APRA’s Prudential Standard CPS 230, effective from 1 July 2025, is a significant regulatory development impacting a wide range of financial institutions in Australia. Its core objective is to ensure APRA-regulated entities are resilient to operational risks and disruptions. The standard mandates robust frameworks for managing operational risk, maintaining critical operations through disruptions (Business Continuity), and managing risks associated with service providers. These requirements are detailed and prescriptive, creating a substantial compliance burden and a clear need for effective, integrated risk management software solutions across the regulated entity landscape.
Key Requirements and Market Opportunities:
CPS 230 presents a comprehensive set of requirements that directly align with the capabilities offered by modern risk management software platforms. The standard requires entities to effectively manage operational risks, maintain critical operations during disruptions, and manage risks from service providers. An entity’s approach must be appropriate to its size, business mix, and complexity.
Here are the key areas mandated by the standard:
- Operational Risk Management Framework:
  - Entities must identify, assess, and manage their operational risks. Operational risk is inherent in all products, activities, processes, and systems, and may result from inadequate or failed internal processes or people, or from external events.
  - Management must cover the full range of risks, including legal, regulatory, compliance, conduct, technology, data, and change management risks.
  - A comprehensive assessment of the operational risk profile is required. This includes assessing the impact of business and strategic decisions on the profile and on operational resilience.
  - Entities must maintain appropriate and effective information systems to monitor operational risk, compile and analyse data, and facilitate reporting to the Board and senior management. This is a direct call for software solutions.
  - Internal controls must be designed, implemented, and embedded to mitigate risks. Controls must be regularly monitored, reviewed, and tested for effectiveness. Gaps and deficiencies must be reported and rectified in a timely manner, with material weaknesses remediated under clear accountability. Identified control gaps must be included in the operational risk profile until remediated. Software can support control frameworks, testing workflows, and gap tracking.
  - Entities must undertake scenario analysis to identify the potential impacts of severe operational risk events, test resilience, and identify mitigation strategies. Software can facilitate scenario planning and analysis.
  - Operational risk incidents and near misses must be identified, escalated, recorded, and addressed in a timely manner; they feed into the risk profile and into assessments of control effectiveness. Software providing incident management capabilities is relevant here.
  - Entities must notify APRA of material operational risk incidents (those with a material financial impact or a material impact on critical operations) within 72 hours. Software can support notification workflows.
- Business Continuity (Critical Operations):
  - Entities must be able to continue delivering critical operations within tolerance levels through severe disruptions, supported by a credible business continuity plan (BCP).
  - Critical operations are those which, if disrupted beyond tolerance levels, would have a material adverse impact on customers (depositors, policyholders, beneficiaries) or on the financial system. Specific examples listed include payments, deposit-taking, claims processing, investment management, fund administration, customer enquiries, and the systems and infrastructure that support them.
  - Entities must identify, define, and maintain a register of critical operations.
  - For each critical operation, tolerance levels must be established for the maximum disruption time, the maximum data loss, and the minimum service levels to be maintained under alternative arrangements. APRA may require changes to these levels or set them itself. Software can help track critical operations, their associated resources (people, technology, information, facilities, service providers), dependencies, risks, and controls, and monitor compliance with tolerance levels.
  - A credible BCP must be maintained, detailing how critical operations will be maintained within tolerance. This includes triggers, actions, an assessment of execution risks, resources, and dependencies, and a communications strategy. Disaster recovery planning for critical IT assets is required.
  - The BCP must be regularly tested against severe but plausible scenarios. A systematic testing program covering all critical operations, including an annual exercise, is required. Scenarios should include disruptions to material service providers and situations where contingency arrangements are needed. APRA may require specific scenarios. Software is key to managing testing programs, recording results, and tracking findings.
  - Entities must notify APRA within 24 hours of a disruption to a critical operation that is outside tolerance. Software can facilitate this reporting.
- Management of Service Provider Arrangements:
  - Entities must effectively manage the risks associated with service providers, including those providing services for critical operations.
