APRA CPS 230 Compliance Guide with Checklist

APRA CPS 230 Compliance Guide with Checklist

APRA CPS 230 requires APRA-regulated institutions to manage operational risk, control third-party providers, define impact tolerance, test business continuity, and maintain resilience for critical services. You must document, monitor, test, and prove compliance before the CPS 230 deadline to avoid regulatory issues.

If you fall under APRA regulation, CPS 230 changes how you manage operational risk, outsourcing, and business continuity. You can no longer rely on general policies or outdated frameworks. You must prove that your organisation can continue delivering critical services during disruption, vendor failure, cyber incidents, or system outages.

Many institutions underestimate how much work CPS 230 requires. The standard replaces CPS 231 and CPS 232, but it also introduces stricter rules for operational resilience, impact tolerance, third-party risk, and board accountability. You must map every critical operation, define measurable limits, monitor service providers, and regularly test recovery scenarios.

You are not preparing documents for auditors. You are building a system that must work during real incidents.

This guide explains CPS 230 in full detail, including requirements, deadlines, a checklist, examples, implementation steps, and audit preparation. If you follow this guide, you can build a compliance program that stands up to APRA review and reduces operational risk across your organisation.

Use our Cybersecurity Risk Calculator

What Is APRA CPS 230?

apra cps 230
Source: Australian Prudential Regulation Authority (APRA), CPS 230 Operational Risk Management Standard

APRA CPS 230 is a prudential standard that requires banks, insurers, and superannuation funds to maintain strong operational resilience. You must ensure that critical services continue even when technology fails, vendors stop working, or unexpected events occur.

The standard focuses on operational risk, outsourcing, and business continuity as one combined framework.

APRA introduced CPS 230 after several incidents showed that financial institutions often fail because of operational problems rather than financial weakness. Cloud outages, vendor failures, cyber incidents, and poor recovery planning caused serious disruptions across the industry.

Under CPS 230, you must understand exactly how your organisation operates and where failure could cause harm.

Read More On: What Is a Network Security Key?

Main objectives of CPS 230

  • Protect customers from service disruption
  • Reduce systemic risk in the financial sector
  • Strengthen operational risk management
  • Improve outsourcing controls
  • Ensure strong business continuity
  • Increase board accountability
  • Require measurable tolerance limits

You must show evidence that your organisation can continue operating within defined limits.

What CPS 230 covers

AreaIncluded
Operational riskYes
OutsourcingYes
Third-party riskYes
Business continuityYes
Disaster recoveryYes
Impact toleranceYes
Board governanceYes
Vendor registerYes

This makes CPS 230 broader than previous standards.

Read More On How Can Generative AI Be Used In Cybersecurity

Why is CPS 230 stricter than the old rules?

Older standards allowed high-level policies. CPS 230 requires proof.

You must show:

  • documented critical operations
  • defined tolerance levels
  • tested recovery plans
  • approved service providers
  • active monitoring
  • board reporting
  • audit evidence

If you cannot show evidence, APRA considers you non-compliant.

If you want to improve your security setup, read our guide on cybersecurity for law firms to see the best protection strategies for legal professionals.

Check out our latest blog on How to Fix Kernel Security Check Failure and Check for Malware

Why CPS 230 Was Introduced

APRA introduced CPS 230 because operational failures became one of the biggest risks in the financial sector. Many institutions had strong capital positions but still experienced outages, customer impact, and regulatory breaches due to weak operational controls.

Most failures were caused by poor vendor oversight, unclear responsibilities, or untested recovery plans. Institutions often assumed their systems would work during a crisis without proving it through testing.

CPS 230 forces you to move from assumption to verification.

Common problems seen before CPS 230

  • critical services not documented
  • vendors not monitored
  • Contracts missing risk clauses
  • recovery plans not tested
  • unclear accountability
  • slow incident response
  • weak board oversight

These weaknesses created a serious risk to customers and the financial system.

