APRA · In force 1 Jul 2025 · Reviewed June 2026

CPS 230
Operational Risk Management.

APRA's prudential standard for managing operational risk. Sets requirements for critical operations, third-party arrangements, and business continuity, and consolidates parts of CPS 220, CPS 231, and CPS 232 into a single, sharper standard.

The stakes
A breach of CPS 230 puts your AFSL renewal, board sign-off, and APRA standing at material risk. The §36 notifiable-events regime means failures get reported to your regulator on a clock, not at the end of the quarter, and not at the discretion of senior management.

What CPS 230 requires.
How BackPro handles each obligation.

§ 13–18

Critical operations register

The requirement

Identify and maintain a register of critical operations, services, processes, and resources whose failure would have a material impact on customers or the financial system. The register must be kept current and approved by the board.

§ 19–22

Operational risk framework

The requirement

Identify, assess, monitor, and manage operational risks across the firm. Maintain a risk register with controls, ownership, review cadence, and tolerance thresholds.

§ 23–27

Business continuity

The requirement

Maintain business continuity plans covering each critical operation. Plans must be tested annually and updated when material changes occur. Recovery time and recovery point objectives are set per operation.

§ 29–31

Service provider arrangements

The requirement

Assess and manage risks from material service providers. Risks must be re-assessed on changes or at a minimum annually. Concentration risk and substitutability are explicit factors.

§ 32

Tolerance levels for disruption

The requirement

Establish maximum tolerable disruption periods for each critical operation. Test against them. Report against them.

§ 36

Notifiable events to APRA

The requirement

Notify APRA when an event materially disrupts a critical operation, breaches information security, or otherwise constitutes a notifiable operational risk event. Timing is prescribed; sitting on the decision is not an option.

What BackPro produces for CPS 230.

The artifacts your auditor expects. Hashed, signed, timestamped, exportable. Generated continuously while you work, not assembled in the week before the audit.

Artifact
Critical operations register

Living document with dependency graph, board approval evidence, and version history. Exportable as PDF on request.

Artifact
Operational risk register

Risks linked to controls, controls to evidence, evidence to owners. Attestation cadence enforced automatically.

Artifact
BCP playbook & drill log

Per-operation continuity plan with annual drill schedule, RTO/RPO test results, and drift indicators.

Artifact
Service provider DDQ pack

Completed third-party assessments with concentration analysis and exit-plan documentation.

Artifact
Tolerance-level breach report

Trends in tolerance breaches over time, including ones that did not result in a §36 notification.

Artifact
APRA §36 notification (auto-drafted)

Pre-formatted to APRA's expected structure with classification, timeline, root cause, and remediation. Awaits compliance officer signature.

See CPS 230 mapped to your own controls.

Forty‑five minutes with our team. We take your existing control register, map it against CPS 230 obligations, and show you which gaps BackPro closes automatically. The mapping is yours to keep whether you proceed with us or not.