Table of Contents
ToggleAPRA CPS 230 requires APRA-regulated institutions to manage operational risk, control third-party providers, define impact tolerance, test business continuity, and maintain resilience for critical services. You must document, monitor, test, and prove compliance before the CPS 230 deadline to avoid regulatory issues.
If you fall under APRA regulation, CPS 230 changes how you manage operational risk, outsourcing, and business continuity. You can no longer rely on general policies or outdated frameworks. You must prove that your organisation can continue delivering critical services during disruption, vendor failure, cyber incidents, or system outages.
Many institutions underestimate how much work CPS 230 requires. The standard replaces CPS 231 and CPS 232, but it also introduces stricter rules for operational resilience, impact tolerance, third-party risk, and board accountability. You must map every critical operation, define measurable limits, monitor service providers, and regularly test recovery scenarios.
You are not preparing documents for auditors. You are building a system that must work during real incidents.
This guide explains CPS 230 in full detail, including requirements, deadlines, a checklist, examples, implementation steps, and audit preparation. If you follow this guide, you can build a compliance program that stands up to APRA review and reduces operational risk across your organisation.
Use our Cybersecurity Risk Calculator
What Is APRA CPS 230?

APRA CPS 230 is a prudential standard that requires banks, insurers, and superannuation funds to maintain strong operational resilience. You must ensure that critical services continue even when technology fails, vendors stop working, or unexpected events occur.
The standard focuses on operational risk, outsourcing, and business continuity as one combined framework.
APRA introduced CPS 230 after several incidents showed that financial institutions often fail because of operational problems rather than financial weakness. Cloud outages, vendor failures, cyber incidents, and poor recovery planning caused serious disruptions across the industry.
Under CPS 230, you must understand exactly how your organisation operates and where failure could cause harm.
Read More On: What Is a Network Security Key?
Main objectives of CPS 230
- Protect customers from service disruption
- Reduce systemic risk in the financial sector
- Strengthen operational risk management
- Improve outsourcing controls
- Ensure strong business continuity
- Increase board accountability
- Require measurable tolerance limits
You must show evidence that your organisation can continue operating within defined limits.
What CPS 230 covers
| Area | Included |
|---|---|
| Operational risk | Yes |
| Outsourcing | Yes |
| Third-party risk | Yes |
| Business continuity | Yes |
| Disaster recovery | Yes |
| Impact tolerance | Yes |
| Board governance | Yes |
| Vendor register | Yes |
This makes CPS 230 broader than previous standards.
Read More On How Can Generative AI Be Used In Cybersecurity
Why is CPS 230 stricter than the old rules?
Older standards allowed high-level policies. CPS 230 requires proof.
You must show:
- documented critical operations
- defined tolerance levels
- tested recovery plans
- approved service providers
- active monitoring
- board reporting
- audit evidence
If you cannot show evidence, APRA considers you non-compliant.
If you want to improve your security setup, read our guide on cybersecurity for law firms to see the best protection strategies for legal professionals.
Check out our latest blog on How to Fix Kernel Security Check Failure and Check for Malware
Why CPS 230 Was Introduced
APRA introduced CPS 230 because operational failures became one of the biggest risks in the financial sector. Many institutions had strong capital positions but still experienced outages, customer impact, and regulatory breaches due to weak operational controls.
Most failures were caused by poor vendor oversight, unclear responsibilities, or untested recovery plans. Institutions often assumed their systems would work during a crisis without proving it through testing.
CPS 230 forces you to move from assumption to verification.
Common problems seen before CPS 230
- critical services not documented
- vendors not monitored
- Contracts missing risk clauses
- recovery plans not tested
- unclear accountability
- slow incident response
- weak board oversight
These weaknesses created a serious risk to customers and the financial system.
APRA goals with CPS 230
| Goal | Explanation |
|---|---|
| Improve resilience | Vendors must meet the same standards |
| Strengthen outsourcing control | The board must understand risk |
| Increase accountability | Board must understand risk |
| Require testing | Plans must work in practice |
| Define tolerance | Limits must be measurable |
| Reduce systemic risk | Failure must not spread |
You must now treat operational risk as seriously as credit risk or liquidity risk.