APRA goals with CPS 230

GoalExplanation
Improve resilienceVendors must meet the same standards
Strengthen outsourcing controlThe board must understand risk
Increase accountabilityBoard must understand risk
Require testingPlans must work in practice
Define toleranceLimits must be measurable
Reduce systemic riskFailure must not spread

You must now treat operational risk as seriously as credit risk or liquidity risk.

How CPS 230 changes your responsibilities

Before CPS 230:

  • policy focused
  • limited testing
  • outsourcing separate
  • continuity separate

After CPS 230:

  • integrated framework
  • measurable limits
  • Vendor control required
  • testing mandatory
  • board accountable

This change affects risk, IT, compliance, procurement, legal, and senior management at the same time.

If you start late, implementation becomes difficult because you must review contracts, systems, processes, and governance together.

Who Must Comply With CPS 230?

CPS 230 applies to all APRA-regulated entities. If APRA supervises your organisation, you must comply even if your operations are small or outsourced.

Many companies assume the rule applies only to banks. This is incorrect.

The standard applies to any entity regulated by APRA, including insurers and superannuation trustees.

Entities required to comply

Entity typeMust comply
Authorised deposit-taking institutionsYes
BanksYes
Credit unionsYes
Building societiesYes
General insurersYes
Life insurersYes
Private health insurersYes
Superannuation trusteesYes
APRA regulated groupsYes

If your critical services support an APRA entity, you may also be affected through vendor requirements.

Groups and subsidiaries

If you operate in a group structure, CPS 230 may apply at the group level and entity level.

You must ensure:

  • consistent risk framework
  • shared service oversight
  • vendor visibility
  • group reporting

Many organisations fail here because shared services are not clearly controlled.

Third-party providers also impacted

Even if you are not regulated, you may need to meet CPS 230 requirements if you provide services to a regulated entity.

Examples:

  • cloud provider
  • software vendor
  • payment processor
  • IT support
  • data centre
  • outsourcing partner

Clients may require:

  • security controls
  • incident reporting
  • audit rights
  • resilience testing
  • contract updates

This makes CPS 230 important for vendors as well.

You must meet CPS 230 requirements before the official start date, not after. Many organisations misunderstand this and assume they can begin implementation once the standard becomes active. APRA expects you to be fully compliant by the effective date, including documentation, testing, vendor review, and board approval.

The deadline is strict, and late preparation creates serious audit risk.

CPS 230 effective date

ItemDate
CPS 230 published2023
Preparation period2023–2025
Effective date1 July 2025
Full compliance expected1 July 2025

You must be ready before the deadline, not working toward it.

What full compliance means

APRA expects more than updated policies. You must show evidence that the framework works.

You should have completed:

  • critical operations identified
  • impact tolerance defined
  • Vendor register created
  • contracts reviewed
  • Operational risk framework approved
  • Business continuity tested
  • board reporting in place
  • incident process working

If these are incomplete, you are not compliant.

Why does implementation take longer than expected

CPS 230 affects multiple departments at the same time.

Area affectedWhy does it take time
RiskFramework updates
ITSystem mapping
ProcurementVendor contracts
LegalContract clauses
ComplianceDocumentation
OperationsCritical service mapping
BoardApproval process

Most delays happen in vendor review and critical service mapping.

Recommended preparation timeline

PhaseTask
Phase 1Gap assessment
Phase 2Identify critical operations
Phase 3Define tolerance
Phase 4Review vendors
Phase 5Update framework
Phase 6Test continuity
Phase 7Board approval
Phase 8Audit preparation

You should start early because contract updates alone can take months.

Critical Operations Requirement Explained in Detail

apra cps 230
Source: Australian Prudential Regulation Authority (APRA), CPS 230 Operational Risk Management Standard

One of the most important parts of CPS 230 is identifying critical operations. You must know which services are essential to your organisation and what happens if they stop working.

A critical operation is any activity that could cause serious harm if disrupted.

Harm can include:

  • customer impact
  • financial loss
  • regulatory breach
  • market disruption
  • reputational damage
  • inability to operate

You must document all critical operations and keep the list updated.

