CPS 230 Operational Risk Management:
Make Resilience Defensible

Turn CPS 230 into measurable resilience: critical ops defined, tolerances set, contracts uplifted, evidence ready.

Overview

CPS 230 is APRA’s cross-industry standard for operational risk, third-party oversight and continuity/resilience. It commenced on 1 July 2025, replacing CPS 231 (Outsourcing) and CPS 232 (Business Continuity Management).

For pre-existing service-provider contracts, CPS 230 applies from the earlier of the next renewal date or 1 July 2026. Non-SFI entities have deferred start dates for specific resilience elements (e.g., business continuity and scenario analysis) to 1 July 2026, while the core standard still starts 1 July 2025.

What CPS 230 Requires

Board accountability and a risk-based, enterprise-wide operational risk management framework.

  1. Critical operations identified with impact tolerances, tested via realistic scenario exercises.

  2. Service-provider risk governed through material service provider identification, enforceable contract clauses, monitoring, assurance and exit/contingency plans.

  3. Testing & assurance that proves control effectiveness, not just policy existence.

  4. Incident management & notification with decision-useful MI for executives and the board.

What Changed vs CPS 231/232

Single, integrated standard: CPS 230 replaces CPS 231 and CPS 232, folding outsourcing and continuity into one resilience spine.

  1. From “continuity” to “tolerances”: outcome-based resilience with measured impact tolerances and severe-but-plausible scenario testing.

  2. Service-provider uplift: stronger expectations for material service providers (MSPs), contract levers (audit, assurance, data/sovereignty, termination), and equivalence of controls.

  3. Transition & guidance: staged contract transition to 1 July 2026; APRA guidance (CPG 230) explains “what good looks like”.

“Non-SFI deferral: Core CPS 230 starts 1 July 2025; business-continuity and scenario-analysis requirements for non-SFIs are deferred to 1 July 2026. Keep the programme moving, but sequence these later-phase items accordingly”

Find out how we can help…

How OCG Delivers CPS230

From Policy to Proof

Phase 1: Define & Prioritise

  • Critical-operations map, dependency graph and preliminary impact tolerances.

  • MSP register with tiering logic; “equivalence of control” test.

  • Gap-analysis to CPS 230 controls library; programme roadmap and board briefing pack.

Phase 2: Build Controls & Contracts

  • RACI & operating model (three lines; committee charters).

  • Contractual uplift kit: audit rights, assurance artefacts, incident/data clauses, exit & contingency schedules.

  • Control baselines: identity/PAM, change, logging/telemetry, vulnerability, data protection.

Phase 3: Prove It

  • Scenario exercises (cyber, core-vendor outage, payments disruption, data loss); playbook drills.

  • Testing & assurance: control-effectiveness testing; red/purple-team pathways for critical services; third-party attestations.

  • MI & dashboards: tolerances vs actuals, incident metrics, supplier heat-map, remediation velocity.

Phase 4: Embed & Evidence

  • Board-ready evidence packs (decisions, thresholds, test results, supplier evidence).

  • Continuous improvement loop: incident RCA → control fixes → re-test → close.

The OCG Difference

What we deliver

CPS 230 Target Operating Model (roles, committees, RACI).

  1. Critical operations & tolerances register + severe-but-plausible scenario set.

  2. Material Service Provider register + contract uplift schedule and model clauses.

  3. Control library mapped to CPS 230; evidence catalogue (what to keep, where, how long).

  4. Testing playbook (table-tops → live exercises) and assurance plan.

  5. Board MI templates and a one-page CPS 230 status dashboard.

Results We Aim For:

  • Time-to-detect and time-to-recover reduced; tolerance breaches trend to zero.

  • Third-party incidents down via stronger pre-contract diligence and periodic assurance.

  • Audit/regulatory findings closed faster, with clear ownership and proof.

  • Fewer customer-impact incidents; improved SLA adherence and communications.

Strengthen Your CPS 230 Programme

Work with OCG’s Operational Resilience Specialists

Don’t just “have a policy”… Prove resilience! We’ll define critical operations and tolerances, uplift third-party contracts and controls, run scenario exercises, and build board-ready evidence packs that stand up to APRA scrutiny.

Our CPS 230 Operational Risk Management Leads

  • A man with a red beard wearing a suit and tie, smiling in front of a blurred cityscape background.

    James Dickson

    FOUNDER & MANAGING DIRECTOR

    With over two decades of experience in the industry, James has established OCG as a trusted partner to financial institutions, delivering tailored solutions in risk management, compliance, and operational excellence.

    jdickson@ocg.com.au

  • Portrait of a man in a suit and tie with a blurred blue background.

    Anthony Speight

    PRINCIPAL - HEAD OF CONSULTING

    Anthony Speight serves as the Principal and Head of Consulting at Oceanic Consulting Group (OCG), where he leads the firm's consulting practice, focusing on delivering high-value, client-centric advisory services and driving innovation.

    aspeight@ocg.com.au

FAQs

Have an operational risk management question, or unsure how to enhance your CPS230 obligations?

Recent Insights