APRA CPS 230 in force since 1 July 2025; existing material service-provider arrangements must comply by 1 July 2026

APRA CPS 230: bring legacy service-provider arrangements into line by 1 July 2026

CPS 230 requires every APRA-regulated entity to identify its critical operations, set impact tolerances, manage material service-provider risk, and demonstrate continuity through scenario testing - operationalised through BPMN-standard process maps the board can actually read.

About CPS 230

What CPS 230 actually asks for

CPS 230 consolidates APRA’s older operational-risk standards into a single regime. The substance is outcomes-based: the regulator wants evidence that you understand which operations are critical, what disruption you can absorb, where your third-party dependencies create risk, and how you would respond if something severe happened. Process maps are the medium that ties those four obligations together - every critical operation needs one, every tolerance is attached to one, and every service-provider dependency shows up on one.

The standard came into force on 1 July 2025 and applies to APRA-regulated banks, insurers, and registrable superannuation entities. APRA published transition relief for legacy material service-provider arrangements - those existing contracts must comply by the earlier of 1 July 2026 or their next renewal. The headline obligations - critical-operations register, impact tolerances, business-continuity capability - have applied since 1 July 2025.

CPS 230 Programme

Four pieces of a CPS 230 programme

Each piece is a process map - and each map links back to the same critical-operations register.

Critical operations register

Identify the operations whose disruption would breach customer outcomes, financial soundness, or financial-system stability. Each critical operation gets its own end-to-end process map.

Impact tolerances

For each critical operation, set the maximum tolerable disruption - the time, scale, or volume the entity can absorb. Tolerances live on the same diagram as the process so they can't drift from the operation they govern.

Service-provider arrangements

Map material service providers (and material fourth parties) into the process diagram so dependencies are visible. CPS 230 expects this register to be live, not a one-off PDF.

Scenario testing and reporting

Run severe-but-plausible scenarios against each critical operation, capture breaches and remediation plans, and report annually to the board. The same process diagrams drive the test design and the board pack.

CPS 230 Download

Take the CPS 230 one-pager with you

A fillable PDF and editable DOCX of the CPS 230 readiness one-pager. Tick each step in your PDF reader, fill in your organisation, programme owner, and target date, and circulate to operational-risk and second-line stakeholders.

Both formats include the same programme structure - the PDF adds AcroForm checkboxes for the steps and fillable text fields for the organisation, programme owner, and target date.

CPS 230 Process Map

The CPS 230 programme as a process map

A single end-to-end view of how a CPS 230 programme actually flows: identification, tolerances, third-party assessment, remediation, testing, and board reporting. Customise it to your entity’s structure or re-use the shape across each critical operation.

APRA CPS 230 critical-operations mapping

An APRA CPS 230 operational-risk programme rendered as a BPMN 2.0 process map. The flow identifies critical operations, sets impact tolerances, assesses material service-provider risk, drives remediation where tolerances are breached, runs scenario testing, and reports annually to the board - the core obligations that have been in force since 1 July 2025, with legacy material service-provider arrangements required to comply by 1 July 2026.

  1. Operational Risk kicks off the CPS 230 programme and identifies the entity's critical operations.
  2. For each critical operation, set the impact tolerance - the maximum tolerable disruption to customers, the entity, or the financial system.
  3. Map material service providers that support each critical operation, including fourth parties where dependencies are significant.
  4. Assess service-provider risk against the impact tolerances and CPS 230 third-party obligations.
  5. If a critical operation breaches its tolerance under the assessment, route to a remediation plan and re-assess. Otherwise, continue to testing.
  6. Run scenario testing at the frequency CPS 230 requires for the operation, then formally report findings, tolerance breaches, and remediation status to the board.

CPS 230 FAQ

Frequently asked questions

What is APRA CPS 230?

CPS 230 is the Australian Prudential Regulation Authority's Prudential Standard on Operational Risk Management. It applies to all APRA-regulated entities - banks, insurers, and superannuation funds - and consolidates and strengthens the older CPS 231, CPS 232, SPS 231, SPS 232, and HPS 231 standards (plus parts of the CPG 233 operational-risk practice guide) into a single operational-risk regime. The standard is principles-based and outcomes-focused rather than rule-by-rule.

When does CPS 230 take effect?

CPS 230 came into force on 1 July 2025 for most APRA-regulated entities. The substantive obligations - critical-operations identification, impact tolerances, business continuity - have applied since that date. APRA's transition guidance allowed for a delayed compliance date on existing material service-provider arrangements (the earlier of 1 July 2026 or the next contract renewal), so legacy contracts must comply by 1 July 2026.

What are the key obligations under CPS 230?

Four obligations frame the standard. First, identify the entity's critical operations - the processes whose disruption would have material impact on customers, the entity, or the financial system. Second, set impact tolerances per critical operation. Third, manage material service-provider risk including fourth-party dependencies. Fourth, demonstrate business-continuity capability through scenario testing and board-level reporting.

Why is process mapping useful for CPS 230?

CPS 230 expects entities to understand each critical operation end-to-end, including the people, systems, and third parties involved. A BPMN-style process map is the most direct way to capture that: the steps, the handoffs, the decision points, and the external dependencies sit on one diagram, which is exactly what an APRA reviewer asks to see during a CPS 230 assessment.

Does BA Copilot replace our CPS 230 compliance programme?

No - BA Copilot is the modelling layer. It does not set tolerances, run scenario tests, or sign off on board reports. It speeds up the part of the programme where you have to draw, share, and maintain the process maps of every critical operation. The standard's substantive obligations sit with your operational-risk and second-line teams.

What about Australian superannuation funds (SPS 230)?

SPS 230 was the parallel superannuation standard. Under the CPS 230 regime, all APRA-regulated entities - banks, insurers, and super funds - converge on the same operational-risk framework. The process-mapping approach on this page applies equally to RSE licensees.

What is the difference between CPS 230 and CPS 234?

CPS 234 is APRA's existing Information Security standard: it covers cyber-security controls, incident response for information assets, and information-security testing. CPS 230 is the broader operational-risk standard covering critical operations, impact tolerances, service-provider arrangements, and business continuity. CPS 234 sits inside the wider operational-risk regime that CPS 230 establishes, so an APRA-regulated entity needs both. A single security incident will often touch both standards: CPS 234 governs how you respond to the cyber incident, while CPS 230 governs whether the disruption breached your impact tolerance for the affected critical operation.

What does CPS 230 replace?

CPS 230 consolidates and replaces the older CPS 231 (Outsourcing), CPS 232 (Business Continuity Management), SPS 231 and SPS 232 (the equivalent superannuation standards), and HPS 231 (the health-insurance equivalent). It also absorbs parts of the CPG 233 operational-risk practice guide into a single operational-risk regime. Entities that had separate registers and frameworks for each of those older standards now run a single CPS 230 programme.

CPS 230 is in force - map your critical operations now

Start with the critical operation that worries you most. Open the template, rename the steps to match your entity, and capture impact tolerances on the same diagram.