Examples of critical operations

OperationWhy critical
Core banking systemCustomers cannot access money
Payment processingTransactions stop
Claims systemCustomers not paid
Trading platformMarket risk
Customer portalService unavailable
Identity systemCannot verify users
Data storageLoss of records
Cloud hostingSystem outage

You cannot decide based only on IT importance. You must consider business impact.

Required information for each critical operation

FieldDescription
NameOperation name
OwnerResponsible manager
SystemTechnology used
VendorThird-party involved
ImpactWhat happens if failed
ToleranceAllowed downtime
Recovery timeTarget
Data loss limitAllowed loss

APRA expects this information to be accurate.

How to identify critical operations

You should ask:

  • Would customers be harmed?
  • Would APRA be concerned?
  • Would financial loss occur?
  • Would we stop operating?
  • Would reputation be damaged?

If the answer is yes, it is critical.

Common mistakes

  • only listing IT systems
  • ignoring vendors
  • missing shared services
  • No owner assigned
  • No tolerance defined

These mistakes cause audit findings.

Impact Tolerance Requirement Explained

apra cps 230
Source: Australian Prudential Regulation Authority (APRA), CPS 230 Operational Risk Management Standard

CPS 230 requires you to define impact tolerance for every critical operation. This means you must decide how much disruption you can allow before serious harm occurs.

You must use measurable limits. General statements are not enough.

Impact tolerance tells APRA how resilient your organisation is.

What tolerance must include

  • maximum downtime
  • maximum data loss
  • maximum customer impact
  • maximum financial impact
  • recovery time objective
  • recovery point objective

These limits must be realistic and approved by senior management.

Example impact tolerance table

OperationMax downtimeMax data lossCustomers affectedRisk
Payments2 hours5 minHighHigh
Online banking4 hours15 minHighHigh
Claims8 hours30 minMediumMedium
HR system24 hours1 hourLowLow

You must justify each limit.

How to define tolerance correctly

You should consider:

  • customer impact
  • legal obligations
  • financial loss
  • operational dependency
  • vendor dependency
  • recovery capability

Tolerance must match real recovery ability.

Approval requirement

Tolerance must be approved by:

  • senior management
  • risk function
  • board or committee

You cannot define limits without governance.

Review requirement

You must review tolerance regularly.

Triggers for review:

  • system change
  • vendor change
  • incident
  • audit finding
  • business change

Outdated tolerance is a compliance issue.

Operational Risk Framework Requirement Explained

apra cps 230
Source: Australian Prudential Regulation Authority (APRA), CPS 230 Operational Risk Management Standard

CPS 230 requires a formal operational risk management framework that covers the whole organisation. You must show how risks are identified, controlled, monitored, and reported.

The framework must exist in practice, not only on paper.

What the framework must include

ComponentRequired
PolicyYes
ProceduresYes
Risk registerYes
ControlsYes
Incident managementYes
MonitoringYes
ReportingYes
ReviewYes
AuditYes

You must also show who is responsible.

Example framework structure

SectionContent
PolicyRules
StandardRequirements
ProcedureSteps
ControlPrevention
MonitoringChecks
ReportingManagement
ReviewImprovement

APRA expects consistency across the organisation.

Incident management requirement

You must record operational incidents.

Examples:

  • system outage
  • vendor failure
  • cyber attack
  • data loss
  • processing error

Incident records must show:

  • date
  • impact
  • cause
  • action taken
  • fix implemented

If incidents are not recorded, APRA assumes weak control.

Monitoring requirement

You must monitor controls regularly.

Examples:

  • system availability
  • vendor performance
  • incident frequency
  • recovery time
  • control failures

Monitoring must be reported to management.

Board reporting

The board must receive operational risk reports.

Reports should include:

  • incidents
  • vendor risk
  • tolerance breaches
  • testing results
  • audit findings

Board oversight is mandatory under CPS 230.

CPS 230 places very strict requirements on third-party and outsourcing risk. You must manage service providers as if they are part of your own organisation. If a vendor fails and your critical service stops, APRA considers it your failure, not the vendor’s.

