As of 1 July 2025, APRA’s Prudential Standard CPS 230: Operational Risk Management is in effect. This standard introduces a comprehensive and unified framework for managing operational risk, business continuity and service provider arrangements across all APRA-regulated entities.
At Arnotts Technology Lawyers, we’ve been advising clients since the consultation phase. Now that CPS 230 is in force, we’re helping organisations implement the required frameworks to ensure compliance and enhance resilience.
Key requirements
CPS 230 applies to all APRA-regulated entities, including authorised deposit-taking institutions (ADIs), insurers, and registrable superannuation entity (RSE) licensees. It replaces CPS 231 (Outsourcing) and CPS 232 (Business Continuity Management) and requires entities to, among other things:
- identify, assess and manage operational risks, supported by effective internal controls, monitoring, and remediation;
- maintain critical operations within tolerance levels through severe disruptions, supported by a credible Business Continuity Plan (BCP);
- effectively manage risks associated with service providers, including maintaining a register of material service providers and entering into formal agreements;
- ensure board accountability for oversight of operational risk, business continuity and service provider arrangements;
- notify APRA of material operational incidents and changes to critical service arrangements.
Important: Where an APRA-regulated entity has pre-existing contractual arrangements in place with a service provider, the requirements of CPS 230 will apply in relation to those arrangements from the earlier of the next renewal date of the contract or 1 July 2026.
How we can help
CPS 230 requires more than policy updates. It demands a strategic uplift in governance, risk architecture and third-party oversight.
At Arnotts Technology Lawyers, we can assist clients by:
- conducting CPS 230 gap assessments;
- reviewing and updating material service provider agreements;
- advising on board and senior management responsibilities;
- supporting the development of operational risk and business continuity frameworks from a legal and governance perspective; and
- providing legal and regulatory support to compliance and technology teams during implementation.
Let us help you
We assist APRA-regulated entities across banking, insurance, and superannuation sectors to help them meet CPS 230 obligations with confidence.
If you need support with contract reviews or governance alignment, we are available to help.
Book a free consultation with us via Calendly.