How CPS 230 changes your responsibilities
Before CPS 230:
- policy focused
- limited testing
- outsourcing separate
- continuity separate
After CPS 230:
- integrated framework
- measurable limits
- Vendor control required
- testing mandatory
- board accountable
This change affects risk, IT, compliance, procurement, legal, and senior management at the same time.
If you start late, implementation becomes difficult because you must review contracts, systems, processes, and governance together.
Who Must Comply With CPS 230?
CPS 230 applies to all APRA-regulated entities. If APRA supervises your organisation, you must comply even if your operations are small or outsourced.
Many companies assume the rule applies only to banks. This is incorrect.
The standard applies to any entity regulated by APRA, including insurers and superannuation trustees.
Entities required to comply
| Entity type | Must comply |
|---|---|
| Authorised deposit-taking institutions | Yes |
| Banks | Yes |
| Credit unions | Yes |
| Building societies | Yes |
| General insurers | Yes |
| Life insurers | Yes |
| Private health insurers | Yes |
| Superannuation trustees | Yes |
| APRA regulated groups | Yes |
If your critical services support an APRA entity, you may also be affected through vendor requirements.
Groups and subsidiaries
If you operate in a group structure, CPS 230 may apply at the group level and entity level.
You must ensure:
- consistent risk framework
- shared service oversight
- vendor visibility
- group reporting
Many organisations fail here because shared services are not clearly controlled.
Third-party providers also impacted
Even if you are not regulated, you may need to meet CPS 230 requirements if you provide services to a regulated entity.
Examples:
- cloud provider
- software vendor
- payment processor
- IT support
- data centre
- outsourcing partner
Clients may require:
- security controls
- incident reporting
- audit rights
- resilience testing
- contract updates
This makes CPS 230 important for vendors as well.
You must meet CPS 230 requirements before the official start date, not after. Many organisations misunderstand this and assume they can begin implementation once the standard becomes active. APRA expects you to be fully compliant by the effective date, including documentation, testing, vendor review, and board approval.
The deadline is strict, and late preparation creates serious audit risk.
CPS 230 effective date
| Item | Date |
|---|---|
| CPS 230 published | 2023 |
| Preparation period | 2023–2025 |
| Effective date | 1 July 2025 |
| Full compliance expected | 1 July 2025 |
You must be ready before the deadline, not working toward it.
What full compliance means
APRA expects more than updated policies. You must show evidence that the framework works.
You should have completed:
- critical operations identified
- impact tolerance defined
- Vendor register created
- contracts reviewed
- Operational risk framework approved
- Business continuity tested
- board reporting in place
- incident process working
If these are incomplete, you are not compliant.
Why does implementation take longer than expected
CPS 230 affects multiple departments at the same time.
| Area affected | Why does it take time |
|---|---|
| Risk | Framework updates |
| IT | System mapping |
| Procurement | Vendor contracts |
| Legal | Contract clauses |
| Compliance | Documentation |
| Operations | Critical service mapping |
| Board | Approval process |
Most delays happen in vendor review and critical service mapping.
Recommended preparation timeline
| Phase | Task |
|---|---|
| Phase 1 | Gap assessment |
| Phase 2 | Identify critical operations |
| Phase 3 | Define tolerance |
| Phase 4 | Review vendors |
| Phase 5 | Update framework |
| Phase 6 | Test continuity |
| Phase 7 | Board approval |
| Phase 8 | Audit preparation |
You should start early because contract updates alone can take months.
Critical Operations Requirement Explained in Detail

One of the most important parts of CPS 230 is identifying critical operations. You must know which services are essential to your organisation and what happens if they stop working.
A critical operation is any activity that could cause serious harm if disrupted.
Harm can include:
- customer impact
- financial loss
- regulatory breach
- market disruption
- reputational damage
- inability to operate
You must document all critical operations and keep the list updated.
Examples of critical operations
| Operation | Why critical |
|---|---|
| Core banking system | Customers cannot access money |
| Payment processing | Transactions stop |
| Claims system | Customers not paid |
| Trading platform | Market risk |
| Customer portal | Service unavailable |
| Identity system | Cannot verify users |
| Data storage | Loss of records |
| Cloud hosting | System outage |
You cannot decide based only on IT importance. You must consider business impact.
