Rules Mate

Free tool

CPS 230 readiness scorer

APRA's Prudential Standard CPS 230 (Operational Risk Management) has been in force for ADIs and insurers since 1 July 2025 — and commences for RSE licensees on 1 July 2026. This tool scores your program across 10 control areas and prioritises gaps by severity.

Scope
Operational profile
10 control areas

Board-approved operational risk management framework

Para 17-21 — risk appetite, escalation pathways, taxonomy of operational risks.

Material operational risk register

Inventoried risks across products, processes, systems with current ratings.

Critical operations register

Para 33 — operations whose disruption would cause material adverse impact.

Business continuity plan with defined tolerance levels

BCP with tested recovery time + recovery point objectives per critical operation.

Resilience testing program (≥ annual)

Para 44 — scenario disruption tests; results reviewed by Board / Risk Committee.

Documented incident management process

Detect → contain → recover → review workflow with defined ownership.

Material service provider register

Para 48 — list every material SP with tier, criticality and contract status.

Service provider risk assessments + ongoing oversight

Para 51-55 — due diligence at onboarding + monitoring + APRA access clauses.

APRA notification process for material incidents

Para 79 — notify APRA within 72 hours of material operational-risk incidents.

Board oversight + at least annual framework review

Para 11-15 — board accountability documented in charters + minutes.

Reference tool — not professional advice. CPS 230 is a principles-based standard; your specific obligations depend on entity class + materiality. Always confirm with APRA or an APRA-experienced risk consultant for material decisions.