CPS 230 is APRA's Prudential Standard on Operational Risk Management, in force from 1 July 2025. It replaces CPS 231 (Outsourcing) and CPS 232 (Business Continuity Management) and consolidates them into a broader operational-resilience framework.
CPS 230 introduces three new obligations for APRA-regulated entities. First, a Critical Operations Register: each entity must identify the operations (e.g. payments, claims, member services) the failure of which would materially affect the entity, financial system stability, or beneficiaries. Second, tolerance levels: maximum allowable disruption for each critical operation, with quarterly monitoring. Third, a strengthened third-party management framework: documented arrangements, identified risk concentrations, and APRA notification for material new arrangements.
CPS 230 and CPS 234 work together. CPS 230 forces a critical-operations view that CPS 234 then secures. A mid-market FS IT programme that maps services to critical operations, sets RTO/RPO tolerances, and runs tested third-party assurance satisfies both standards from the same evidence pack.