APRA Prudential Standard CPS 230 took effect on 1 July 2025. Every APRA-regulated entity now needs an operational risk regime that an external review can survive. Most teams are running it in Excel. This page is the plain-English version of what the standard asks, where teams hit the wall, and how a continuously monitored audit chain changes the work.
CPS 230 collapses what used to live across CPS 231 (Outsourcing) and CPS 232 (Business Continuity Management) into a single integrated standard. The three pillars are not optional and they are not independent.
Pillar 1
Operational risk management
Identify, assess, and manage operational risks across the full business — people, processes, technology, and information. Maintain a documented control library with clear ownership and a tested view of effectiveness. The Board must understand the operational risk profile and be able to defend it under review.
Pillar 2
Business continuity
Identify the critical operations that must keep running through disruption, set tolerances for how long they can be impaired, and prove the business can recover within those tolerances. Tabletop exercises and full simulations need to be regular, evidence-bearing, and lessons-learned closed-out.
Pillar 3
Service provider management
Maintain a register of material service providers, evidence the due diligence behind each engagement, monitor performance against contractual obligations, and have an exit plan you could actually execute. Concentration risk and fourth-party exposure are now in scope.
Where teams hit the wall
Four problems we hear in every CPS 230 readiness conversation.
The service provider register grows faster than the team
Material service providers multiply with every new SaaS contract. Without continuous monitoring, the register lags reality. Auditors find vendors operating on contracts that expired six months ago.
Your evidence is older than your exposure.
Critical operations and tolerances drift
Critical operations were mapped during the readiness program. Two years later the architecture has changed, dependencies have moved, and the tolerances were never re-tested against the new shape of the business.
You cannot defend the tolerances you have on file.
Evidence is in five systems and a shared drive
Control evidence lives in GRC, ticket trails live in Jira, BCP test outputs live in OneDrive, vendor reviews live in email. Pulling a coherent evidence package for an external review takes weeks.
Audit prep replaces real risk work for a quarter.
Tabletop exercises that do not move the needle
Annual scenarios run, lessons are noted, and nothing closes. The test report makes it to the Board pack, but six months later the same gap shows up in the next exercise.
You are testing for compliance, not for resilience.
How BackPro maps to CPS 230
Continuous, not quarterly.
The aim is not to replace your GRC platform — it is to keep your evidence current and defensible without a quarter of heroics every audit cycle. Each row below maps a CPS 230 obligation to the part of BackPro that does the work.
CPS 230 obligation: Operational risk profile
The Control Monitor agent runs continuously inside your tenant, flagging failing controls, stale evidence, and overdue reviews. Findings carry severity, dedup keys, and source attribution. The platform produces an audit-grade view of operational risk that is current by construction, not by quarterly heroics.
CPS 230 obligation: Critical operations + tolerances
Critical-operation registers, dependency maps, and tolerance documentation are versioned in the platform with full edit history. The Risk Correlator agent surfaces architectural drift that puts a tolerance at risk. Tabletop exercise outputs and lessons-learned are linked to the affected operation.
CPS 230 obligation: Material service provider register
The Vendor Risk agent watches contract expiries, due-diligence cadence, and policy review dates. Concentration risk and fourth-party exposure surface as findings, not spreadsheet rows. The register is queryable; the evidence is chained.
CPS 230 obligation: Business continuity testing
Test plans, exercise records, debriefs, and remediation actions live in a single chain. Each lesson links to a control and a closure deadline. Findings stay open until evidence shows resolution.
CPS 230 obligation: Audit and Board reporting
Every audit entry is signed with HMAC-SHA256 and chained to the previous entry. Daily integrity verification catches tampering. Audit packages export to your SIEM as CEF, JSON Lines, or Syslog (RFC 5424). Board packs are generated from the source of record, not assembled from screenshots.
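As an added illustration of the mechanism described above (example code written for this page, not BackPro's own implementation), the Python below signs each audit entry with HMAC-SHA256 over its own fields plus the previous entry's MAC, so editing, reordering or re-signing any entry without the key breaks verification from that point on. The signing key, the finding payloads, the control identifiers and the CEF vendor/product strings are all constructed placeholders.

```python
import copy
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Constructed demo key. A real deployment keeps the key in a KMS/HSM and out of
# reach of anyone who can write to the log store, since a key holder can re-sign.
DEMO_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # prev_mac recorded on the first entry

# Placeholder CEF header fields (vendor/product/version are not real values).
CEF_VENDOR, CEF_PRODUCT, CEF_VERSION = "ExampleVendor", "ExampleAuditChain", "0.1"


def canonical(body: dict) -> bytes:
    """Deterministic bytes so signer and verifier MAC identical input."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def entry_mac(key: bytes, body: dict) -> str:
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


def append_entry(chain: List[dict], key: bytes, payload: dict) -> dict:
    """Sign payload over (seq, prev_mac, payload) and link it to the chain head."""
    prev_mac = chain[-1]["mac"] if chain else GENESIS
    body = {"seq": len(chain), "prev_mac": prev_mac, "payload": payload}
    entry = {**body, "mac": entry_mac(key, body)}
    chain.append(entry)
    return entry


def verify_chain(chain: List[dict], key: bytes,
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (ok, first_bad_seq).

    Checks every MAC, every back-link and the sequence numbering. If
    expected_head (a copy of the latest MAC kept outside the log) is given,
    silent truncation of the tail is detected as well.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: entry[k] for k in ("seq", "prev_mac", "payload")}
        if (entry["seq"] != i or entry["prev_mac"] != prev
                or not hmac.compare_digest(entry["mac"], entry_mac(key, body))):
            return False, i
        prev = entry["mac"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None


def to_jsonl(chain: List[dict]) -> str:
    """JSON Lines export: one signed entry per line."""
    return "".join(json.dumps(e, sort_keys=True) + "\n" for e in chain)


def to_cef(entry: dict) -> str:
    """CEF:0 line for SIEM ingestion. The constructed payloads contain no '|'
    or '=' characters; a real exporter must escape those per the CEF format."""
    p = entry["payload"]
    ext = (f"seq={entry['seq']} cs1Label=prev_mac cs1={entry['prev_mac']} "
           f"cs2Label=mac cs2={entry['mac']} cs3Label=control_id cs3={p['control_id']}")
    return (f"CEF:0|{CEF_VENDOR}|{CEF_PRODUCT}|{CEF_VERSION}|{p['finding']}|"
            f"{p['finding']}|{p['severity']}|{ext}")


def build_demo_chain() -> List[dict]:
    """Three constructed findings of the kind a control monitor might raise."""
    findings = [
        {"finding": "control_evidence_stale", "control_id": "CTRL-PLACEHOLDER-01",
         "severity": 6, "observed_at": "2025-07-14T02:00:00Z"},
        {"finding": "vendor_contract_expired", "control_id": "VND-PLACEHOLDER-07",
         "severity": 8, "observed_at": "2025-07-14T02:00:05Z"},
        {"finding": "bcp_lesson_overdue", "control_id": "BCP-PLACEHOLDER-03",
         "severity": 4, "observed_at": "2025-07-14T02:00:09Z"},
    ]
    chain: List[dict] = []
    for f in findings:
        append_entry(chain, DEMO_KEY, f)
    return chain


def tampered_copy(chain: List[dict]) -> List[dict]:
    """Simulate an after-the-fact edit: downgrade the severity of entry 1."""
    bad = copy.deepcopy(chain)
    bad[1]["payload"]["severity"] = 1
    return bad


if __name__ == "__main__":
    chain = build_demo_chain()
    head = chain[-1]["mac"]  # a copy of this value belongs outside the log store
    print("intact:", verify_chain(chain, DEMO_KEY, head))                # (True, None)
    print("edited:", verify_chain(tampered_copy(chain), DEMO_KEY))       # (False, 1)
    print("truncated, no head:", verify_chain(chain[:-1], DEMO_KEY))     # (True, None)
    print("truncated, head:", verify_chain(chain[:-1], DEMO_KEY, head))  # (False, 2)
    print(to_cef(chain[0]))
```

Two points the example makes that matter for a daily integrity check: the back-links catch modification and reordering but not removal of the newest entries, because a shorter chain still verifies, so the check should compare the current head MAC against a copy held outside the log's write path (the `expected_head` argument here); and because HMAC is symmetric, anyone holding the signing key can recompute the whole chain, so the key must be unreadable from the path that writes entries.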
What APRA-regulated teams ask before bringing AI inside the CPS 230 perimeter.
Who does CPS 230 apply to?
CPS 230 applies to APRA-regulated entities: authorised deposit-taking institutions (ADIs), general and life insurers, private health insurers, and registrable superannuation entity (RSE) licensees. The standard took effect on 1 July 2025 for most entities, with transitional arrangements for service-provider obligations.
How is CPS 230 different from CPS 231 and CPS 232?
CPS 230 consolidates and replaces APRA Prudential Standards CPS 231 (Outsourcing) and CPS 232 (Business Continuity Management) into a single integrated operational risk regime. The new standard expands scope from outsourcing to all material service providers, raises the bar on critical-operation tolerances, and ties operational risk, business continuity, and third-party management together rather than treating them as separate disciplines.
What does APRA expect under business continuity testing?
APRA expects regulated entities to identify their critical operations, set quantified tolerances for how long each can be disrupted, and test recovery against those tolerances on a regular cycle. Testing must be evidence-bearing — exercise plans, runbooks, observations, lessons learned, and remediation actions all need to be retained and reviewable. Annual desk-checks alone are not sufficient for entities with significant operational risk exposure.
How does BackPro map to CPS 230?
BackPro provides continuous compliance monitoring across all three CPS 230 pillars. The Control Monitor agent watches operational controls and evidence freshness; the Vendor Risk agent watches material service provider contracts, due diligence, and concentration risk; the Risk Correlator agent surfaces cross-domain risk that spans operations, vendors, and incidents. All findings flow into a tamper-evident HMAC-chained audit log that exports to your SIEM. The aim is not to replace your GRC system — it is to keep your evidence current and defensible without quarterly heroics.
Does BackPro replace our existing GRC platform?
No. BackPro complements GRC platforms (RSA Archer, ServiceNow GRC, MetricStream, OneTrust, and similar). Your GRC remains the system of record for risk-and-control workflows. BackPro automates the evidence and document work surrounding it — keeping registers current, surfacing findings, generating audit packages, and providing the tamper-evident chain that auditors increasingly expect. Findings export through standard formats so the integration is straightforward.
How is BackPro itself deployed for an APRA-regulated entity?
BackPro deploys entirely inside your Azure, AWS, or GCP tenant using production infrastructure-as-code. No customer data or model output leaves your perimeter. The platform is designed to align with APRA CPS 234 (Information Security) — encryption at rest and in transit, tenant isolation, role-based access control, audit logging on by default, and a tamper-evident audit chain. SOC 2 Type II and ISO/IEC 27001 readiness programs are underway.
Ready to take CPS 230 off the spreadsheet?
One walkthrough covers architecture, audit chain, deployment model, and how the platform maps to each CPS 230 pillar.