The APRA CPS 230 standard is the Australian Prudential Regulation Authority’s addition to the ever-growing list of global operational risk and resilience-related requirements. Australian banks, insurance companies, and other financial institutions – including foreign institutions with operations in Australia – have until July 2025 to comply.
While other trending regulations focus on a single discipline of resilience, APRA CPS 230 combines operational resilience, business continuity, and third-party risk management under one regulation. This broader approach requires organizations to collaborate across enterprise risk management, business continuity, and other risk disciplines to effectively comply.
The Four Pillars of APRA CPS 230
APRA CPS 230 establishes a risk management framework that includes four main areas:
Operational risk management. Firms are responsible for managing various operational risks such as legal, regulatory, compliance, conduct, technology, data, and change management. This involves maintaining IT capabilities, assessing the impact of business decisions on operational resilience, and establishing, testing, and monitoring internal controls.
Business continuity. Firms are required to establish and maintain a register of critical operations and associated tolerance levels, along with a business continuity plan detailing strategies for sustaining these operations during disruption. This plan must be updated annually and undergo regular review by internal audit.
Third-party risk management. Firms must maintain a comprehensive service-provider management policy with details about who the material service providers are and the associated risks. To complete this requirement, firms must conduct due diligence before entering agreements, specify terms in formal agreements, and continuously monitor the relationship to ensure compliance and effective risk management.
Roles and responsibilities. The board is ultimately accountable for the oversight of the firm’s operational risk management, including business continuity and third-party agreements. As the overseer, the board is directed to set clear roles for senior management to maintain the operational risk profile through effective internal controls.
How to Prepare Now for APRA CPS 230
Your processes may already align with some elements of APRA CPS 230, but you will need to review them to set your organization on the best path. Here are four steps to get started:
1. Conduct a gap analysis. Take stock of your current capabilities by reviewing the policies and procedures of your existing operational risk, business continuity, and TPRM programs. Compare each requirement in the standard against those programs and validate with program leaders whether additional refinement or detail is needed.
2. Coordinate across risk disciplines. You will need to coordinate across GRC and business continuity management to align with APRA CPS 230. Establish an organizational leader to head the CPS 230 compliance committee and spearhead communication between teams. Then, take stock of existing operational risk management, business continuity, and third-party risk management programs and practices to see which controls are already met and which will require further work. Meet regularly with the committee and board to report on progress and resolve issues.
3. Establish and endorse critical business processes. Identify your critical business processes or important business services with input from executive leaders. Most organizations, regardless of size, will have ten to twelve that are critical to the delivery of products and services. Then you’ll want to identify impact tolerance levels for each process to ensure resilience planners understand the timeframes required for recovery and when intolerable harm would be reached.
4. Update vendor management policies. Work with your legal team to create or review existing vendor or supplier management policies and consider consolidation where practical. To align with APRA, you must have a formalized process to identify, assess, and evaluate risks posed by service providers – and ensure that those service providers have procedures in place for managing their own third parties. After the policy is established, conduct a comprehensive review of all existing contract templates against the new policy.
While any new standard can stir some anxiety, the process doesn’t need to be daunting. Focus on what you already have and work with leadership and departmental management to bring the rest of the pieces together. In the end, compliance with APRA CPS 230 will help your organization be better prepared to protect your people, customers, and brand.
For the latest information on new and existing operational resilience legislation, download our white paper, Operational Resilience: Navigating the Global Regulatory Landscape, and check out Riskonnect’s Business Continuity & Resilience consulting services for compliance support.