  - A comprehensive service provider management policy is required, covering the identification of material providers, the management of arrangements, and the associated risks, including risks from fourth parties that material service providers rely on for critical operations. Software can help enforce policy workflows.
  - Entities must identify and maintain a register of material service providers, meaning those relied upon for critical operations or those that expose the entity to material operational risk. Examples include core technology services, internal audit, and specific services relevant to different entity types (e.g., credit assessment, claims management, fund administration). This register must be submitted to APRA annually. Software can manage this register.
  - Before entering into or materially modifying a material arrangement, entities must conduct due diligence (selection process, assessment of the provider's ability) and a risk assessment (financial and non-financial, geographic, concentration). Software can streamline due diligence and risk assessment processes.
  - Material arrangements require a formal, legally binding agreement. Key required clauses include: specifying the services and service levels; rights and responsibilities (data ownership and control, audit access, liability); ensuring the entity's legal and compliance obligations can be met; requiring the service provider to notify the entity of its material sub-contractors (fourth parties); ensuring the service provider is liable for sub-contractor failure; force majeure; and termination rights (including specific RSE licensee requirements). Agreements must also allow APRA access to documentation and data and on-site visits to the service provider. Software can support contract management and clause tracking.
  - Entities must manage risks affecting the provider's ability to deliver the service and risks to the entity itself (e.g., step-in, contagion), ensure the BCP can be executed using the provider, and ensure an orderly exit from the arrangement if needed. Software can support ongoing risk assessment and exit planning.
  - Monitoring and reporting on material arrangements is required, covering performance (service levels), control effectiveness, and compliance of both parties with the agreement. Software can provide dashboards and reporting on service provider performance and risk.
  - Notifications to APRA are required within 20 business days of entering into or changing an agreement for a critical operations service, and prior to entering into a material offshoring arrangement or making a significant change to one. Software can trigger notifications based on contract events.
  - Internal audit must review proposed material outsourcing of critical operations and regularly report on compliance with the service provider policy. Software can provide audit trails and reporting.
Target Market:
The standard applies broadly to all APRA-regulated entities. This includes:
- Authorised deposit-taking institutions (ADIs)
- General insurers
- Life companies
- Private health insurers
- Registrable superannuation entity (RSE) licensees
The requirements also apply to the Head of a group, ensuring application throughout the group, including non-APRA-regulated entities, and on a group basis. For foreign ADIs, Category C insurers, and EFLICs, the obligations apply only to their Australian branch operations.
Timeline:
The standard commences on 1 July 2025. For pre-existing service provider contractual arrangements, the requirements apply from the earlier of the contract's next renewal date or 1 July 2026. This provides a transition period for existing service provider relationships, but the core operational risk and business continuity requirements commence in July 2025.
APRA’s Role:
APRA is Australia's prudential supervisor, focused on the stability, competitiveness, and efficiency of the financial system. It authorises entities and monitors their compliance. Where APRA considers an entity's operational risk management to have material weaknesses, it may require an independent review or a remediation program, require additional capital, impose licence conditions, or take other actions. This regulatory oversight is a significant driver for entities to invest in robust compliance solutions. APRA actively engages with the industry through publications, consultations, and speeches, indicating a strong focus on operational resilience.
What's the takeaway for a software vendor:
CPS 230 creates a mandatory and comprehensive framework for operational risk, business continuity, and service provider management across the Australian financial sector. The standard explicitly calls for effective information systems and detailed processes in areas such as risk assessment, control testing, scenario analysis, incident management, critical operations tracking, BCP testing, service provider due diligence, contract management, and ongoing monitoring/reporting. These requirements represent significant functional needs that APRA-regulated entities will seek to address, creating a clear market opportunity for advanced risk management software solutions that can help entities achieve and demonstrate compliance. The 1 July 2025 effective date creates a near-term catalyst for entities to assess and implement appropriate technology.