Required information for each critical operation
| Field | Description |
|---|---|
| Name | Operation name |
| Owner | Responsible manager |
| System | Technology used |
| Vendor | Third-party involved |
| Impact | What happens if failed |
| Tolerance | Allowed downtime |
| Recovery time | Target |
| Data loss limit | Allowed loss |
APRA expects this information to be accurate.
How to identify critical operations
You should ask:
- Would customers be harmed?
- Would APRA be concerned?
- Would financial loss occur?
- Would we stop operating?
- Would reputation be damaged?
If the answer is yes, it is critical.
Common mistakes
- only listing IT systems
- ignoring vendors
- missing shared services
- No owner assigned
- No tolerance defined
These mistakes cause audit findings.
Impact Tolerance Requirement Explained

CPS 230 requires you to define impact tolerance for every critical operation. This means you must decide how much disruption you can allow before serious harm occurs.
You must use measurable limits. General statements are not enough.
Impact tolerance tells APRA how resilient your organisation is.
What tolerance must include
- maximum downtime
- maximum data loss
- maximum customer impact
- maximum financial impact
- recovery time objective
- recovery point objective
These limits must be realistic and approved by senior management.
Example impact tolerance table
| Operation | Max downtime | Max data loss | Customers affected | Risk |
|---|---|---|---|---|
| Payments | 2 hours | 5 min | High | High |
| Online banking | 4 hours | 15 min | High | High |
| Claims | 8 hours | 30 min | Medium | Medium |
| HR system | 24 hours | 1 hour | Low | Low |
You must justify each limit.
How to define tolerance correctly
You should consider:
- customer impact
- legal obligations
- financial loss
- operational dependency
- vendor dependency
- recovery capability
Tolerance must match real recovery ability.
Approval requirement
Tolerance must be approved by:
- senior management
- risk function
- board or committee
You cannot define limits without governance.
Review requirement
You must review tolerance regularly.
Triggers for review:
- system change
- vendor change
- incident
- audit finding
- business change
Outdated tolerance is a compliance issue.
Operational Risk Framework Requirement Explained

CPS 230 requires a formal operational risk management framework that covers the whole organisation. You must show how risks are identified, controlled, monitored, and reported.
The framework must exist in practice, not only on paper.
What the framework must include
| Component | Required |
|---|---|
| Policy | Yes |
| Procedures | Yes |
| Risk register | Yes |
| Controls | Yes |
| Incident management | Yes |
| Monitoring | Yes |
| Reporting | Yes |
| Review | Yes |
| Audit | Yes |
You must also show who is responsible.
Example framework structure
| Section | Content |
|---|---|
| Policy | Rules |
| Standard | Requirements |
| Procedure | Steps |
| Control | Prevention |
| Monitoring | Checks |
| Reporting | Management |
| Review | Improvement |
APRA expects consistency across the organisation.
Incident management requirement
You must record operational incidents.
Examples:
- system outage
- vendor failure
- cyber attack
- data loss
- processing error
Incident records must show:
- date
- impact
- cause
- action taken
- fix implemented
If incidents are not recorded, APRA assumes weak control.
Monitoring requirement
You must monitor controls regularly.
Examples:
- system availability
- vendor performance
- incident frequency
- recovery time
- control failures
Monitoring must be reported to management.
Board reporting
The board must receive operational risk reports.
Reports should include:
- incidents
- vendor risk
- tolerance breaches
- testing results
- audit findings
Board oversight is mandatory under CPS 230.
CPS 230 places very strict requirements on third-party and outsourcing risk. You must manage service providers as if they are part of your own organisation. If a vendor fails and your critical service stops, APRA considers it your failure, not the vendor’s.
Many institutions underestimate this section, but most CPS 230 remediation work happens here because contracts, vendor registers, and monitoring processes are often incomplete.
A third-party is any external provider that supports your operations.
Examples include:
- cloud providers
- IT vendors
- software suppliers
- payment processors
- managed services
- consultants
- offshore teams
- data centres
- shared group services
If the service supports a critical operation, the risk level is higher.
