APRA CPS 230

APRA CPS 230. Operational resilience for regulated entities.

Effective 1 July 2025. Business continuity, critical operations, service provider management, and testing obligations. CyberHeed helps you prepare, comply, and demonstrate ongoing resilience.

- Effective date: July 2025
- Regulator: APRA (Australian Prudential Regulation Authority)
- 3 key obligations
- ISO/IEC 27001:2022 certified
- 18 years in Australian financial regulation
- Australian data residency
What is CPS 230?

APRA's new standard for operational resilience. Consolidating service provider and business continuity obligations.

Prudential Standard CPS 230 Operational Risk Management comes into effect on 1 July 2025. It consolidates business continuity management (previously in CPS 232 and SPS 232) and service provider management into a single operational resilience framework. CPS 230 represents a fundamental shift in how APRA expects regulated entities to manage operational risk — from compliance-driven controls to outcome-focused resilience. The standard requires entities to be able to continue to deliver critical operations through severe disruptions.

Who Must Comply?

CPS 230 applies to all APRA-regulated entities: authorised deposit-taking institutions (ADIs), general insurers, life companies, private health insurers, and RSE licensees (paragraph 2).

ADIs (Banks, Credit Unions, Building Societies)

All authorised deposit-taking institutions must identify critical operations — including payments, deposit-taking and management, custody, settlements and clearing — set tolerance levels for disruption, and demonstrate they can continue operating through severe but plausible scenarios.

General and Life Insurers

Licensed insurers must classify claims processing as a critical operation at minimum, and ensure it can continue through disruptions. Service provider dependencies must be mapped and managed.

Superannuation Entities

RSE licensees must classify investment management and fund administration as critical operations at minimum. CPS 230 consolidates the business continuity obligations previously in SPS 232, alongside new requirements for critical operations, tolerance levels and service provider management.

Private Health Insurers

Private health insurers must classify claims processing as a critical operation at minimum. Third-party dependencies — particularly technology providers — must be identified and managed as material service providers where applicable.

Why CPS 230 Matters Now

CPS 230 represents a significant uplift from previous standards. Key changes that affect every regulated entity:

Critical Operations

Entities must identify critical operations — defined in paragraph 35 as processes which, if disrupted beyond tolerance levels, would have a material adverse impact on depositors, policyholders, beneficiaries or other customers, or the entity's role in the financial system. Paragraph 36 sets minimum classifications by entity type.

Tolerance Levels

For each critical operation, entities must establish tolerance levels covering: the maximum period of disruption the entity would tolerate; the maximum extent of data loss it would accept; and the minimum service levels it would maintain while operating under alternative arrangements (paragraph 38). These must be approved by the Board.

Service Provider Management

Material service provider arrangements must be documented, risk-assessed, and monitored. Fourth-party risk — the parties that material service providers themselves rely on — must also be managed (paragraph 48). Formal agreements must include termination provisions and the ability to conduct an orderly exit.

Testing Obligations

Business continuity plans must be tested through a systematic testing programme covering all critical operations, including an annual business continuity exercise, against a range of severe but plausible scenarios (paragraph 43). Testing must include scenarios involving disruptions to material service providers.

Three Key Obligations

The three key obligations of CPS 230.

CPS 230 is built around three key requirements stated at the outset of the standard: manage operational risks effectively, maintain critical operations within tolerance levels through severe disruptions, and manage the risks associated with service providers. The following areas of obligation sit within these three requirements and will each be assessed during APRA supervisory reviews.

Pillar 1 - Operational Risk Management

As part of its risk management framework, an APRA-regulated entity must develop and maintain: governance arrangements for oversight of operational risk; an assessment of its operational risk profile with a defined risk appetite supported by indicators, limits and tolerance levels; internal controls that are designed and operating effectively; appropriate monitoring, analysis and reporting of operational risks; BCPs regularly tested with severe but plausible scenarios; and processes for managing service provider arrangements (paragraph 16).

- Board-approved operational risk appetite and tolerance statements (para 16)

- Operational risk event identification, escalation, and reporting — including near misses (paras 16, 32)

- Scenario analysis to assess the potential impact of severe operational risk events (para 27)

- Integration with the entity's overall risk management framework under CPS 220 (para 18)

- Technology risk management and information security capability meeting CPS 234 requirements (para 25)

Pillar 2 - Business Continuity

An APRA-regulated entity must maintain a credible BCP that sets out how it would maintain critical operations within tolerance levels through disruptions, including disaster recovery planning for critical information assets (paragraph 34). The BCP must be actionable and tested — not a document that sits unused until crisis strikes.