Many institutions underestimate this section, but most CPS 230 remediation work happens here because contracts, vendor registers, and monitoring processes are often incomplete.

A third-party is any external provider that supports your operations.

Examples include:

  • cloud providers
  • IT vendors
  • software suppliers
  • payment processors
  • managed services
  • consultants
  • offshore teams
  • data centres
  • shared group services

If the service supports a critical operation, the risk level is higher.

What CPS 230 requires of vendors

RequirementDescription
Due diligenceBefore onboarding
Written contractWith risk clauses
Performance monitoringOngoing
Incident reportingRequired
Exit planMust exist
Subcontractor visibilityMust know
Risk assessmentRequired
RegisterMust maintain

You must be able to show APRA that every critical vendor is controlled.

Due diligence before onboarding

Before using a vendor, you must assess risk.

You should review:

  • security controls
  • financial stability
  • operational resilience
  • data protection
  • regulatory history
  • subcontractors
  • location risk

Example due diligence checklist:

CheckRequired
Security reviewYes
Financial reviewYes
Contract reviewYes
Risk ratingYes
ApprovalYes

You must keep records.

Contract requirements

Contracts must include risk clauses.

Required clauses may include:

  • service levels
  • security requirements
  • incident notification
  • audit rights
  • termination rights
  • data protection
  • subcontractor approval
  • business continuity obligations

If contracts are missing these, you must update them.

Ongoing monitoring

You must monitor vendors regularly.

Examples:

  • performance reports
  • incidents
  • outages
  • audit results
  • control reviews

Monitoring must be documented.

Exit strategy requirement

You must be able to replace a vendor if needed.

Your exit plan should include:

  • alternative provider
  • data migration
  • contract termination
  • transition process

If you cannot exit safely, the risk is too high.

Service Provider Register Requirement

CPS 230 requires you to maintain a register of service providers, especially those supporting critical operations. This register must be accurate, complete, and available for review.

Many organisations fail audits because their vendor list is incomplete.

What the register must include

FieldRequired
Vendor nameYes
Service providedYes
Critical or notYes
Risk ratingYes
Contract dateYes
Renewal dateYes
Exit planYes
OwnerYes

You must keep this updated.

Example service provider register

VendorServiceCriticalRiskExit plan
AWSHostingYesHighYes
Vendor AClaims systemYesHighYes
Vendor BHR systemNoLowYes
Vendor CPayrollNoMediumYes

You should also link vendors to critical operations.

Why APRA requires this

APRA wants visibility of operational dependency.

If a critical vendor fails, APRA must know:

  • What service stops
  • How long does recovery take?
  • What backup exists

Without a register, you cannot answer.

Common mistakes

  • missing vendors
  • outdated data
  • no risk rating
  • no owner
  • no exit plan

These are common audit findings.

Business Continuity and Scenario Testing Requirement

CPS 230 requires you to test your ability to continue operations during disruption. Written plans are not enough. You must prove they work.

Testing must be realistic and documented.

You must test scenarios that could affect critical operations.

Required testing areas

ScenarioMust test
System failureYes
Cyber attackYes
Vendor outageYes
Data lossYes
Cloud outageYes
Building outageYes
Staff unavailableYes
Power failureYes

Testing must involve real teams.

What testing evidence must show

ItemRequired
ScenarioYes
DateYes
ParticipantsYes
ResultYes
Issues foundYes
Fix appliedYes
RetestYes

If testing is not documented, APRA assumes it did not happen.

Disaster recovery testing

You must test system recovery.

Examples:

  • restore backup
  • switch data centre
  • failover cloud
  • recover database

You must show recovery time matches tolerance.

Business continuity testing

You must test business processes.

Examples:

  • manual processing
  • remote work
  • alternative system
  • vendor failure

You must show operations continue.

Testing frequency

Testing must be regular.

Typical expectation:

TestFrequency
Critical systemsyearly
Vendorsyearly
Full scenarioyearly
DR testyearly
Tabletopmultiple times

More frequent testing may be required for high-risk individuals.

Board and Senior Management Responsibilities

CPS 230 increases accountability at the senior level. The board must understand operational risk, not only financial risk.

