CPS 230 is a prudential standard issued by the Australian Prudential Regulation Authority (APRA) for operational risk management. It applies to APRA-regulated entities like banks, insurers, and superannuation licensees in Australia.[apra.gov]
Overview
CPS 230 requires entities to manage operational risks effectively, ensure critical operations continue during disruptions, and oversee service providers robustly. It took effect on July 1, 2025, replacing prior standards on outsourcing (CPS 231) and business continuity (CPS 232).[handbook.apra.gov]
Key Requirements
- Entities must identify critical operations (e.g., payments for ADIs, claims for insurers) and set tolerance levels for disruptions, data loss, and minimum service levels.[apra.gov]
- Entities must develop business continuity plans (BCPs) and test them annually with severe scenarios, including service provider failures.[grantthornton.com]
- Entities must maintain registers of material service providers and formal agreements covering audits, termination rights, and APRA access.
Compliance Focus
Boards oversee implementation, approving BCPs and policies, while senior management handles day-to-day risks like technology and third-party dependencies. Entities report material incidents to APRA within 72 hours and disruptions outside tolerances within 24 hours.[upguard]
