Summary of the New APRA Standard – CPS 230 (Operational Risk Management)

The Australian Prudential Regulation Authority (APRA) issues Cross-industry Prudential Standards (CPS) to ensure that regulated financial institutions maintain robust risk management practices. These standards are designed to promote financial system stability by setting minimum expectations for governance, risk management, and operational resilience. In recent years, the increasing complexity of service delivery models, particularly the reliance on cloud computing, Software-as-a-Service (SaaS), and extended supply chains, has introduced new and evolving forms of operational risk. In response, APRA has issued CPS 230 Operational Risk Management to better equip regulated entities to identify, manage, and withstand disruptions. The new standard reflects lessons from domestic and global incidents and aims to bring Australia's prudential standards into line with international benchmarks.

APRA's new CPS 230 standard, effective from 1 July 2025, replaces two previous standards, CPS 231 (Outsourcing) and CPS 232 (Business Continuity Management), and consolidates their requirements into a single, more comprehensive framework for operational risk management. Unlike its predecessors, which dealt with outsourcing and business continuity as separate issues, CPS 230 takes an integrated approach to managing all forms of operational risk. It applies not just to traditional outsourcing arrangements but to all material service providers, including those offering SaaS and cloud-based services.

The standard sets a higher bar for governance, making the board and senior management directly accountable for the entity's operational resilience. Key obligations include identifying critical operations and setting tolerance levels for their disruption, conducting integrated scenario testing against those tolerances, and notifying APRA of material operational risk incidents as soon as possible and no later than 72 hours after becoming aware of them (a disruption to a critical operation that breaches a tolerance level must be reported within 24 hours). Entities must also demonstrate due diligence in the selection and ongoing management of material service providers, enforce robust contractual terms with them, and manage the risks arising from fourth parties, the subcontractors on which those providers rely to deliver critical operations. These requirements reflect a shift toward alignment with global best practice in operational risk oversight.

APRA-regulated entities must now subject both new and existing service arrangements to greater ongoing scrutiny: comprehensive risk assessments before entering an arrangement, continuous monitoring of provider performance, and contractual clauses covering business continuity, security, and incident notification. Service providers are in turn expected to support the entity's compliance by reporting incidents promptly, participating in scenario testing, and disclosing the key subcontractors (fourth parties) they depend on. Agreements with material service providers must also preserve APRA's right to access information about the service and to conduct on-site visits to the provider, which puts direct pressure on vendors to meet regulatory expectations.

In summary, CPS 230 marks a significant evolution in how operational risk must be managed across Australia's financial services sector. It brings a more unified and proactive approach, extending regulatory scrutiny beyond direct outsourcing to all critical service providers in the supply chain. The new standard demands a much stronger focus on governance, contractual discipline, and end-to-end resilience, placing both regulated entities and their partners on notice that operational risks must now be managed with far greater visibility, agility, and rigour.

References:

Prudential Standard CPS 230 Operational Risk Management

Prudential Practice Guide CPG 230 Operational Risk Management

APRA News Release on CPS 230