What CPS 230 requires of vendors
| Requirement | Description |
|---|---|
| Due diligence | Before onboarding |
| Written contract | With risk clauses |
| Performance monitoring | Ongoing |
| Incident reporting | Required |
| Exit plan | Must exist |
| Subcontractor visibility | Must know |
| Risk assessment | Required |
| Register | Must maintain |
You must be able to show APRA that every critical vendor is controlled.
Due diligence before onboarding
Before using a vendor, you must assess risk.
You should review:
- security controls
- financial stability
- operational resilience
- data protection
- regulatory history
- subcontractors
- location risk
Example due diligence checklist:
| Check | Required |
|---|---|
| Security review | Yes |
| Financial review | Yes |
| Contract review | Yes |
| Risk rating | Yes |
| Approval | Yes |
You must keep records.
Contract requirements
Contracts must include risk clauses.
Required clauses may include:
- service levels
- security requirements
- incident notification
- audit rights
- termination rights
- data protection
- subcontractor approval
- business continuity obligations
If contracts are missing these, you must update them.
Ongoing monitoring
You must monitor vendors regularly.
Examples:
- performance reports
- incidents
- outages
- audit results
- control reviews
Monitoring must be documented.
Exit strategy requirement
You must be able to replace a vendor if needed.
Your exit plan should include:
- alternative provider
- data migration
- contract termination
- transition process
If you cannot exit safely, the risk is too high.
Service Provider Register Requirement
CPS 230 requires you to maintain a register of service providers, especially those supporting critical operations. This register must be accurate, complete, and available for review.
Many organisations fail audits because their vendor list is incomplete.
What the register must include
| Field | Required |
|---|---|
| Vendor name | Yes |
| Service provided | Yes |
| Critical or not | Yes |
| Risk rating | Yes |
| Contract date | Yes |
| Renewal date | Yes |
| Exit plan | Yes |
| Owner | Yes |
You must keep this updated.
Example service provider register
| Vendor | Service | Critical | Risk | Exit plan |
|---|---|---|---|---|
| AWS | Hosting | Yes | High | Yes |
| Vendor A | Claims system | Yes | High | Yes |
| Vendor B | HR system | No | Low | Yes |
| Vendor C | Payroll | No | Medium | Yes |
You should also link vendors to critical operations.
Why APRA requires this
APRA wants visibility of operational dependency.
If a critical vendor fails, APRA must know:
- What service stops
- How long does recovery take?
- What backup exists
Without a register, you cannot answer.
Common mistakes
- missing vendors
- outdated data
- no risk rating
- no owner
- no exit plan
These are common audit findings.
Business Continuity and Scenario Testing Requirement
CPS 230 requires you to test your ability to continue operations during disruption. Written plans are not enough. You must prove they work.
Testing must be realistic and documented.
You must test scenarios that could affect critical operations.
Required testing areas
| Scenario | Must test |
|---|---|
| System failure | Yes |
| Cyber attack | Yes |
| Vendor outage | Yes |
| Data loss | Yes |
| Cloud outage | Yes |
| Building outage | Yes |
| Staff unavailable | Yes |
| Power failure | Yes |
Testing must involve real teams.
What testing evidence must show
| Item | Required |
|---|---|
| Scenario | Yes |
| Date | Yes |
| Participants | Yes |
| Result | Yes |
| Issues found | Yes |
| Fix applied | Yes |
| Retest | Yes |
If testing is not documented, APRA assumes it did not happen.
Disaster recovery testing
You must test system recovery.
Examples:
- restore backup
- switch data centre
- failover cloud
- recover database
You must show recovery time matches tolerance.
Business continuity testing
You must test business processes.
Examples:
- manual processing
- remote work
- alternative system
- vendor failure
You must show operations continue.
Testing frequency
Testing must be regular.
Typical expectation:
| Test | Frequency |
|---|---|
| Critical systems | yearly |
| Vendors | yearly |
| Full scenario | yearly |
| DR test | yearly |
| Tabletop | multiple times |
More frequent testing may be required for high-risk individuals.
Board and Senior Management Responsibilities
CPS 230 increases accountability at the senior level. The board must understand operational risk, not only financial risk.