You must show that leadership is involved.

Board responsibilities

DutyRequired
Approve frameworkYes
Review reportsYes
Monitor incidentsYes
Review testingYes
Approve toleranceYes
Challenge managementYes

Board minutes should show discussion.

Senior management responsibilities

DutyRequired
Implement frameworkYes
Maintain controlsYes
Report incidentsYes
Manage vendorsYes
Prepare reportsYes
Fix issuesYes

Responsibility cannot be delegated completely.

Reporting to the board

Reports should include:

  • incident summary
  • vendor risk
  • tolerance breaches
  • test results
  • audit findings
  • remediation status

Reports must be regular.

Common governance problems

  • board not involved
  • no reports
  • unclear roles
  • no approval record
  • no risk discussion

These cause compliance issues.

CPS 230 vs CPS 231 vs CPS 232 vs CPS 234

Many organisations still use old standards. CPS 230 replaces some of them and works together with others.

You must understand the difference.

StandardTopicStatus
CPS 231OutsourcingReplaced
CPS 232Business continuityReplaced
CPS 234Information securityActive
CPS 220Risk managementActive
CPS 230Operational resilienceNew

What changed with CPS 230

Before:

  • outsourcing separate
  • continuity separate
  • risk separate

Now:

  • one framework
  • measurable tolerance
  • Vendor control requires
  • testing and requires a
  • board to be accountable

This increases work but improves control.

Relationship with CPS 234

CPS 234 covers security.

CPS 230 covers operations.

You must align both.

Example:

AreaCPS 230CPS 234
Vendor riskYesYes
SecurityNoYes
ContinuityYesNo
Risk frameworkYesYes

You should integrate controls.

You should use a checklist to confirm your organisation is ready before the CPS 230 deadline. Many institutions believe they are compliant because policies exist, but audits often show missing evidence, incomplete vendor registers, or undefined tolerance levels.

Use the checklist below to review your current status.

Governance checklist

ItemRequiredDone
Operational risk framework approvedYes
Critical operations identifiedYes
Impact tolerance definedYes
Board approval recordedYes
Roles and responsibilities definedYes
Regular reporting to boardYes

Critical operations checklist

ItemRequiredDone
All critical services listedYes
Owner assignedYes
Systems mappedYes
Vendors linkedYes
Recovery targets definedYes
Tolerance approvedYes

Third-party risk checklist

ItemRequiredDone
Vendor register createdYes
Critical vendors identifiedYes
Risk ratings assignedYes
Contracts updatedYes
Exit plans definedYes
Monitoring process activeYes

Business continuity checklist

ItemRequiredDone
BCP updatedYes
DR plan testedYes
Scenario testing doneYes
Results documentedYes
Issues fixedYes
Retesting completedYes

Operational risk checklist

ItemRequiredDone
Risk register updatedYes
Incident process workingYes
Controls testedYes
Monitoring reportsYes
Internal audit reviewYes

If any item is missing, you are not fully compliant.

Step-by-Step CPS 230 Implementation Guide

You should treat CPS 230 as a structured project. Trying to update everything at once usually fails because the standard affects multiple departments at the same time.

Follow a phased approach.

Step 1 – Perform gap assessment

Review current controls against CPS 230.

Check:

  • policies
  • vendor management
  • continuity plans
  • risk framework
  • testing records
  • board reporting

Create a gap list.

Step 2 – Identify critical operations

Work with business teams.

You should:

  • list services
  • identify dependencies
  • link vendors
  • assign owners
  • define impact

Do not limit to IT systems.

Step 3 – Define impact tolerance

For each critical operation, define:

  • downtime limit
  • data loss limit
  • customer impact
  • recovery target

Tolerance must be realistic.

Step 4 – Build service provider register

List all vendors.

Include:

  • service
  • risk level
  • critical flag
  • contract date
  • exit plan

Link vendors to operations.

Step 5 – Review contracts

Update agreements.

Add:

  • security clauses
  • incident reporting
  • audit rights
  • resilience requirements
  • termination rights

Contract review often takes the longest.

