APRA CPS 230: the 2026 guide for Australian financial services.
Operational risk management — the standard that absorbs CPS 232, CPS 231 and CPS 233 into one. In force since 1 July 2025. Cybereen helps you operationalise it without recreating spreadsheets.
What is CPS 230 — and why it's new
CPS 230 — Operational Risk Management is APRA's prudential standard requiring regulated entities to manage operational risk, maintain critical operations through disruptions, and oversee the service providers they rely on. It is the most significant change to APRA's operational-risk framework in over a decade.
The standard moves the bar from documenting that risks exist to proving you can keep running when something fails. Its core demand is concrete: identify your critical operations, set tolerance levels for how much disruption you can absorb, and be able to evidence that you stay within them. It came into force 1 July 2025 and sits alongside CPS 234 (information security) and CPS 220 (risk management).
APRA pairs the standard with CPG 230, a prudential practice guide. CPG 230 isn't legally binding, but it's how APRA describes good practice and how reviewers form a view. If your operational-risk profile, continuity testing and service-provider register don't map cleanly to CPG 230, a review gets uncomfortable quickly.
What it replaces — and what's now consolidated
CPS 230 absorbs three older, narrower standards into a single operational-risk regime. Where you once maintained separate frameworks, policies and evidence trails, APRA now expects one coherent programme.
- CPS 231 — Outsourcing. Outsourcing obligations are replaced by the broader concept of management of service providers, which captures any material arrangement, not just formal outsourcing.
- CPS 232 — Business Continuity Management. BCM is folded in and re-pitched around critical operations and tolerance levels rather than recovery-time objectives in isolation.
- CPS 233 and the industry-specific equivalents. The superannuation and insurance counterparts (the SPS and HPS lines) are consolidated so the same expectations apply across all APRA-regulated entities.
The intent is consolidation, not addition: one operational-risk lens covering risk profile, continuity and third parties, with a single set of evidence rather than three parallel ones.
The three pillars of CPS 230
The standard's requirements group cleanly into three pillars. Most of the implementation effort — and most review findings — concentrate in the second and third.
Operational risk management
Maintain a clear operational risk profile, effective internal controls, and monitoring that detects when risk moves outside appetite — across the whole entity.
Business continuity
Identify critical operations, set tolerance levels, and maintain a business continuity plan that is regularly tested against credible severe-but-plausible scenarios.
Management of service providers
Maintain a register of material service providers, manage the risks of relying on them, and ensure arrangements support your critical operations and tolerance levels — including providers used by your providers.
Critical operations — how to identify yours, and why it matters
Critical operations are the processes that, if disrupted beyond tolerance, would have a material adverse impact on your depositors, policyholders or beneficiaries — or on financial system stability. They are the spine of the whole standard: tolerance levels, continuity testing and service-provider scope all hang off the list you draw up here.
APRA names some operations it expects most entities to treat as critical — payments, settlements, deposit-taking, claims processing, fund administration — but the obligation is to reason it out for your own business, not to copy a list. Under-scoping is the most common early mistake; an operation you leave off is one you have implicitly decided you can lose.
Tolerance levels — APRA's expectation for how you set and breach them
For each critical operation, CPS 230 requires you to set tolerance levels: the maximum level of disruption you are willing to accept before the impact becomes unacceptable. They are deliberately quantitative — a target you can test against, not a statement of intent.
Maximum disruption
The longest period a critical operation can be down before the impact is material.
Maximum data loss
The most recent point to which data must be recoverable after an incident.
Minimum service level
The reduced level of service that must be maintained while disrupted.
The harder discipline is what happens at the edge. APRA expects you to know when you are approaching or have breached a tolerance, to escalate it internally, and to notify APRA as soon as possible (and no later than 24 hours after becoming aware of it) where a disruption to a critical operation goes outside tolerance. Tolerances that are never tested, or set so loosely they can't be breached, are a review finding in waiting.
Service-provider obligations under CPS 230
CPS 230 replaces the narrow idea of "outsourcing" with the broader management of service providers. If a provider supports a critical operation, the arrangement is in scope — whether or not it's a formal outsourcing contract, and whether or not it sits offshore.
You must maintain a register of material service providers, manage the risks of relying on them, and ensure your agreements give you what you need to meet your own tolerance levels. Crucially, the obligation extends to fourth parties — the providers your providers depend on — where they could disrupt a critical operation.
- A register of material service providers, mapped to the critical operations each one supports.
- Agreements that include the rights, service levels and continuity commitments your tolerances depend on.
- Visibility of material fourth-party dependencies and concentration risk behind your key providers.
- Notification to APRA before entering into, or on becoming aware of changes to, agreements for material service providers.
Business continuity — the new bar for testing and recovery
CPS 230 raises business continuity well above the old CPS 232 baseline. A continuity plan that lives in a document and is reviewed annually no longer clears the bar — APRA wants evidence the plan works under stress.
The standard requires a business continuity plan covering all critical operations, and a programme that tests it against a range of severe-but-plausible scenarios — not just the convenient ones. Testing must be frequent enough to give genuine assurance, must involve material service providers where they're part of recovery, and must feed lessons back into the plan.
- A BCP that maps to your critical operations and their tolerance levels.
- A scheduled testing programme using credible severe scenarios, with material providers involved.
- Dated test results, identified weaknesses, and evidence those weaknesses were remediated.
Board responsibilities — what CPS 230 means at the top
CPS 230 places clear, non-delegable accountability with the Board. The Board is ultimately responsible for the entity's operational risk management, and for approving the operational risk appetite and the business continuity plan.
The Board can delegate execution — to management, a committee, or a provider — but APRA expects to see it engaged: that it has endorsed the list of critical operations and their tolerance levels, that it receives meaningful information on operational resilience, and that it challenges service-provider concentration and continuity test results rather than noting them.
How CPS 230 interacts with CPS 234 (information security)
CPS 234 — Information Security has applied since 1 July 2019 and covers the confidentiality, integrity and availability of information assets. CPS 230 is broader: information security is one source of operational risk, and a cyber incident is one way a critical operation gets disrupted.
The cleanest way to hold the two in your head: CPS 234 is the cyber lens; CPS 230 is the operational-risk lens. Both apply to the same entities, and they overlap by design — third-party management, incident response and resilience testing appear in both. Maintaining two parallel evidence bases is wasted effort; the same control and provider evidence should satisfy both standards.
APRA's transition expectations and review cadence
CPS 230 took effect 1 July 2025, but APRA built in a staged path for the hardest part — existing service-provider agreements. Both dates below matter for planning, and APRA has signalled it expects demonstrable maturation rather than a single point of "done".
1 July 2025
The standard is in force. Critical operations, tolerance levels, the operational risk profile and the continuity programme are all expected to be operating.
1 July 2026
Pre-existing agreements with material service providers must be brought into line by the earlier of their next renewal or 1 July 2026.
APRA's posture through transition is supportive but watchful: it has been explicit that entities should be making real progress, not waiting for a review to start. Expect operational resilience to feature in supervisory reviews, thematic work and post-incident probes — and expect tolerance breaches and provider concentration to draw the most scrutiny.
Common implementation pitfalls
From the patterns emerging across early CPS 230 programmes, the same gaps recur regardless of entity size.
1. Critical operations scoped too narrowly
The list is drawn to keep it manageable, not to reflect reality. Operations that clearly affect members or policyholders are left off — and with them, their tolerances and provider dependencies.
2. Tolerances set, never tested
Tolerance levels exist on paper but the continuity programme never stresses them. CPS 230 asks for severe-but-plausible testing that can actually breach a tolerance — an annual desktop walk-through doesn't qualify.
3. Service-provider register that stops at tier one
Direct providers are catalogued, but material fourth-party and concentration risk is invisible. When a shared upstream provider fails, the entity discovers the dependency during the incident.
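The register and tolerance mechanics described above (quantitative tolerance levels, a provider register mapped to critical operations, fourth-party visibility and concentration risk) can be checked mechanically. The following is an added example, not code from the original page or from Cybereen: it models a register of critical operations, direct providers and their upstream (fourth-party) dependencies, evaluates continuity-test results against each operation's tolerance levels, flags operations whose tests never came close to stressing a tolerance (pitfall 2), and surfaces shared upstream providers that more than one critical operation silently depends on (pitfall 3). All operation, provider and tolerance values are constructed for illustration and are not APRA's or any entity's real figures.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Tolerance:
    """Tolerance levels for one critical operation (constructed values, not APRA's)."""
    max_outage_min: int      # maximum period of disruption before impact is material
    max_data_loss_min: int   # maximum acceptable data loss, as minutes of unrecoverable data
    min_service_pct: int     # minimum service level that must be kept up while disrupted


@dataclass(frozen=True)
class TestResult:
    """Observed figures from one dated continuity test or real disruption."""
    operation: str
    date: str
    outage_min: int
    data_loss_min: int
    service_pct: int


def breaches(tol: Tolerance, r: TestResult) -> list[str]:
    """Which tolerance dimensions the observed result breached (empty list = within tolerance)."""
    out: list[str] = []
    if r.outage_min > tol.max_outage_min:
        out.append(f"outage {r.outage_min}m > {tol.max_outage_min}m")
    if r.data_loss_min > tol.max_data_loss_min:
        out.append(f"data loss {r.data_loss_min}m > {tol.max_data_loss_min}m")
    if r.service_pct < tol.min_service_pct:
        out.append(f"service {r.service_pct}% < {tol.min_service_pct}%")
    return out


def upstream_closure(provider: str, fourth_parties: dict[str, list[str]]) -> set[str]:
    """Transitively collect every provider behind `provider` (fourth parties and beyond)."""
    seen: set[str] = set()
    stack = [provider]
    while stack:
        for up in fourth_parties.get(stack.pop(), ()):
            if up not in seen:
                seen.add(up)
                stack.append(up)
    return seen


def concentration(register: dict[str, list[str]],
                  fourth_parties: dict[str, list[str]]) -> dict[str, set[str]]:
    """Providers (direct or upstream) that more than one critical operation depends on.

    The register maps critical operation -> direct providers; fourth_parties maps
    provider -> the providers it in turn relies on. A node appearing under several
    operations is a single point of failure the tier-one register alone would not show.
    """
    dependents: dict[str, set[str]] = {}
    for op, providers in register.items():
        for p in providers:
            for node in {p} | upstream_closure(p, fourth_parties):
                dependents.setdefault(node, set()).add(op)
    return {p: ops for p, ops in dependents.items() if len(ops) > 1}


def never_stressed(tolerances: dict[str, Tolerance], results: list[TestResult]) -> list[str]:
    """Operations with no test that pushed any dimension at least to its tolerance,
    i.e. tolerances that exist on paper but have never actually been exercised."""
    stressed: set[str] = set()
    for r in results:
        t = tolerances[r.operation]
        if (r.outage_min >= t.max_outage_min or r.data_loss_min >= t.max_data_loss_min
                or r.service_pct <= t.min_service_pct):
            stressed.add(r.operation)
    return sorted(op for op in tolerances if op not in stressed)


# Constructed sample register: two critical operations, three direct providers,
# and a shared hosting region behind all of them (hypothetical names).
TOLERANCES = {
    "payments": Tolerance(max_outage_min=120, max_data_loss_min=15, min_service_pct=80),
    "claims_processing": Tolerance(max_outage_min=1440, max_data_loss_min=60, min_service_pct=50),
}
REGISTER = {
    "payments": ["core_banking_saas", "payments_gateway"],
    "claims_processing": ["claims_platform"],
}
FOURTH_PARTIES = {
    "core_banking_saas": ["cloud_region_a"],
    "payments_gateway": ["cloud_region_a", "card_scheme"],
    "claims_platform": ["cloud_region_a"],
}
# Constructed test log: one test that breached the outage tolerance, one that never got near it.
RESULTS = [
    TestResult("payments", "2025-09-12", outage_min=150, data_loss_min=10, service_pct=85),
    TestResult("claims_processing", "2025-10-03", outage_min=60, data_loss_min=5, service_pct=95),
]

if __name__ == "__main__":
    for r in RESULTS:
        print(r.date, r.operation, breaches(TOLERANCES[r.operation], r) or "within tolerance")
    print("never stressed:", never_stressed(TOLERANCES, RESULTS))
    print("shared dependencies:", concentration(REGISTER, FOURTH_PARTIES))
```

On the constructed data the payments test is recorded as an outage breach (150 minutes against a 120-minute tolerance), claims processing is flagged as never stressed because its only test stayed well inside every dimension, and `cloud_region_a` appears as a dependency of both critical operations even though it is nowhere in the tier-one register. The same structure, fed from a real register and a dated test log, is the evidence a reviewer would ask to see.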
Tooling: what software actually helps operationalise it
CPS 230 doesn't mandate any tool, and a spreadsheet can technically hold the register. The problem isn't capture — it's keeping it current and producible. The software that earns its place does three things: it links critical operations to their tolerances, controls and providers; it stores dated evidence — continuity tests, provider assessments, incident records — with an audit trail back to source; and it reuses that evidence across the standards that overlap, CPS 234 chief among them.
That's the gap Cybereen is built for — turning CPS 230 from a one-off uplift project into an operating rhythm. The next section shows how.
CPS 230, run as a continuous programme.
Three things do the heavy lifting: a register pre-structured to the pillars, vendor arrangements linked to controls, and continuity testing evidenced against APRA's cadence.

Operational risk register
Pre-structured to CPS 230's three pillars, with critical-operation tagging so every risk, control and tolerance traces back to the operation it protects.

Third-party arrangements
A material-service-provider register linked to controls, contracts and continuity tests — with renewal dates and fourth-party dependencies in view.

Continuity testing log
Schedule, conduct and evidence BCM tests against the CPS 230 cadence — severe-but-plausible scenarios, dated results, and remediation tracked to close.
CPS 230 is in force. Stop running it from email and spreadsheets.
30-minute walk-through. We'll show you a working CPS 230 register against your current critical operations. Free trial, no card.