operational Risk Management: The Standalone Deep Dive
Plain-English deep dive on Prudential Standard CPS 230, which commenced 1 July 2025 and replaced CPS 231 Outsourcing and CPS 232 Business Continuity.
Commencement and scope
CPS 230 Operational Risk Management came into effect on 1 July 2025. This standard supersedes CPS 231 Outsourcing and CPS 232 Business Continuity Management, along with their equivalent Superannuation Prudential Standards (SPS). Entities should review how CPS 230 interacts with other standards, such as CPS 234.
The standard’s requirements apply to all APRA-regulated entities, encompassing Authorised Deposit-taking Institutions (ADIs), insurers (including general, life, and private health), and Registered Superannuation Entity (RSE) licensees.
Non-significant financial institutions (non-SFIs) are granted a 12-month extension until 1 July 2026 for specific requirements relating to business continuity and scenario analysis. Transitional relief is also provided for pre-existing service provider contracts, valid until the earlier of contract renewal or 1 July 2026.
Three pillars of CPS 230
CPS 230 outlines three key pillars for operational risk management. The first covers strengthening controls, internal controls testing, and risk assessments. The second is business continuity planning, which involves identifying critical operations and establishing tolerance levels for the maximum disruption the entity will accept.
The third pillar concerns third-party risk management, mandating active management of risks arising from material service providers. This ensures that risks outsourced to external parties are appropriately identified and mitigated.
Entities must report their operational risk profile to the Board and senior management at an appropriate frequency. Furthermore, the Board is responsible for approving the entity’s business continuity plan and the tolerance levels for critical operations on an annual basis.
Material service provider register
APRA requires certain regulated entities to maintain a register of material service providers. This register must be submitted to APRA by 1 October 2025. The register applies to Authorised Deposit-taking Institutions (ADIs), super trustees and insurers.
Material service providers are defined as those providing services to critical operations or holding personal information of a significant number of customers. Before entering into an arrangement with a material service provider, regulated entities must notify APRA. Notification is also required when terminating an arrangement or when significant issues arise.
Entities are responsible for regularly reviewing and updating the material service provider register to reflect changes in arrangements.
Critical operations and tolerance levels
Entities are required to identify critical operations. Disruption to these operations would have a material adverse impact on members, customers, or financial stability. This identification is a key component of operational risk management, aligning with the broader APRA CPS 220 risk management framework.
Tolerance levels are a core element of managing these critical operations. These levels define the maximum tolerable downtime, data loss, and minimum service levels that an entity can accept. Scenario analysis is then used to assess whether the entity can recover from disruptive events within these defined tolerance levels.
Senior management were expected to have identified critical operations and material service providers by mid-2024, with tolerance levels to be established by the end of 2024. Any breach of these tolerance levels must be reported to the Board, along with a remediation plan to address the breach.
Frequently asked
When did CPS 230 commence?
1 July 2025 for all APRA-regulated entities, with a 12-month extension to 1 July 2026 for non-SFIs on business continuity and scenario analysis.
What standards did CPS 230 replace?
CPS 231 Outsourcing and CPS 232 Business Continuity Management (plus the SPS equivalents for superannuation).