Rules Mate

Free tool

CPS 230 readiness scorer

APRA's Prudential Standard CPS 230 (Operational Risk Management) has been in force for ADIs and insurers since 1 July 2025 — and commences for RSE licensees on 1 July 2026. This tool scores your program across 10 control areas and prioritises gaps by severity.

Last verified: 28 May 2026
Scope
Operational profile
10 control areas

Board-approved operational risk management framework

Para 17-21 — risk appetite, escalation pathways, taxonomy of operational risks.

Material operational risk register

Inventoried risks across products, processes, systems with current ratings.

Critical operations register

Para 33 — operations whose disruption would cause material adverse impact.

Business continuity plan with defined tolerance levels

BCP with tested recovery time + recovery point objectives per critical operation.

Resilience testing program (≥ annual)

Para 44 — scenario disruption tests; results reviewed by Board / Risk Committee.

Documented incident management process

Detect → contain → recover → review workflow with defined ownership.

Material service provider register

Para 48 — list every material SP with tier, criticality and contract status.

Service provider risk assessments + ongoing oversight

Para 51-55 — due diligence at onboarding + monitoring + APRA access clauses.

APRA notification process for material incidents

Para 79 — notify APRA within 72 hours of material operational-risk incidents.

Board oversight + at least annual framework review

Para 11-15 — board accountability documented in charters + minutes.

Reference tool — not professional advice. CPS 230 is a principles-based standard; your specific obligations depend on entity class + materiality. Always confirm with APRA or an APRA-experienced risk consultant for material decisions.

Related tools

Frequently asked questions

Who does CPS 230 apply to?
All APRA-regulated entities: ADIs (banks, credit unions, building societies), general/life/private health insurers, and RSE licensees (super fund trustees), plus authorised NOHCs.
When did CPS 230 commence?
1 July 2025 for ADIs and insurers. RSE licensees (super fund trustees) commence 1 July 2026. APRA's April 2026 targeted amendments provided some transition relief.
What's the difference between CPS 230 and CPS 234?
CPS 234 is information security specifically. CPS 230 is the broader operational risk standard — it covers business continuity, critical operations, service-provider management and incident management, of which cyber is one component.
What are the key deliverables?
A board-approved operational risk framework, a critical operations register with tolerance levels, a tested business continuity plan, a material service provider register with risk assessments, an incident management process, and a 72-hour APRA notification process.

Have a question about your specific situation?

Ask the Rules Mate AI advisor — attach your own contracts, policies or notices and get answers grounded in the compliance corpus, with citations on every claim. Ask 1 question free, no sign-up.

Ask the AI advisor →

Not sure which obligations apply to you?

Run the Compliance Fingerprint — a 2-minute structured assessment that maps your business to every obligation, deadline and regulator that triggers.

Build my Compliance Fingerprint →