
CPS 230 — Operational Risk Management

The APRA prudential standard that requires regulated financial entities to manage operational risk, maintain critical operations, and handle disruptions to material service providers.

Definition

CPS 230 (Operational Risk Management) is a prudential standard issued by the Australian Prudential Regulation Authority (APRA). It applies to all APRA-regulated entities — banks, insurers, and superannuation funds — and took effect 1 July 2025. CPS 230 consolidates and strengthens APRA’s expectations across operational risk management, business continuity, and the management of material service providers. It replaces several earlier prudential standards (CPS 231, CPS 232, SPS 231, SPS 232).

The standard moves the goal posts from “have a policy” to “demonstrate effective execution.” Boards must approve an operational risk management framework, and management must be able to evidence that critical operations stay within board-approved tolerances during disruption.

What it requires

  1. A documented operational risk management framework approved by the board.
  2. Identification of critical operations and the tolerance levels for disruption.
  3. A current register of material service providers with risk assessments and contingency arrangements.
  4. Business continuity plans tested regularly and updated after every material incident.
  5. Incident management procedures with timely escalation to APRA where thresholds are met.

Why it matters

CPS 230 is the standard APRA uses to assess whether your operational risk posture is fit for purpose. An incident, an audit finding, or a service-provider outage will be scored against the CPS 230 framework — not against your own internal definitions. Most firms struggle not with writing the framework but with continuously evidencing the controls in operation, which is exactly where a continuous evidence layer pays for itself.