Rules Mate

Comply with APRA CPS 230 (Operational Risk Management)

APRA-regulated entities must manage operational risk including a comprehensive third-party / outsourcing register from 1 July 2025.

criticalcurrentongoing

Who must comply

All APRA-regulated entities (ADIs, insurers, RSE licensees).

What triggers it

Being APRA-regulated.

When due

Continuous from 1 July 2025; pre-existing arrangements transition through 30 June 2026.

Evidence required

Critical operations register, service provider register, tolerance levels, business continuity test results, board attestation.

Max penalty

APRA directions, additional capital, licence conditions

Effective from

1 July 2025

Summary

CPS 230 (in force from 1 July 2025) replaces CPS 231 (outsourcing) and CPS 232 (business continuity). Requires APRA-regulated entities to identify critical operations, set tolerance levels for disruption, maintain a comprehensive register of material service providers, manage concentration risk, and conduct testing.

Enforced by

Source legislation

Industries

Topics

apraoperational-riskcps-230third-party

Related obligations

Frequently asked questions

Who must comply with APRA CPS 230 (Operational Risk Management)?
All APRA-regulated entities (ADIs, insurers, RSE licensees).
What triggers APRA CPS 230 (Operational Risk Management)?
Being APRA-regulated.
When is APRA CPS 230 (Operational Risk Management) due?
Continuous from 1 July 2025; pre-existing arrangements transition through 30 June 2026.
What is the maximum penalty for APRA CPS 230 (Operational Risk Management)?
APRA directions, additional capital, licence conditions
What evidence is required for APRA CPS 230 (Operational Risk Management)?
Critical operations register, service provider register, tolerance levels, business continuity test results, board attestation.

Source: https://apra.gov.au/operational-risk-management. Rules Mate is not a law firm. Always verify against the live regulator source before acting.