The Australian Prudential Regulation Authority (APRA) has introduced Prudential Standard CPS 230 to enhance the operational resilience of financial institutions and protect the broader financial system from disruptions. APRA CPS 230 details the crucial requirements for managing operational risks, ensuring business continuity, and overseeing third-party service providers.
Both large financial institutions and smaller APRA-regulated entities must comprehend and implement Prudential Standard CPS 230 to establish a resilient operation capable of withstanding disruptions and safeguarding critical services.
This blog outlines Prudential Standard CPS 230, offering a clear definition, summarizing its essential elements, and providing a step-by-step guide to assist organizations in achieving compliance.
Explore more about CPS 230 and compliance strategies in our ARPA CPS 230 Practical Guide >
What is APRA CPS 230?
The Australian Prudential Regulation Authority’s Prudential Standard CPS 230 Operational Risk Management (ARPA CPS 230) is a standard focused on operational resilience for entities regulated by APRA, such as financial services including banks, insurers, and registrable superannuation entity licensees (RSE licensees).
CPS 230 includes requirements for operational risk management, business continuity planning, service provider management, and other incident management components. This regulatory standard is part of APRA’s broader initiative to strengthen Australia’s financial sector against material operational risks and ensure critical services remain available during disruptions or times of stress.
History of CPS 230
The APRA recognized Australia’s financial system was becoming increasingly complex, with interconnected relationships between technology, third-party service providers, and global operations. With this in mind, they began drafting a proposal for a new standard focused on a more integrated, robust, and resilience-focused management of operational risk.
In 2022, APRA released its first discussion paper outlining the proposal for CPS 230, beginning a consultation process with the financial sector. Following industry feedback and revisions, APRA finalized CPS 230 in late 2023. The new standard will come into effect on 1 July 2025, giving financial institutions sufficient time to adjust their current operational resilience frameworks to increase tolerance levels and ensure compliance with new requirements.
What’s different in CPS 230?
CPS 230 replaces three existing standards: CPS 231 (Outsourcing), CPS 232 (Business Continuity Management), and CPG 233 (Operational Risk Management). APRA introduced this new standard to address gaps in the existing framework and enhance the operational resilience of APRA-regulated entities. Additional key differences between CPS 230 and previous standards include:
- Unified approach: CPS 230 replaces CPS 231, CPS 232, and some of CPG 233, integrating outsourcing, business continuity, and operational risk management into a single framework for APRA-regulated entities.
- Stronger focus on operational resilience: CPS 230 emphasizes operational resilience over operational risk management, ensuring entities can maintain critical operations during disruptions with a proactive and systemic approach.
- Service provider management: In CPS 230, the focus extends to all third-party material service providers, requiring strict resilience criteria for all critical operational relationships.
- Incident management: CPS 230 introduces stricter incident management requirements, including reporting significant incidents to APRA and implementing systems to identify, monitor, and mitigate operational incidents.
- Enhanced board accountability: CPS 230 increases accountability for boards and senior management, requiring them to oversee operational risk and resilience measures actively.
- Greater emphasis on testing: CPS 230 requires more rigorous testing of business continuity and resilience plans, including the ability of third-party service providers to meet resilience obligations.
Overall, CPS 230 represents a more integrated, resilience-focused approach than the previous fragmented, risk-based frameworks of CPS 231, 232, and CPG 233.
Requirements of CPS 230
APRA CPS 230 sets out vital requirements to enhance the operational resilience and risk management practices of APRA-regulated entities and authorized deposit-taking institutions (ADIs). The main focus areas of CPS 230 are operational risk management, business continuity, and third-party service provider management.
Operational risk management
ARPA-regulated entities must identify and assess their operational risks under CPS 230, which may arise from factors related to people, processes, technology, and external events.
These institutions must establish adequate internal controls and mitigation strategies to manage these risks and safeguard their critical operations. Institutions must have robust processes for identifying, reporting, and responding to operational incidents and report significant incidents to APRA in a timely manner. Furthermore, APRA expects regulated entities to continuously review and improve their risk management processes and controls to ensure ongoing effectiveness.
Business continuity management (BCM)
Covered entities must implement business continuity management (BCM), which includes maintaining and testing comprehensive business continuity plans (BCPs). These plans ensure critical business operations remain available during severe disruptions.