- Register of critical operations and associated tolerance levels (para 40(a))

- Triggers to identify a disruption and activate the plan, with arrangements to direct resources (para 40(b))

- Actions to maintain critical operations within tolerance levels through disruptions (para 40(c))

- Assessment of execution risks, required resources, and internal and external dependencies (para 40(d))

- Communications strategy to support execution of the plan (para 40(e))

- Annual BCP update to reflect changes in structure, business mix, strategy or risk profile (para 45)

- Periodic internal audit review of the BCP with assurance to the Board (para 46)

Pillar 3 - Service Provider Management

An APRA-regulated entity must maintain a comprehensive service provider management policy and cannot outsource its accountability. The policy must cover how the entity identifies material service providers, manages material risks, and manages risks from fourth parties that material service providers rely on to deliver critical operations (paragraphs 47–48).

- Register of all material service providers, submitted to APRA annually (paras 49, 51)

- Due diligence before entering or materially modifying a material arrangement (para 53)

- Formal legally binding agreements covering service levels, audit access, data ownership, liability, and termination provisions including APRA's right of access and on-site visit (paras 54–55)

- Ongoing monitoring of service provider performance, controls effectiveness, and agreement compliance (para 58)

- APRA notification within 20 business days of entering into or materially changing a critical operation arrangement (para 59(a))

- Prior notification to APRA before entering any material offshoring arrangement (para 59(b))

- Fourth-party risk identification and management (para 48)

Pillar 4 - Critical Operations and Tolerance Levels

Identify and manage critical operations — those processes which, if disrupted beyond tolerance levels, would have a material adverse impact on depositors, policyholders, beneficiaries or other customers, or the entity's role in the financial system (paragraph 35). Paragraph 36 sets minimum classifications by entity type.

- Define, identify and maintain a register of critical operations (para 34(a))

- Establish tolerance levels for each critical operation: maximum disruption period, maximum data loss, and minimum service levels under alternative arrangements (para 38)

- Map processes, people, technology, information, facilities and service providers supporting each critical operation, including interdependencies (para 27)

- Annual business continuity exercise covering all critical operations, tested against severe but plausible scenarios including service provider disruptions (paras 43–44)

- Report any failure to meet tolerance levels to the Board, with a remediation plan (para 41)

Implementation Timeline

Key dates for CPS 230 compliance.

APRA has set clear milestones for CPS 230 implementation. CPS 230 came into force on 1 July 2025. Entities that have not yet completed their implementation are now out of compliance.

July 2023

Final CPS 230 published by APRA. Entities begin gap assessments and implementation planning. Board engagement on critical operations identification.

1 July 2025

CPS 230 comes into effect. All requirements are mandatory from this date. Entities must have operational risk frameworks, business continuity plans, service provider registers, and critical operations identified.

Ongoing

Annual testing of business continuity plans against severe but plausible scenarios. Continuous monitoring of service provider arrangements. Board reporting on operational resilience posture.

APRA Notification Obligations

CPS 230 imposes two distinct notification windows. First, entities must notify APRA as soon as possible and no later than 72 hours after becoming aware of an operational risk incident that is likely to have a material financial impact or materially affect the entity's ability to maintain its critical operations (paragraph 33). Second, entities must notify APRA as soon as possible and no later than 24 hours after suffering a disruption to a critical operation outside its approved tolerance levels (paragraph 42). The 24-hour notification must cover the nature of the disruption, actions taken, likely business impact, and expected timeframe for returning to normal operations.

Prepare - Comply - Manage

How CyberHeed handles CPS 230 compliance

CyberHeed maps every CPS 230 obligation across operational risk management, business continuity, service provider management, and critical operations — captures your current state, identifies gaps, and provides the framework for ongoing compliance and board reporting.

1. Prepare: Assess Readiness

SmartPrep guides your team through structured conversations covering operational risk management, business continuity, service provider arrangements, and critical operations. AI captures your current state against each CPS 230 obligation and identifies where your preparations fall short.

Critical operation identification, tolerance level setting, and service provider mapping are structured into the assessment flow.

2. Comply: Documentation and Evidence

Upload evidence for each obligation. AI validates whether your documentation meets APRA's expectations. Business continuity plans, service provider registers, operational risk frameworks, critical operation assessments, and tolerance level documentation - each validated against CPS 230's requirements.

Complementary evidence from CPS 234 and ISO 27001 is cross-referenced automatically. What you've built for information security supports operational resilience.

3. Manage: Ongoing Resilience

CPS 230 requires continuous operational resilience - annual BCP testing, ongoing service provider monitoring, regular review of critical operations and tolerance levels. CyberHeed tracks every recurring obligation with owners, deadlines, and evidence.

Board reports on operational resilience posture are generated from your live compliance data. When APRA engages, your evidence is comprehensive and current.

Get CPS 230 ready.

Operational resilience. Critical operations. Service provider management. One platform to assess, evidence, and monitor it all.