You must show that leadership is involved.
Board responsibilities
| Duty | Required |
|---|---|
| Approve framework | Yes |
| Review reports | Yes |
| Monitor incidents | Yes |
| Review testing | Yes |
| Approve tolerance | Yes |
| Challenge management | Yes |
Board minutes should show discussion.
Senior management responsibilities
| Duty | Required |
|---|---|
| Implement framework | Yes |
| Maintain controls | Yes |
| Report incidents | Yes |
| Manage vendors | Yes |
| Prepare reports | Yes |
| Fix issues | Yes |
Responsibility cannot be delegated completely.
Reporting to the board
Reports should include:
- incident summary
- vendor risk
- tolerance breaches
- test results
- audit findings
- remediation status
Reports must be regular.
Common governance problems
- board not involved
- no reports
- unclear roles
- no approval record
- no risk discussion
These cause compliance issues.
CPS 230 vs CPS 231 vs CPS 232 vs CPS 234
Many organisations still use old standards. CPS 230 replaces some of them and works together with others.
You must understand the difference.
| Standard | Topic | Status |
|---|---|---|
| CPS 231 | Outsourcing | Replaced |
| CPS 232 | Business continuity | Replaced |
| CPS 234 | Information security | Active |
| CPS 220 | Risk management | Active |
| CPS 230 | Operational resilience | New |
What changed with CPS 230
Before:
- outsourcing separate
- continuity separate
- risk separate
Now:
- one framework
- measurable tolerance
- Vendor control requires
- testing and requires a
- board to be accountable
This increases work but improves control.
Relationship with CPS 234
CPS 234 covers security.
CPS 230 covers operations.
You must align both.
Example:
| Area | CPS 230 | CPS 234 |
|---|---|---|
| Vendor risk | Yes | Yes |
| Security | No | Yes |
| Continuity | Yes | No |
| Risk framework | Yes | Yes |
You should integrate controls.
You should use a checklist to confirm your organisation is ready before the CPS 230 deadline. Many institutions believe they are compliant because policies exist, but audits often show missing evidence, incomplete vendor registers, or undefined tolerance levels.
Use the checklist below to review your current status.
Governance checklist
| Item | Required | Done |
|---|---|---|
| Operational risk framework approved | Yes | |
| Critical operations identified | Yes | |
| Impact tolerance defined | Yes | |
| Board approval recorded | Yes | |
| Roles and responsibilities defined | Yes | |
| Regular reporting to board | Yes |
Critical operations checklist
| Item | Required | Done |
|---|---|---|
| All critical services listed | Yes | |
| Owner assigned | Yes | |
| Systems mapped | Yes | |
| Vendors linked | Yes | |
| Recovery targets defined | Yes | |
| Tolerance approved | Yes |
Third-party risk checklist
| Item | Required | Done |
|---|---|---|
| Vendor register created | Yes | |
| Critical vendors identified | Yes | |
| Risk ratings assigned | Yes | |
| Contracts updated | Yes | |
| Exit plans defined | Yes | |
| Monitoring process active | Yes |
Business continuity checklist
| Item | Required | Done |
|---|---|---|
| BCP updated | Yes | |
| DR plan tested | Yes | |
| Scenario testing done | Yes | |
| Results documented | Yes | |
| Issues fixed | Yes | |
| Retesting completed | Yes |
Operational risk checklist
| Item | Required | Done |
|---|---|---|
| Risk register updated | Yes | |
| Incident process working | Yes | |
| Controls tested | Yes | |
| Monitoring reports | Yes | |
| Internal audit review | Yes |
If any item is missing, you are not fully compliant.
Step-by-Step CPS 230 Implementation Guide
You should treat CPS 230 as a structured project. Trying to update everything at once usually fails because the standard affects multiple departments at the same time.
Follow a phased approach.
Step 1 – Perform gap assessment
Review current controls against CPS 230.
Check:
- policies
- vendor management
- continuity plans
- risk framework
- testing records
- board reporting
Create a gap list.
Step 2 – Identify critical operations
Work with business teams.
