Article Posted date 30 May 2024

Timeline | Key considerations | Focus areas | Download guidance | How we can help | FAQs

Strengthening your operational risk and resilience practices

The Australian Prudential Regulation Authority (APRA) release of cross-industry Prudential Standard CPS 230 Operational Risk Management has been designed to strengthen operational risk management and resilience across APRA-regulated entities across financial services which includes banking, insurance, superannuation fund organisations.

The standard underpins CPS 220 Risk Management and replaces several existing standards including CPS/SPS 232 Business Continuity management and CPS/SPS/HPS 231 Outsourcing.

CPS 230 timeline

July 2022

APRA consults on draft CPS 230

April 2023

APRA announces revised implementation timetable

July 2023

APRA releases Final CPS 230* and a Draft Practice Guide

Mid July 2024

Material service providers / critical operations identified*

End 2024

Entities positioned to set tolerance levels set*

1 July 2025

CPS 230 commences*

1 July 2026

Transition ends for existing contracts with service providers
* Proactive transition period, regulated entities prepare for new requirements


Key considerations for CPS 230

In consideration of the timeframe for implementation, APRA regulated entities should have a robust implementation plan, identifying the uplifts required to be compliant with the standard. The standard and accompanying Prudential Practice Guide reflect many aspects of better practice across Operational Risk Management and Resilience globally.

APRA has introduced a proactive transition period where they would see entities have identified Material service providers and critical operations by mid-2024, with entities setting tolerance levels by the end of 2024. This supports the heightened expectations on maturity before the July 2025 effective date.

Key themes of CPS 230 to consider include:

  • Be prepared for risk events – Entities must ensure effective process to support the management and response to risk events, effectively reducing their impact.
  • Know your customer and market impacting Critical Operations – Entities must have an end-to-end understanding of critical operations and the associated resources which are critical to the operation to ensure appropriate mitigating controls are in place to prevent disruption and manage risk within appetite.
  • Be resilient – Entities must be able to continue to operate through the ever-increasing breadth of disruption, providing critical services to their customers and the market.
  • Protect the entity and the community – Business Continuity Planning and exercising will be critical to ensure that the impact of disruptions is minimised to an acceptable/tolerable level.
  • Effectively manage service provider risk – Entities must ensure they have processes in place to identify, assess, manage, and govern service providers that are critical to service delivery or pose a material risk.

CPS 230 areas of focus

  • Ensure you have a future fit target operating model with clear roles and responsibilities.
  • Define the methodology and approach to identify your critical operations.
  • Enhance your frameworks, identification and risk management relating to material service providers.
  • Utilise existing business continuity and IT disaster recover capabilities to support the recovery of critical operations.
  • Implement an effective incident management approach to ensure escalation and notification to APRA within time-frame.
  • Develop a robust controls management approach to ensure the controls mitigating your critical operations are tested frequently, weaknesses identified and plans in place to remediate.

CPS 230 guidance

Understanding the impact of APRA's Prudential Standard CPS 230 is complex. Learn more about APRA's guidance and implementation timeline through KPMG's summaries.

CPS 230 Operational Risk Management – July 2023 update

Final Rule released

Opens in a new window

CPS 230 operational risk management implementation

KPMG’s experienced risk and resilience teams support Global Financial Services clients throughout Australia, Europe, the United Kingdom and APAC to respond to evolving regulation and framework changes and implementation of operational risk management and resilience practices.

KPMG recommends that the Board and Executive Teams prioritise what their organisation can and should have in place by 1 July 2025 for CPS 230.

It is expected that implementing CPS 230 will be a multi-year program of work that will have a lengthy duration period but the outcome will help businesses achieve a strong position of operational resilience which will benefit your customers and your stakeholders.

KPMG's Operational Risk Management team

To understand the impact of Prudential Standard CPS 230 on your business, contact KPMG’s operational risk specialists for an individual briefing.

Gavin Rosettenstein blog posts
Gavin Rosettenstein
National Lead, Risk Advisory | ASPAC Leader, Third Party Risk Management
KPMG Australia
Profile | | Phone
Matt Tottenham blog posts
Matt Tottenham
Partner, Risk Strategy & Technology
KPMG Australia
Profile | | Phone
Kathleen conner blog posts
Kathleen Conner
Partner, GRC – Regulation & Compliance
KPMG Australia
Profile | | Phone

Related operational risk strategy insights & services

Businesswoman with protective face mask checking financial trading data
Businesswoman with protective face mask checking financial trading data
Financial Services
Financial Services
Financial Services

We work with our financial services clients to help them thrive in a rapidly transforming industry.

We work with our financial services clients to help them thrive in a rapidly transforming industry.

We work with our clients to help them thrive in a rapidly transforming industry.

APRA’s policy priorities: impacts for the banking sector
APRA’s policy priorities: impacts for the banking sector
APRA’s policy priorities: impacts for the banking sector

APRA’s new prudential standards are designed to bolster our financial resilience. Explore how they impact ADI holders and the banking sector.

APRA’s new prudential standards are designed to bolster our financial resilience. Explore how they impact ADI holders and the banking sector.

Explore how APRA’s new prudential standards impact ADI holders and the banking sector.

Risk Strategy & Technology
Risk Strategy & Technology
Risk Strategy & Technology
Risk Strategy & Technology
Risk Strategy & Technology

KPMG’s Risk Strategy & Technology team helps clients with the design and transformation of their governance and enterprise risk management frameworks.

KPMG’s Risk Strategy & Technology team helps clients with the design and transformation of their governance and enterprise risk management frameworks.

Our Risk Strategy & Technology team helps with governance and risk management frameworks.

Risk & Governance Insights Subscription
Risk & Governance Insights Subscription
Risk & Governance Subscription
Risk & Governance Subscription
Risk & Governance Subscription

Sign up for risk and governance insights – delivered direct to your inbox.

Sign up for risk and governance insights – delivered direct to your inbox.

Sign up for risk and governance insights – delivered direct to your inbox.

Prudential Standard CPS 230 FAQs

Which organisations are impacted by CPS 230 Operational Risk Management?

The standard applies to all APRA-regulated entities which includes:

  • Banking – Authorised deposit-taking institutions (ADIs), including Foreign ADIs, and non-operating holding companies (NOHCs)
  • General Insurance – Including Category C insurers, NOHCs and parent entities of Level 2 insurance groups
  • Life Insurance – Including friendly societies, eligible foreign insurance companies (EFLICs) and NOHCs
  • Private Health Insurance – Registered under the PHIPS Act
  • Superannuation – Registerable superannuation entity licensees (RSE licensees)

The standard is relevant for the Australian branch operations for foreign ADI, Category C insurer and EFLIC entities. Where the entity is the Head of a Group, it must comply with CPS 230.

What does APRA CPS 230 Operational Risk Management replace?

As part of APRA's plan to modernise the architecture of prudential standards and guidance for banks, insurers and superannuation funds, CPS 230 Operational Risk Management is a combination of five existing APRA standards, these being:

  • CPS 231 Outsourcing
  • CPS 232 Business Continuity Management
  • SPS 231 Outsourcing (Superannuation)
  • SPS 232 Business Continuity Management (Superannuation)
  • HPS 231 Outsourcing (Private Health Insurance)

What is the purpose of CPS 230 Operational Risk Management?

This standard aims to ensure banks, insurers and superannuation funds better manage operational risk, the ability to respond to business disruption and manage the risks from the use of service providers.