A Complete Guide to Understanding and Achieving Compliance with APRA’s CPS 230

From timelines to key requirements to ready checklists,
access everything you need to adhere to CPS 230 regulations.


An Overview of APRA CPS 230

In recent years, operational risk has been a central issue for the superannuation, insurance and banking industries as they faced the COVID-19 pandemic, volatile market conditions and the emergence of new and heightened risks. With the objective of strengthening the management of operational risk in these industries and minimising the impact of disruptions to customers and the financial system, APRA released a new cross-industry Prudential Standard, CPS 230 Operational Risk Management (CPS 230), in July 2023.

CPS 230 sets forth minimum standards and regulatory requirements that APRA-regulated entities must adhere to in order to mitigate and manage operational risks effectively and ensure the uninterrupted continuity of their business operations within acceptable parameters. It also encompasses guidelines for overseeing third and fourth-party risks, outlines procedures for ending pre-existing contractual agreements, and mandates the reporting of material operational risks to APRA.

CPS 230 will replace five existing standards: Prudential Standard CPS 231 Outsourcing, Prudential Standard CPS 232 Business Continuity Management and the equivalent superannuation and health insurance standards (SPS and HPS).

The final version of CPS 230 is available to read here.

Who Must Comply with CPS 230?

APRA-regulated entities

  • Authorised deposit-taking institutions (ADIs), such as banks and credit unions
  • General insurers
  • Life insurance companies
  • Private health insurers
  • Registerable superannuation entity licensees

Group members of APRA-regulated entities

Where an APRA-regulated entity is the head of the group, it must comply with CPS 230 on a group basis and ensure the requirements are applied appropriately throughout the group.

Service providers to APRA-regulated entities

Service providers should also expect additions or modifications to their contracts in line with the CPS 230 framework.

CPS 230 Timelines

CPS 230 will come into force on July 1, 2025.

APRA has made it clear that it “expects regulated entities to be proactive in preparing for implementation, rather than waiting until the last minute to get ready to meet the new requirements.”

Timeline milestones (in chronological order):

  • APRA releases final CPS 230 framework
  • Identify critical operations and material service providers
  • Tolerance levels to be established for critical operations
  • CPS 230 comes into effect
  • Transition ends for pre-existing contractual arrangements with service providers

Key Requirements for APRA-Regulated Entities

Risk Assessment and Response Preparedness
Financial institutions must assess and ensure an effective process to manage and respond to risks that may result from inadequate or failed internal processes or systems, the actions or inactions of people, or external drivers and events.

Building Resilience
Financial institutions should be able to continue their critical functions within tolerance levels even in the face of adverse events.

Service Provider Risk Management
Financial institutions are expected to assess and mitigate the risks posed by third-party and fourth-party providers to their business continuity.

Uplift Governance Framework
Financial institutions need to clearly define roles, responsibilities and reporting lines for risk management between the board, senior management and risk functions, and ensure end-to-end responsibility for oversight of operational risk is embedded throughout the business.

To comply with these requirements, entities need to undertake a holistic assessment of their operational processes and business continuity plans. The first step involves mapping and documenting current processes to identify control and compliance gaps, followed by corrective actions and improvements. This is precisely where end-to-end process improvement software such as PRIME BPM can play a crucial role.

How PRIME BPM Helps Meet CPS 230 Requirements

PRIME BPM offers a comprehensive set of functionalities to assist you in aligning your operations with APRA's CPS 230 framework. From enhancing risk assessment and response preparedness to gathering essential audit evidence, discover how PRIME BPM helps you meet key CPS 230 requirements through a single, integrated platform.

1. Develop and Maintain Risk Management Frameworks

  • Integrate operational risk management into the overall risk management framework.
  • Develop a remediation program and obtain an independent review if APRA identifies a significant weakness.
  • Appropriately monitor, analyse, and report operational risks, incident escalation procedures, business continuity plans, and service provider management.

Build a Robust Risk Management Framework with PRIME BPM

Enhance Operational Risk Identification
Using the PRIME Risk Module, link your GRC to operational processes and tasks to get visibility into which processes and tasks perform key controls to business-critical risks. This insight helps you understand operational risk on a task-by-task basis and define actual steps to manage the risks. For instance, a list of all processes and tasks that control adherence to the privacy policy can be shared internally and externally to provide an end-to-end view of how the policy is enacted across the organisation. Any gaps can be identified, and remediation plans quickly developed.
Gather Evidence for Audit
Using a combination of Risk Module reporting and the in-built Operational Intelligence Module, which records every instance of the Incident Management and BCP processes completed via the module, a detailed record of risk management, control effectiveness and incident handling can be captured. This can be supplied to auditors as evidence in the event of a review.
Remediation Plan for Business-Critical Processes
Identify and target high-risk and business-critical processes for detailed assessments and improvement programs. The remediation plan and the benefits gained can be produced and supplied to APRA as required.

2. Enhance Board Governance, Accountability, and Oversight

  • Ensure clear roles and responsibilities for senior managers have been set for operational risk management, including business continuity and the management of service provider arrangements.
  • The board should approve the business continuity plan (BCP) and tolerance levels for disruptions.
  • Consider risks related to legal, regulatory, technology, data, cyberattacks, and data breaches.
  • Review and challenge updates to the operational risk profile and delve deep into areas of significant weakness.