Entities must establish recovery time objectives (RTOs) for critical business functions, ensuring these objectives are met during business disruptions. Regular testing of these business continuity plans is necessary to confirm their effectiveness in real-world scenarios, including testing disaster recovery and continuing critical operations.
Third-party service provider management
Entities are required to manage the risks posed by third-party service providers, particularly those offering critical services. Organizations should establish a robust service provider management policy that addresses associated risks.
This requirement involves having clear contracts and service-level agreements (SLAs) that address operational resilience. Before engaging with third-party providers, entities must conduct thorough due diligence to assess the provider’s ability to meet resilience requirements. Additionally, ongoing monitoring of third-party provider performance and resilience is required to ensure they meet operational standards. Entities must also establish contingency plans in case a third party or fourth party fails to deliver critical services, including the ability to switch to alternative providers if necessary.
Additional requirements
Alongside the three major areas of focus addressed above, CPS 230 also includes additional requirements covered entities must implement to meet compliance. These requirements include:
- Board and senior management accountability: Boards must ensure oversight and governance of risk management frameworks
- Resilience framework: Develop and test a comprehensive resilience framework covering all operational aspects
- Incident management: Provide notification of significant incidents and improve based on learnings
- Ongoing monitoring: Measure and track operational resilience performance
When will CPS 230 become effective?
CPS 230 will become effective on July 1, 2025. This implementation date gives APRA-regulated entities time to align their operational risk management and resilience frameworks with the new requirements.
8 steps to comply with CPS 230
Compliance with APRA CPS 230 is crucial for ensuring that APRA-regulated entities can effectively manage operational risks and maintain resilience in the face of disruptions. Below are eight key steps that provide a clear path to compliance with CPS 230. By following these steps, organizations can strengthen their operational resilience, ensure regulatory compliance, and mitigate the risks associated with operational disruptions.
1. Establish governance and accountability
To ensure effective compliance with CPS 230, an organization’s board of directors and senior management must be directly involved in overseeing operational resilience and risk management efforts.
This step involves establishing clear roles and responsibilities at the leadership level to ensure compliance obligations and accountability. The board should set the overall resilience strategy, approve critical policies, and regularly review risk management and business continuity practices. Additionally, senior management and stakeholders should be responsible for implementing and monitoring these practices to ensure they align with the organization’s risk appetite and regulatory requirements. Effective governance includes periodic reviews of the resilience framework, incident reports, and third-party risks, with the board taking ultimate responsibility for addressing gaps and ensuring continual improvement.
2. Develop an operational resilience framework
Creating a robust operational resilience framework is key to complying with CPS 230. This framework should comprehensively cover an organization’s operational risk profile, including the identification, assessment, and remediation of operational risks.
Critical business functions and services must be identified, and entities should develop strategies to protect these functions during disruptions. The framework should also integrate risk controls, incident response protocols, and third-party management strategies. By systematically identifying vulnerabilities and implementing preventive measures, organizations can better manage operational risks and enhance their ability to continue delivering critical services during unexpected events.
3. Build and implement business continuity planning
A core requirement of CPS 230 is having a comprehensive business continuity plan (BCP) to ensure that critical operations can continue during disruptions. This plan must outline recovery time objectives (RTOs) for essential business functions and include detailed strategies for maintaining service continuity to minimize data loss.
To build a resilient BCP, organizations should assess their critical processes and potential risks and then develop specific plans for mitigating these risks. Implementation includes ensuring all staff are aware of their roles during a disruption and that backup resources and infrastructure are in place. Regular training through simulated operational risk incidents and communication is essential to keeping the BCP effective, along with scheduled updates to reflect any changes in operations or risk exposure.
4. Conduct third-party risk management
Third-party relationships present significant operational risks, especially when institutions outsource critical functions to external providers. To comply with CPS 230, organizations must conduct thorough due diligence on potential third-party service providers and ensure the management of service provider arrangements.
These contracts should include service-level agreements (SLAs) that define resilience expectations, such as response times and recovery capabilities during disruptions. Continuous monitoring of third-party performance is essential, along with ongoing assessments to verify that providers are maintaining their operational resilience commitments to reduce third-party and fourth-party risks. Contingency plans must also be developed to address potential failures within the supply chain, ensuring that critical services can be maintained even in the event of a third-party disruption.
