CPS 232 required a Board-approved BCM policy, a business impact analysis, and documented business continuity plans. CPS 232 was revoked on 1 July 2025 and consolidated into CPS 230 Operational Risk Management. For most APRA-regulated entities, business continuity obligations are now governed by CPS 230.
Prudential Standard CPS 232 Business Continuity Management required APRA-regulated institutions to implement a whole-of-business approach to business continuity — ensuring critical business operations could be maintained or recovered in a timely fashion in the event of a disruption, minimising financial, legal, regulatory and reputational consequences.
CPS 232 was revoked on 1 July 2025. Its requirements have been consolidated into CPS 230 Operational Risk Management, which covers business continuity alongside service provider management and the broader operational risk framework. For most APRA-regulated entities, CPS 232 obligations are now met under CPS 230.
Transition arrangements: Per APRA's implementation guidance, non-significant financial institutions (non-SFIs) — predominantly smaller superannuation licensees under SPS 232 — were provided a transition period to continue applying SPS 232 requirements until 1 July 2026. Entities should confirm the applicable transition arrangements with APRA directly for their specific circumstances.
CPS 232 applied to all APRA-regulated institutions in banking, insurance, and life insurance sectors:
All authorised deposit-taking institutions (including foreign ADIs) and authorised banking non-operating holding companies. Banks were required to identify, assess, manage, mitigate and report on business continuity risks to meet their financial and service obligations to depositors and other stakeholders (paragraph 17).
All general insurers (including Category C insurers), authorised insurance NOHCs, life companies, friendly societies, eligible foreign life insurance companies, and registered life NOHCs. Insurers needed to maintain claims processing, policy administration, and customer service capability.
RSE licensees were not treated as APRA-regulated institutions under CPS 232 (footnote 1) and were instead covered by the parallel Prudential Standard SPS 232 Business Continuity Management. Super funds had to ensure continuity of member contributions, investment operations, and benefit payments. Entities should confirm their current transition obligations directly with APRA.
Business continuity management was, and remains, a prudential concern. When a regulated entity fails to maintain critical operations through a disruption, the consequences fall on depositors, policyholders, fund members, and the broader financial system. CPS 232 made the Board ultimately responsible for BCM — not just an operational concern, but a governance one.
CPS 230 represents a meaningful uplift from CPS 232. Both standards required that critical operations be maintained or recovered through disruptions (CPS 232 paragraph 20). CPS 230 goes further by introducing tolerance levels — predefined maximum disruption limits for each critical operation — and requiring entities to demonstrate they can stay within those tolerances through severe but plausible scenarios. CPS 230 also brings service provider management obligations (previously separate) into the same consolidated framework.
CPS 232 set out five key obligations for APRA-regulated institutions, structured across paragraphs 20 to 39. Entities still subject to CPS 232 or SPS 232 during any applicable transition period must continue to meet these requirements. Entities now under CPS 230 will recognise most of these obligations in the new standard, with additional requirements around critical operations, tolerance levels, and service provider management.
Maintain a Business Continuity Management policy for the institution or group, approved by the Board. The Board held — and under CPS 230 still holds — ultimate responsibility for business continuity, whether or not operations are outsourced.
- Whole-of-business approach appropriate to the nature and scale of operations
- Policy coverage across the entity and its group, including non-APRA-regulated subsidiaries where material
- Clear allocation of accountabilities for BCM across senior management
A BIA involves identifying all critical business functions, resources and infrastructure and assessing the impact of disruption on these (paragraph 26). When conducting the BIA, the institution must consider: plausible disruption scenarios over varying periods of time; how long the institution could continue to function without each critical business operation; the extent to which a disruption could materially impact depositors and/or policyholders; and the financial, legal, regulatory and reputational impact over varying time periods (paragraph 27).
- Critical business operations identified and documented
- Impact assessed on depositors, policyholders and other stakeholders across varying time periods
- Financial, legal, regulatory and reputational consequences quantified
- Recovery objectives defined — recovery time and recovery level for each critical operation (paragraph 28)
Maintain at all times a documented BCP setting out the procedures and information that enable the institution to manage an initial business disruption (crisis management) and recover critical business operations (paragraphs 30–31).
- Critical business operations identified (para 32(a))
- Recovery levels and time targets for each critical operation (para 32(b))
- Recovery strategies for each critical operation (para 32(c))
- Infrastructure and resources required to implement the BCP (para 32(d))
- Roles, responsibilities and authorities to act in relation to the BCP (para 32(e))
- Communication plans with staff and external stakeholders (para 32(f))
- Where material business activities are outsourced, the adequacy of the service provider's BCP must be assessed and dependencies between BCPs considered (para 33)
Review and test the BCP at least annually, or more frequently if there are material changes to business operations (paragraph 34). Results must be formally reported to the Board or delegated management. The BCP must be updated if shortcomings are identified (paragraph 35).
- Annual review and testing of the BCP, with results formally reported to the Board or delegated management (para 34)
- BCP updated when shortcomings are identified (para 35)
- Periodic independent review by the internal audit function or an appropriate external expert, providing assurance to the Board that: the BCP is in accordance with the BCM policy and addresses the risks it is designed to control; and testing procedures are adequate and have been conducted satisfactorily (paragraph 38)
- APRA may request the external auditor or another external expert to provide an assessment of the institution's BCM arrangements (para 39)
BCM must include programmes for training staff and ensuring their awareness in relation to BCM (paragraph 22(e)(ii)). This is a distinct BCM component, separate from the BCP review and testing programme.
Notify APRA as soon as possible — and no later than 24 hours — after experiencing a major disruption that has the potential to have a material impact on the institution's risk profile or affect its financial soundness (paragraph 36). The notification must explain the nature of the disruption, the action being taken, the likely effect and the timeframe for returning to normal operations. A further notification must be made when normal operations resume.
- 24-hour notification window from becoming aware of the major disruption
- Notification must cover: nature of disruption, action being taken, likely effect, and expected timeframe for return to normal operations
- Follow-up notification required upon resumption of normal operations
Notify APRA as soon as possible — and no later than 24 hours — after experiencing a disruption that has the potential to materially impact the entity's risk profile or financial soundness. Notify APRA again when normal operations resume.
- 24-hour notification window for major disruptions
- Clear description of the disruption, actions being taken, and expected recovery timeframe
- Follow-up notification upon resumption of normal operations
Whether your entity is still operating under CPS 232 during the transition period, or has moved to CPS 230, CyberHeed maps your business continuity posture against the applicable standard, captures your current state, identifies gaps, and provides the framework for ongoing compliance.
SmartPrep guides your team through structured conversations covering your BCM policy, business impact analysis, business continuity plan, and testing programs. AI captures your current state against each applicable obligation — under CPS 232, SPS 232, or CPS 230 — and identifies gaps in your business continuity framework.
Upload evidence for each obligation. AI validates whether your BCM policy, BIA, BCP, and testing evidence meet APRA's expectations. For entities transitioning to CPS 230, we map existing CPS 232 evidence to the new critical operations and tolerance levels framework.
Track BCP testing cycles, manage APRA notification obligations, schedule independent reviews, and generate board reports on business continuity posture. CyberHeed ensures your BCM programme remains current between APRA engagements.
BCM policy. Business impact analysis. Business continuity plan. Review, testing and audit. Training and awareness. APRA notification. One platform across the transition.