APRA CPS 232 Business Continuity: What It Required Before CPS 230 Took Over

Background and current status

CPS 232 Business Continuity Management was the APRA prudential standard governing business continuity management for banking and insurance entities. A parallel standard, SPS 232, applied to RSE licensees in superannuation. These standards outlined requirements for identifying, assessing, and mitigating risks to business operations.

Both CPS 232 and SPS 232 have been superseded by CPS 230. This change occurred from 1 July 2025, and CPS 232 is now listed as 'superseded' within APRA's Prudential Handbook. Those wanting to understand the differences should refer to CPS 230 vs CPS 234.

Non-SFIs (non-adherent systemically important financial institutions) have been granted a 12-month extension. For these entities, CPS 232 and SPS 232 continue to apply until 1 July 2026.

Key obligations CPS 232 imposed

CPS 232 imposed several key obligations on regulated entities. The board of each entity was required to approve a Business Continuity Management policy and plan (BCP). This demonstrated governance oversight and commitment to business continuity preparedness.

Entities were also obligated to identify their critical business functions and establish recovery time objectives for those functions. This ensured that resources were appropriately focused on maintaining essential operations during disruptive events.

Regular testing of BCPs was a mandatory requirement to confirm their effectiveness. Furthermore, entities were required to notify APRA of incidents that materially disrupted operations, and to provide annual attestation to APRA regarding the effectiveness of their BCP.

Why APRA absorbed CPS 232 into CPS 230

APRA determined that existing business continuity practices within regulated entities, and particularly the management of risks associated with third parties, required strengthening. This assessment highlighted weaknesses in how entities were preparing for and responding to disruptions. To address these concerns, APRA undertook a review of its standards.

A key shift introduced by CPS 230 is the focus on ‘critical operations’ instead of ‘critical business functions’ as the basis for business continuity planning. This change, alongside the requirement for explicit tolerance levels regarding downtime and data loss, represented a more rigorous and targeted approach. The integration of third-party risk management directly within business continuity planning was also a significant enhancement.

The consolidation of CPS 231, CPS 232, and the guidance on operational risk into a single standard, CPS 230, streamlined APRA’s regulatory framework. This unified approach aims to provide a more comprehensive and consistent set of expectations for regulated entities.

Transition checklist for entities still on CPS 232

Entities still operating under CPS 232 must continue to meet their obligations under that standard throughout the transition period to CPS 230. This includes maintaining business continuity arrangements and documentation as previously required. It is important to confirm whether the entity qualifies as a non-SFI and is utilising the 12-month extension to 1 July 2026, as this impacts the timeframe for full CPS 230 compliance. The APRA CPS 220 risk management framework remains relevant to this ongoing compliance.

A key step in the transition is mapping existing critical business functions as defined under CPS 232 to the equivalent critical operations identified under CPS 230. This process helps ensure continuity of essential services and facilitates a smooth handover of responsibilities and processes. Entities should also review and, where necessary, refine their existing tolerance levels for maximum tolerable downtime and data loss.

To prepare for CPS 230, entities should build scenario analysis capability. This will allow for robust testing and validation of business continuity arrangements and ensure the organisation is well-prepared for a range of potential disruptions.