On 1 July 2025, the Australian Prudential Regulation Authority’s (APRA) Prudential Standard (CPS) 230 Operational Risk Management came into force.
The aim of CPS 230 is to ensure that an APRA-regulated entity is resilient to operational risks and disruptions.
The key requirements are that an APRA-regulated entity must:
- Identify, assess and manage its operational risks, with effective internal controls, monitoring and remediation.
- Be able to continue to deliver its critical operations within tolerance levels through severe disruptions, with a credible business continuity plan.
- Effectively manage the risks associated with service providers, with a comprehensive service provider management policy, formal agreements and robust monitoring.
Where there are existing contractual arrangements in place with service providers, CPS 230 will apply from the earlier of the next renewal date or 1 July 2026.
APRA’s practical guide contains the regulator’s views on sound practice to aid compliance with CPS 230.
How we can help
We continue to help clients and contacts comply with CPS 230, including through:
- Legal gap analysis.
- Contractual compliance.
- Governance and board advisory.
- Internal policies and procedures.
- Training and change management.
For further information please contact one of the authors.