Effective 1 July 2025. Business continuity, critical operations, service provider management, and testing obligations. CyberHeed helps you prepare, comply, and demonstrate ongoing resilience.
Prudential Standard CPS 230 Operational Risk Management comes into effect on 1 July 2025. It replaces and consolidates CPS 231 (Outsourcing) and CPS 232 (Business Continuity Management), together with their superannuation and private health insurance equivalents SPS 231, SPS 232 and HPS 231. CPS 230 represents a fundamental shift in how APRA expects regulated entities to manage operational risk - from compliance-driven controls to outcome-focused resilience. The standard requires entities to be able to continue delivering their critical operations through severe but plausible disruptions.
CPS 230 applies to all APRA-regulated entities - the same scope as CPS 234:
All authorised deposit-taking institutions must identify critical operations, set tolerance levels for disruption, and demonstrate they can continue operating through severe but plausible scenarios.
Licensed insurers must ensure claims processing, policy management, and customer-facing operations can continue through disruptions. Service provider dependencies must be mapped and managed.
RSE licensees managing retirement savings must ensure member access, contribution processing, and investment operations remain resilient. The standard replaces SPS 231 and SPS 232 for super funds.
Private health insurers must ensure claims processing, member services, and provider payments continue through disruptions. Third-party dependencies - particularly technology providers - must be identified and managed. The standard replaces HPS 231 for private health insurers.
CPS 230 represents a significant uplift from previous standards. Key changes that affect every regulated entity:
Entities must identify critical operations - processes that, if disrupted beyond tolerance, could cause significant harm to depositors, policyholders, or fund members, or to the financial system. This is a new, explicit obligation: neither CPS 231 nor CPS 232 required entities to define critical operations against set criteria or to set tolerance levels for them.
For each critical operation, entities must set tolerance levels - the maximum period of disruption, the maximum extent of data loss, and the minimum service level the entity will accept. These must be approved by the board and tested through scenario exercises. Tolerances must reflect the impact on customers and the financial system, not just the entity itself.
Material service provider arrangements must be documented, risk-assessed, and monitored. Fourth-party risk (your provider's providers) must be considered. Exit strategies must be viable, not theoretical.
Business continuity plans must be tested against severe but plausible scenarios - at least annually for critical operations. Testing must include service providers and demonstrate the entity can stay within tolerance levels.
CPS 230 is structured around four pillars that together form a comprehensive operational resilience framework. Each pillar has specific obligations that APRA will assess during supervisory reviews.
Establish and maintain an operational risk management framework. The board must approve a risk appetite statement covering operational risk. The framework must identify, assess, manage, and report operational risks - including people, process, technology, and external event risks.
- Board-approved operational risk appetite and tolerance statements
- Three lines of defence model for operational risk
- Operational risk event identification, escalation, and reporting
- Scenario analysis for low-probability, high-impact events
- Integration with enterprise risk management framework
Maintain a business continuity plan (BCP) that sets out the entity's approach to maintaining critical operations within tolerance levels during disruptions. Plans must be actionable, tested, and current - not documents that sit in a drawer until crisis strikes.
- Business impact analysis for all operations
- Recovery time and point objectives for critical systems
- Business continuity plans covering people, premises, technology, and data
- Annual testing against severe but plausible scenarios
- Post-test remediation of identified gaps
Manage the risks associated with the use of service providers - including material arrangements, fourth-party dependencies, and offshoring. The entity cannot outsource accountability. CPS 230 requires a comprehensive register, due diligence, ongoing monitoring, and viable exit strategies for all material arrangements.
- Register of all material service provider arrangements
- Due diligence before entering material arrangements
- Contractual provisions for audit, access, and substitutability
- Ongoing monitoring of service provider performance and risk
- Viable exit strategies that can be executed under stress
- Fourth-party risk identification and management
Identify and manage critical operations - those processes that, if disrupted beyond tolerance, would cause significant harm to customers or the financial system. This is the centrepiece of CPS 230 and represents the most significant new obligation.
- Identification of critical operations using defined criteria
- Board-approved tolerance levels for each critical operation
- Mapping of processes, people, technology, and service providers supporting each critical operation
- Scenario testing demonstrating ability to stay within tolerance
- Remediation plans when testing reveals tolerance breaches
APRA has set clear milestones for CPS 230 implementation. Entities should be actively preparing now - July 2025 is the compliance date, not the start date.
July 2023: Final CPS 230 published by APRA. Entities begin gap assessments and implementation planning. Board engagement on critical operations identification.
1 July 2025: CPS 230 comes into effect. Entities must have operational risk frameworks, business continuity plans, service provider registers, and critical operations identified. The one transitional allowance is for material service provider arrangements already in place at this date: those contracts have until the earlier of their next renewal or 1 July 2026 to be brought into line with CPS 230.
Ongoing: Annual testing of business continuity plans against severe but plausible scenarios. Continuous monitoring of service provider arrangements. Board reporting on operational resilience posture.
CyberHeed maps every CPS 230 obligation across all four pillars, captures your current state, identifies gaps, and provides the framework for ongoing compliance and board reporting.
SmartPrep guides your team through structured conversations covering operational risk management, business continuity, service provider arrangements, and critical operations. AI captures your current state against each CPS 230 obligation and identifies where your preparations fall short.
Critical operation identification, tolerance level setting, and service provider mapping are structured into the assessment flow.
Upload evidence for each obligation. AI validates whether your documentation meets APRA's expectations. Business continuity plans, service provider registers, operational risk frameworks, critical operation assessments, and tolerance level documentation - each validated against CPS 230's requirements.
Complementary evidence from CPS 234 and ISO 27001 is cross-referenced automatically. What you've built for information security supports operational resilience.
CPS 230 requires continuous operational resilience - annual BCP testing, ongoing service provider monitoring, regular review of critical operations and tolerance levels. CyberHeed tracks every recurring obligation with owners, deadlines, and evidence.
Board reports on operational resilience posture are generated from your live compliance data. When APRA engages, your evidence is comprehensive and current.
CPS 230 and CPS 234 are complementary standards. Information security capability under CPS 234 directly supports operational resilience under CPS 230. ISO 27001's business continuity and supplier management controls overlap with both. CyberHeed maps across all three.
Information security capability, incident management, and third-party security assessments under CPS 234 directly support CPS 230's operational resilience, business continuity, and service provider management requirements.
ISO/IEC 27001:2022's business continuity controls (A.5.29 Information security during disruption, A.5.30 ICT readiness for business continuity), supplier relationship controls (A.5.19 to A.5.22), and incident management controls support CPS 230's business continuity and service provider pillars.
NIST CSF's Respond and Recover functions map to CPS 230's business continuity requirements. Risk management processes under Identify support CPS 230's operational risk management pillar.
Operational resilience. Critical operations. Service provider management. One platform to assess, evidence, and monitor it all.