You should:
- list services
- identify dependencies
- link vendors
- assign owners
- define impact
Do not limit to IT systems.
Step 3 – Define impact tolerance
For each critical operation, define:
- downtime limit
- data loss limit
- customer impact
- recovery target
Tolerance must be realistic.
Step 4 – Build service provider register
List all vendors.
Include:
- service
- risk level
- critical flag
- contract date
- exit plan
Link vendors to operations.
Step 5 – Review contracts
Update agreements.
Add:
- security clauses
- incident reporting
- audit rights
- resilience requirements
- termination rights
Contract review often takes the longest.
Step 6 – Update operational risk framework
Update documents.
Include:
- risk policy
- incident process
- monitoring
- reporting
- testing
- governance
Ensure consistency.
Step 7 – Test continuity and recovery
Run realistic scenarios.
Examples:
- cloud outage
- cyber attack
- vendor failure
- data loss
- system crash
Record results.
Step 8 – Board approval
Present:
- framework
- tolerance
- vendor risk
- testing results
- remediation plan
Record approval.
Step 9 – Prepare audit evidence
Store documents:
- registers
- reports
- tests
- approvals
- contracts
You must be ready to show proof anytime.
How to Prepare for CPS 230 Audit
APRA reviews evidence, not intentions. You must be able to show that your framework works in practice.
Auditors will usually check the following areas first.
Documents auditors request
| Document | Required |
|---|---|
| Operational risk policy | Yes |
| Critical operations list | Yes |
| Impact tolerance table | Yes |
| Vendor register | Yes |
| Contracts | Yes |
| Test reports | Yes |
| Incident log | Yes |
| Board reports | Yes |
If any are missing, audit risk increases.
Questions auditors may ask
- How do you define critical operations?
- How do you set tolerance?
- Which vendors support this service?
- What happens if the ifthe vendor fails?
- Show the last test result
- Show board approval
- Show incident records
You must answer with evidence.
Audit preparation tips
- Keep documents updated
- keep register accurate
- test regularly
- record approvals
- store evidence centrally
Do not prepare only when the audit starts.
Common CPS 230 Mistakes
Many organisations fail to comply because of the same problems.
Common mistakes list
| Mistake | Result |
|---|---|
| No critical operations list | Non-compliant |
| No tolerance defined | Non-compliant |
| Vendor list incomplete | Audit finding |
| Contracts outdated | High risk |
| No testing | Non-compliant |
| Board not involved | Governance issue |
| No evidence | Fail audit |
| Only IT involved | Missing business risk |
CPS 230 requires organisation-wide effort.
Biggest risk areas
- outsourcing
- shared services
- cloud providers
- recovery testing
- documentation
- governance
Focus on these first.
Final Thoughts
CPS 230 forces you to understand your organisation in detail. You must know what is critical, how long it can fail, who supports it, and how you recover. This standard is not only about compliance. It is about operational resilience.
If you start early, implementation becomes structured. If you delay, vendor reviews, tolerance definition, and testing will create a major workload close to the deadline.
You should treat CPS 230 as a resilience program, not just a regulatory requirement. Organisations that build strong controls will not only pass audits but also reduce outages, vendor risk, and customer impact.
Not sure where to start in cybersecurity? Read our full hackthebox vs tryhackme guide to understand which platform gives better learning paths, realistic labs, and career value.
Frequently Asked Questions
What is APRA CPS 230 in simple terms?
CPS 230 is an APRA prudential standard that requires financial institutions to manage operational risk, control outsourcing, define impact tolerance, and ensure critical services continue during disruptions.
When does CPS 230 start?
CPS 230 becomes effective on 1 July 2025, and all APRA-regulated entities must be fully compliant by that date.
Does CPS 230 replace CPS 231 and CPS 232?
Yes, CPS 230 replaces CPS 231 outsourcing and CPS 232 business continuity, combining them into a single operational resilience standard.
What is impact tolerance in CPS 230?
Impact tolerance is the maximum level of disruption your organisation can allow before serious harm occurs to customers, operations, or the financial system.
Who must comply with CPS 230?
All APRA-regulated banks, insurers, superannuation trustees, and related entities must comply with CPS 230, including their critical service providers.



