CPS 230 and what Australian boards now actually own
APRA's Prudential Standard CPS 230 took effect on 1 July 2025. The substance is less about new paperwork and more about a clearer line of accountability that ends at the board table.

Australia's prudential regulator finalised Prudential Standard CPS 230 Operational Risk Management in July 2023 and brought it into force on 1 July 2025. Material arrangements with service providers were given an additional year, with full effect from 1 July 2026 for those contracts. The standard applies across banking, insurance and superannuation, and it consolidates the older outsourcing and business continuity standards into a single regime that the board signs off.
The substantive shift sits in three areas. First, regulated entities must identify their critical operations, defined as processes whose disruption would have a material adverse impact on depositors, policyholders, members or the entity's role in the financial system. Second, they must set tolerance levels for the maximum period of disruption the entity is willing to accept for each critical operation, along with the maximum data loss and the minimum service levels required during disruption. Third, they must maintain a register of material service providers and be able to evidence end-to-end management of those relationships.
Notification timelines are precise. CPS 230 requires APRA to be notified as soon as possible and no later than 24 hours after an entity becomes aware of an operational risk incident that has had, or is likely to have, a material financial impact, or a material impact on the entity's ability to maintain its critical operations. A material change to business operations, or a material disruption that is reasonably expected to last beyond tolerance, triggers the same clock.
What is new for directors is the explicit framing of accountability. The board approves the operational risk management framework, the business continuity plan, the tolerance levels and the policies that govern material service providers. The board is also expected to receive sufficient information to oversee compliance and to challenge management's assessments of resilience. APRA has signalled that it will look for evidence of genuine engagement, not minuted acknowledgement.
The fourth-party question is where many programmes are still weak. CPS 230 expects entities to understand and manage the risks arising from service providers' own sub-contracting arrangements, particularly where those sub-contractors support critical operations. Contractual flow-down is the easy part. Verifiable visibility into where data sits, where work is performed and which sub-contractors carry the load during peak or stress is harder, and APRA reviews are starting to test that visibility directly.
Tolerance setting deserves more attention than it usually receives. A tolerance is a board commitment, expressed in hours of disruption, percentage of customers affected or volume of unprocessed transactions, that the entity is willing to defend in front of customers, members and the regulator. Setting tolerances too generously hides real risk. Setting them too tightly invites breaches at the first storm or supplier outage. The useful tolerance is the one the entity can credibly hold, and that requires the executive team to be honest about current capability rather than aspirational about future investment.
For boards approaching their first full year under CPS 230, three questions sharpen the agenda. Can the executive demonstrate that the list of critical operations matches how the business actually serves customers, rather than how it is organised on the intranet. Are the tolerances supported by evidence from testing rather than by professional judgement alone. And is the material service provider register a living document that the second line can use during an incident, or a spreadsheet that exists for audit. The standard is now law. The board's job is to make sure the answers are credible.

