CPS 230 Operational Risk Management:
Make Resilience Defensible
Turn CPS 230 into measurable resilience: critical ops defined, tolerances set, contracts uplifted, evidence ready.
Overview
CPS 230 is APRA’s cross-industry standard for operational risk, third-party oversight and continuity/resilience. It commenced on 1 July 2025, replacing CPS 231 (Outsourcing) and CPS 232 (Business Continuity Management).
For pre-existing service-provider contracts, CPS 230 applies from the earlier of the next renewal date or 1 July 2026. Non-SFI entities have deferred start dates for specific resilience elements (e.g., business continuity and scenario analysis) to 1 July 2026, while the core standard still starts 1 July 2025.
What CPS 230 Requires
Board accountability and a risk-based, enterprise-wide operational risk management framework.
Critical operations identified with impact tolerances, tested via realistic scenario exercises.
Service-provider risk governed through material service provider identification, enforceable contract clauses, monitoring, assurance and exit/contingency plans.
Testing & assurance that proves control effectiveness, not just policy existence.
Incident management & notification with decision-useful MI for executives and the board.
What Changed vs CPS 231/232
Single, integrated standard: CPS 230 replaces CPS 231 and CPS 232, folding outsourcing and continuity into one resilience spine.
From “continuity” to “tolerances”: outcome-based resilience with measured impact tolerances and severe-but-plausible scenario testing.
Service-provider uplift: stronger expectations for material service providers (MSPs), contract levers (audit, assurance, data/sovereignty, termination), and equivalence of controls.
Transition & guidance: staged contract transition to 1 July 2026; APRA guidance (CPG 230) explains “what good looks like”.
“Non-SFI deferral: Core CPS 230 starts 1 July 2025; business-continuity and scenario-analysis requirements for non-SFIs are deferred to 1 July 2026. Keep the programme moving, but sequence these later-phase items accordingly.”
How OCG Delivers CPS 230
From Policy to Proof
Phase 1: Define & Prioritise
Critical-operations map, dependency graph and preliminary impact tolerances.
MSP register with tiering logic; “equivalence of control” test.
Gap-analysis to CPS 230 controls library; programme roadmap and board briefing pack.
Phase 2: Build Controls & Contracts
RACI & operating model (three lines; committee charters).
Contractual uplift kit: audit rights, assurance artefacts, incident/data clauses, exit & contingency schedules.
Control baselines: identity/PAM, change, logging/telemetry, vulnerability, data protection.
Phase 3: Prove It
Scenario exercises (cyber, core-vendor outage, payments disruption, data loss); playbook drills.
Testing & assurance: control-effectiveness testing; red/purple-team pathways for critical services; third-party attestations.
MI & dashboards: tolerances vs actuals, incident metrics, supplier heat-map, remediation velocity.
Phase 4: Embed & Evidence
Board-ready evidence packs (decisions, thresholds, test results, supplier evidence).
Continuous improvement loop: incident RCA → control fixes → re-test → close.
The OCG Difference
What we deliver
CPS 230 Target Operating Model (roles, committees, RACI).
Critical operations & tolerances register + severe-but-plausible scenario set.
Material Service Provider register + contract uplift schedule and model clauses.
Control library mapped to CPS 230; evidence catalogue (what to keep, where, how long).
Testing playbook (table-tops → live exercises) and assurance plan.
Board MI templates and a one-page CPS 230 status dashboard.
Results We Aim For:
Time-to-detect and time-to-recover reduced; tolerance breaches trend to zero.
Third-party incidents down via stronger pre-contract diligence and periodic assurance.
Audit/regulatory findings closed faster, with clear ownership and proof.
Fewer customer-impact incidents; improved SLA adherence and communications.
Strengthen Your CPS 230 Programme
Work with OCG’s Operational Resilience Specialists
Don’t just “have a policy”… Prove resilience! We’ll define critical operations and tolerances, uplift third-party contracts and controls, run scenario exercises, and build board-ready evidence packs that stand up to APRA scrutiny.
Our CPS 230 Operational Risk Management Leads
James Dickson
FOUNDER & MANAGING DIRECTOR
With over two decades of experience in the industry, James has established OCG as a trusted partner to financial institutions, delivering tailored solutions in risk management, compliance, and operational excellence.
Anthony Speight
PRINCIPAL - HEAD OF CONSULTING
Anthony Speight serves as the Principal and Head of Consulting at Oceanic Consulting Group (OCG), where he leads the firm's consulting practice, focusing on delivering high-value, client-centric advisory services and driving innovation.
Danielle Radford
HEAD OF SERVICE DELIVERY
Danielle Radford serves as the Head of Service Delivery at Oceanic Consulting Group (OCG), where she leads large-scale operational teams to ensure excellence, innovation, and efficiency in client services.
FAQs
- It commenced on 1 July 2025. For pre-existing contracts, CPS 230 applies from the earlier of the next renewal or 1 July 2026.
- Yes, CPS 230 replaces CPS 231 (Outsourcing) and CPS 232 (Business Continuity Management), unifying governance, third-party control and resilience.
- Yes, non-SFIs have deferred dates for business-continuity and scenario-analysis elements to 1 July 2026; the standard itself still starts 1 July 2025.
- Tolerance breaches and near-misses, scenario outcomes, supplier assurance status, incident MTTR/MTTI, remediation velocity, audit/regulator findings and closure rates.
- CPS 234 feeds control hardening and incident paths; payments/scam controls (e.g., Confirmation of Payee, 2025 rollout) test resilience and customer-harm prevention within CPS 230 scenarios.