5. Implement incident management and reporting
Effective incident management is a key pillar of operational resilience. To comply with CPS 230, organizations must develop robust systems for identifying, responding to, and reporting operational incidents that threaten critical business functions.
This process includes setting up clear internal procedures for escalating incidents to the appropriate teams and leadership, enabling a coordinated response within a dedicated timeframe. Significant incidents, like data breaches, must be reported to APRA in a timely manner, as required by the standard. Organizations should also establish root cause analysis processes to understand the causes of incidents and take corrective actions to prevent recurrence. By effectively managing incidents and maintaining clear communication with regulators, entities can reduce the impact of disruptions on their operations.
6. Conduct regular testing and improvement
Compliance with CPS 230 requires regular testing of the organization’s resilience and business continuity plans to ensure they are effective under real-world conditions. Testing includes conducting scenario analysis, stress tests, and simulations of operational outages to evaluate the readiness of both internal teams and third-party providers.
Testing should focus on the entity’s ability to meet recovery time objectives (RTOs) and continue critical business functions during disruptions. Regular testing helps identify gaps in the resilience framework and material weaknesses and provides opportunities for improvement. Report the results of these tests to senior management and the board, who should ensure that identified weaknesses are addressed in a timely manner.
7. Maintain documentation and compliance
Maintaining accurate and comprehensive documentation is essential for CPS 230 compliance. Organizations must keep detailed records of their operational risk assessments, business continuity plans, third-party due diligence, incident reports, and test results.
Update this documentation regularly to reflect any changes in the organization’s operations, risk profile, or third-party arrangements. Proper record-keeping not only ensures compliance with regulatory requirements but also supports internal audits and reviews of the operational resilience framework. Additionally, organizations must be prepared to provide documentation to APRA when requested, ensuring transparency and demonstrating adherence to the standard. Periodic internal audits can help verify that documentation is complete and up to date.
CPS 230 Prudential Practice Guide
The APRA's Prudential Practice Guide (CPG 230 Operational Risk Management) guides APRA-regulated entities on how to comply with CPS 230, focusing on operational risk management and resilience. While the guide is not enforceable, it offers practical advice on implementing sound practices for managing risks related to people, technology, processes, and external events. It also emphasizes the importance of business continuity planning, third-party risk management, and incident response to ensure critical operations can continue during disruptions.
The guide highlights the principle of proportionality, where the expectations for compliance vary based on an entity’s size and complexity. Larger institutions are expected to have more robust risk management practices. As entities grow, their operational risk management and resilience frameworks should evolve accordingly. Enforceable requirements from CPS 230 are highlighted in blue boxes, while the rest of the guide offers practical, non-enforceable advice to help organizations enhance their operational resilience.
Achieve CPS 230 Compliance with UpGuard
UpGuard provides organizations with all the necessary tools to meet the cybersecurity requirements of APRA CPS 230. It offers security teams a centralized platform to identify, assess, and mitigate significant risks across their internal systems and third-party partnerships.
By using UpGuard, organizations can better understand their risk profile, identify operational risks and vulnerabilities, automate workflows, and gain real-time insights. These features allow for improved collaboration among stakeholders and comprehensive compliance with CPS 230 and other critical regulations such as GDPR, EU Cybersecurity Act, etc.
Here’s how UpGuard can help your organization strengthen its cybersecurity and compliance management programs:
- Real-time scanning: Don’t accept an incomplete or lagging picture of your attack surface. Protect your domains, IP, and external assets with real-time scans.
- Instant alerts: Be alerted the moment a vulnerability is detected. Receive notifications where your team works, whether Jira, Service Now, or another platform like Slack.
- Detect stolen credentials: Know when your data or credentials are circulating online or at risk of unauthorized access. UpGuard combines proprietary sources and dark web scanning to spot leaked data faster.
- Constant vendor monitoring: Get alerted whenever the security posture of a third or fourth party changes. Continuous monitoring ensures you’re always the first to know.
- 360° risk assessments: See your vendor risks from all angles. Automated scanning, evidence analysis, and insights from industry questionnaires (NIST, GDPR, ISO 27001) give you the complete picture of your service providers.
- End-to-end workflows: Forget spreadsheets and stale data. Transform your processes with a single platform for identifying and managing risk mitigation.
