Why CPS 230 Is Different From Every APRA Standard Before It

APRA has issued prudential standards for operational risk before. CPS 232 Business Continuity Management has been in force since 2005. SPS 232 applies to superannuation funds. But CPS 230, which became effective for all APRA-regulated entities on 1 July 2025, represents a fundamental change in how APRA expects boards and senior management to engage with operational risk — and what they must demonstrate.

The difference is accountability. Where earlier standards focused on what plans must exist, CPS 230 focuses on who is responsible for those plans working, what the board must actively oversee, and what happens when arrangements with critical third parties fail. It is, in essence, APRA applying the logic of FAR (Financial Accountability Regime) to operational resilience.

Effective date: 1 July 2025 for all APRA-regulated entities — ADIs, general insurers, life insurers, private health insurers, and RSE licensees (superannuation funds). No phased-in commencement.

The Four Core Obligations

1. Operational Risk Management Framework

Every APRA-regulated entity must maintain a documented Operational Risk Management Framework (ORMF) that is approved by the board and reviewed at least annually. The ORMF must define risk appetite for operational risk, set tolerance thresholds, specify how operational risks are identified and assessed, and establish escalation pathways when tolerances are breached.

Critically, the standard requires that the board — not just management — actively sets and monitors operational risk appetite. This is a direct governance obligation, not a delegation.

2. Operational Resilience

Entities must identify their critical operations — the services and functions whose disruption would have a material impact on customers, counterparties, or financial system stability. For each critical operation, entities must set a tolerance for disruption: the maximum period and extent of disruption that is acceptable before material harm occurs.

The tolerance must be tested through scenario analysis and business continuity exercises, not merely documented. APRA expects entities to demonstrate — with evidence — that critical operations can be restored within tolerance thresholds.

3. Service Provider Management

This is where CPS 230 has caused the most immediate compliance work. Entities must identify all material service providers — third parties whose failure would affect critical operations — and maintain a register. Contracts with material service providers must include minimum provisions covering notification obligations, audit rights, exit assistance, and sub-contracting restrictions.

The standard does not allow entities to rely on a service provider's own resilience arrangements without verification. APRA expects regulated entities to have independently assessed the resilience of their critical third parties — and to have contingency plans for their failure.

4. Incident and Breach Management

CPS 230 introduces new notification requirements. Material incidents — operational disruptions that breach or risk breaching a disruption tolerance — must be reported to APRA within 24 hours of identification. A full incident report must follow within 10 business days. APRA has made clear it will use incident data to assess the adequacy of an entity's ORMF.

What Superannuation Funds Must Do Differently

For RSE licensees, CPS 230 interacts with existing SPS standards in important ways. Funds that have strong SPS 232 frameworks in place are better positioned, but CPS 230 goes further in three respects. First, it requires boards to actively approve and monitor the ORMF — not just receive reports. Second, the service provider obligations extend beyond custody and administration to any third party that supports a critical operation. Third, the disruption tolerance concept requires quantification — the fund must be able to say how long member services, unit pricing, or benefit payments can be disrupted before the threshold is breached.

The Immediate Compliance Gap for Many Entities

APRA's own guidance ahead of the commencement date suggested that a significant number of entities — particularly smaller insurers and mid-size superannuation funds — had not completed all four workstreams by 1 July 2025. The most common gaps identified in APRA's supervision work were: incomplete material service provider registers, untested disruption tolerances, and board papers that reported on operational risk rather than actively governing it.

APRA's enforcement posture: APRA has explicitly stated that CPS 230 compliance is a priority supervision focus for 2025–26. Entities with incomplete frameworks should expect targeted review, not a wait for a full prudential review cycle.

What a Compliant CPS 230 Board Paper Looks Like

One of the most practical questions boards are asking is: what does compliant CPS 230 board reporting look like? APRA's guidance suggests the following minimum elements in each board report on operational risk:

  • Current operational risk profile against appetite and tolerance thresholds
  • Status of all critical operations and any disruption events in the period
  • Material service provider register — changes, issues, and assessment status
  • Incident and near-miss summary, including breach-of-tolerance events
  • Status of the current testing and exercise programme
  • Any regulatory correspondence or supervisory action related to operational risk

The board should be approving changes to the ORMF, approving the list of critical operations and their tolerances, and receiving assurance (from internal audit or an equivalent function) that the framework is operating as intended.

How Proximo Regulatory Radar Supports CPS 230 Compliance

Proximo Regulatory Radar monitors every APRA publication related to CPS 230 — including guidance letters, consultation papers, frequently asked questions, and supervisory insights — and delivers a prioritised summary to your compliance team within hours of release. As APRA continues to develop its supervisory expectations around CPS 230 through 2025 and 2026, staying current with every guidance update is non-negotiable. Radar ensures you know what APRA has said before your next board meeting.