Ensure Effective Board-Level Risk Oversight with PRIME BPM

Clarify Roles and Responsibilities of Board Members
The inbuilt RACI matrix helps capture role names against tasks, indicating which role is Responsible and Accountable and which role is to be Consulted and Informed. This helps set clear expectations and ownership of processes used for Risk Management, BCP and Service Provider Management.
Streamline BCP Availability
Board members have quick access to up-to-date business continuity plans held centrally in PRIME, so they can suggest changes, review and approve them prior to publication.
Enhance the Visibility of Risks and Controls
Using the capability to link risks to any process and task where the controls are enacted, senior management can do a quick assessment of the end-to-end adherence to legal, regulatory, technology, and data security policy. Any gaps can be identified and remediated.
Empower Data-Driven Decision Making
By matching incident reporting and audit information, a detailed picture of potential weaknesses can be gained. The quick reports generated in the PRIME BPM platform enable the board to understand the risk profile and identify areas of improvement, helping them make informed, data-backed decisions.

3. Assess and Control Operational Risks

  • Identify and document the processes and resources needed to deliver critical operations, including people, technology, information, facilities and service providers, the interdependencies across them, and the associated risks, obligations, key data and controls.
  • Maintain appropriate and effective information systems to monitor operational risk and to compile and analyse operational risk data.
  • Operational risk incidents and near misses need to be identified, escalated, recorded and addressed in a timely manner. APRA needs to be notified within 72 hours of a risk incident with a significant financial or operational impact.

Mitigate Operational Risks with PRIME BPM

Document Critical Operations
Create standardised and accurate process maps for your as-is processes, complete with procedural-level information and document and system links, in minutes using drag-and-drop functionality and in-built BPMN 2.0 support.
Identify Control Gaps in Critical Operations
Processes can be linked into Journey Maps to show the complete interaction of operational processes and gain a 360-degree view of the process in terms of documents used, people involved, and interdependencies. Linking each of these processes with their associated risks, obligations, and controls provides a clear understanding of where critical risks are being managed. Leveraging these insights, any gaps can be identified, and adjustments can be made to the process.
Effective Risk Management System
With the capability to link to your existing risk management system, PRIME helps you manage and report your operational risks from a single platform. While your risk management system helps you document risks, obligations and controls, PRIME takes operational risk management to the next level. It helps you tie those risk elements to actual processes and tasks. Any changes made to the process to mitigate the risks can be tracked via the version control feature, ensuring an audit trail.
Incident Reporting and Management
Incidents can be reported directly in PRIME or linked from an existing incident management system. Impacted processes can be quickly identified, and remediation programs tracked to provide concrete evidence of actions taken and process changes made.

4. Improve Business Continuity Management

  • Identify critical operations and associated tolerance levels.
  • Maintain the capabilities required to execute the BCP, including access to people, resources and technology.
  • Notify APRA as soon as possible, and no later than 24 hours, if the BCP has been activated.

Build Operational Resilience with PRIME BPM

Regular Audits for Critical Operations
Using a combination of functionalities in PRIME BPM, data-critical processes can be quickly identified so that the regular process change management program is aware of the importance of these processes when making changes. These critical processes can be scheduled for detailed, rigorous audits and remediation programs.
Maintain a Record of BCP Capabilities
BCP processes can be enacted and recorded in the Operational Intelligence module to identify the delays encountered due to resourcing or technology and take corrective measures. This data provides solid evidence for assurance of BCP capabilities.
Ensure Access to the Latest Effective Business Continuity Plan
With the documents, systems, and roles and responsibilities clearly highlighted in the BCP process, the requirements for effective execution are set out. The latest, updated Business Continuity Plan is stored centrally to ensure easy access and faster implementation. Stakeholders can also suggest improvements in real time to drive continuous improvement.
Get Evidence for Auditing
With the in-built reporting capabilities of the Operational Intelligence module, easily track and record every instance when the BCP process was enacted, in both test and live runs. Get details such as who performed the process, how long it took and who executed each task. This clear evidence can be shared for auditing purposes.

5. Uplift Arrangements with Service Providers

  • Undertake appropriate due diligence, including an appropriate tender and selection process and an assessment of the ability of the service provider to provide the service on an ongoing basis.
  • Identify and maintain a register of the material service providers and manage the material risks associated with using these providers.

Seamlessly Manage Your Service Provider Risks with PRIME BPM

Streamline Service Provider Selection
Document every process related to the service provider, such as onboarding, setup and regular review. With documented processes, ensure a thorough assessment of a service provider before selection. Documented processes not only help in due diligence but also maintain a record that proves instrumental during audits, substantiating compliance with the CPS 230 framework.
Ensure Adherence to Defined Processes
Using access control and role restriction, give service providers access to selected process maps to ensure each process is executed as defined, averting risks. For instance, if you have an incident management process defined in PRIME, you can give the provider access to that process so that any outage on the service provider side is handled as per the steps you have defined.
Maintain Proof of Continual Review
Service provider-related information is accurately captured and stored centrally. Maintain a record of the review, approval and publication cycles for all service provider management processes to show proof of regular audits on these processes. Any change or improvement to a process can be tracked with the version control functionality.

Download Guidance

CPS 230 Compliance Action Checklist for Risk Management Teams

A ready checklist that outlines action items for the risk management teams to help align their operations with CPS 230 regulations.

CPS 230 Process Mapping Checklist

A comprehensive guide to help ensure you are mapping and documenting your processes effectively to meet CPS 230 mandates.

CPS 230 Roadmap: Simplify your Journey to Compliance

Get a complete roadmap for achieving CPS 230 compliance requirements with PRIME BPM’s functionalities.