Step 6 – Update operational risk framework

Update documents.

Include:

  • risk policy
  • incident process
  • monitoring
  • reporting
  • testing
  • governance

Ensure consistency.

Step 7 – Test continuity and recovery

Run realistic scenarios.

Examples:

  • cloud outage
  • cyber attack
  • vendor failure
  • data loss
  • system crash

Record results.

Step 8 – Board approval

Present:

  • framework
  • tolerance
  • vendor risk
  • testing results
  • remediation plan

Record approval.

Step 9 – Prepare audit evidence

Store documents:

  • registers
  • reports
  • tests
  • approvals
  • contracts

You must be ready to show proof anytime.

How to Prepare for CPS 230 Audit

APRA reviews evidence, not intentions. You must be able to show that your framework works in practice.

Auditors will usually check the following areas first.

Documents auditors request

DocumentRequired
Operational risk policyYes
Critical operations listYes
Impact tolerance tableYes
Vendor registerYes
ContractsYes
Test reportsYes
Incident logYes
Board reportsYes

If any are missing, audit risk increases.

Questions auditors may ask

  • How do you define critical operations?
  • How do you set tolerance?
  • Which vendors support this service?
  • What happens if the ifthe vendor fails?
  • Show the last test result
  • Show board approval
  • Show incident records

You must answer with evidence.

Audit preparation tips

  • Keep documents updated
  • keep register accurate
  • test regularly
  • record approvals
  • store evidence centrally

Do not prepare only when the audit starts.

Common CPS 230 Mistakes

Many organisations fail to comply because of the same problems.

Common mistakes list

MistakeResult
No critical operations listNon-compliant
No tolerance definedNon-compliant
Vendor list incompleteAudit finding
Contracts outdatedHigh risk
No testingNon-compliant
Board not involvedGovernance issue
No evidenceFail audit
Only IT involvedMissing business risk

CPS 230 requires organisation-wide effort.

Biggest risk areas

  • outsourcing
  • shared services
  • cloud providers
  • recovery testing
  • documentation
  • governance

Focus on these first.

Final Thoughts

CPS 230 forces you to understand your organisation in detail. You must know what is critical, how long it can fail, who supports it, and how you recover. This standard is not only about compliance. It is about operational resilience.

If you start early, implementation becomes structured. If you delay, vendor reviews, tolerance definition, and testing will create a major workload close to the deadline.

You should treat CPS 230 as a resilience program, not just a regulatory requirement. Organisations that build strong controls will not only pass audits but also reduce outages, vendor risk, and customer impact.

Not sure where to start in cybersecurity? Read our full hackthebox vs tryhackme guide to understand which platform gives better learning paths, realistic labs, and career value.

Frequently Asked Questions

What is APRA CPS 230 in simple terms?

CPS 230 is an APRA prudential standard that requires financial institutions to manage operational risk, control outsourcing, define impact tolerance, and ensure critical services continue during disruptions.

When does CPS 230 start?

CPS 230 becomes effective on 1 July 2025, and all APRA-regulated entities must be fully compliant by that date.

Does CPS 230 replace CPS 231 and CPS 232?

Yes, CPS 230 replaces CPS 231 outsourcing and CPS 232 business continuity, combining them into a single operational resilience standard.

What is impact tolerance in CPS 230?

Impact tolerance is the maximum level of disruption your organisation can allow before serious harm occurs to customers, operations, or the financial system.

Who must comply with CPS 230?

All APRA-regulated banks, insurers, superannuation trustees, and related entities must comply with CPS 230, including their critical service providers.

Picture of Majid Shahmiri

Majid Shahmiri

Majid Shahmiri

Majid is a cybersecurity professional with 10+ years of experience in SOC consulting, threat intelligence, and cloud security. He has worked with global enterprises including IBM, Mercedes-Benz, and Core42, helping organizations strengthen their defenses against evolving threats. Through CyberLad, he shares practical security insights to empower businesses. Outside of work, Majid is passionate about mentoring young professionals entering the cybersecurity field.