
People working in Australia’s financial services sector are pretty familiar with APRA, the Australian Prudential Regulation Authority, and the important role it plays in keeping the financial system stable. On 1 July 2025, APRA rolled out its new prudential standard, CPS 230, which is shaking up how regulated organisations handle operational risk, work with third-party providers, and plan for business continuity.
This standard is one of the most significant regulatory shifts in recent years. It builds on CPS 231 (Outsourcing) and CPS 232 (Business Continuity Management) to create a more unified, risk-based framework for operational resilience. However, CPS 230 cannot be viewed in isolation. To be effective, it must work hand in hand with CPS 234, which defines information security requirements. Together, these standards create a comprehensive model for protecting critical operations, securing information assets, and maintaining trust in the financial system.
What CPS 230 requires
CPS 230 is designed to ensure that financial institutions can continue delivering critical services even during major disruptions. Its requirements include:
- Identifying all critical operations and mapping dependencies across third- and fourth-party providers.
- Maintaining a complete register of material service providers and updating it regularly as services evolve.
- Defining an operational risk appetite that is approved by the board and includes metrics such as recovery time tolerances.
- Establishing robust incident response and notification thresholds, aligned to business and regulatory expectations.
- Strengthening board and executive oversight through regular risk reporting and governance reviews.
- Developing and testing business continuity and contingency plans to ensure readiness for disruption.
Organisations have until 1 July 2026 to transition fully to CPS 230 compliance, which includes making sure their contracts with service providers line up with the new requirements.
Why APRA introduced CPS 230
Financial institutions today depend on an extensive ecosystem of digital services, including cloud platforms, data centres, network providers, and managed service partners. This interconnectedness improves efficiency but also increases exposure to outages and cascading failures.
Disruptions can be caused by cyber attacks, power outages, natural disasters, supply chain breakdowns, or network outages. According to APRA Chair John Lonsdale, disruptions to financial services can have severe impacts on individuals and communities, affecting their ability to pay bills, access funds, or recover from loss.
Recent high-profile events, including prolonged trading outages and material cyber breaches, have highlighted gaps in existing risk controls. APRA’s intent is clear: institutions must set, test, and continuously improve operational risk management frameworks and be prepared to respond to disruptions effectively.
The connection to CPS 234
While CPS 230 focuses on operational risk and continuity of critical services, CPS 234 addresses information security. The two standards are deeply complementary. An organisation cannot claim operational resilience if it is unable to protect its information assets from compromise.
CPS 234 requires regulated entities to implement and regularly test security controls, classify information assets, and report material information security incidents to APRA.
When combined with CPS 230’s requirements for third-party oversight and continuity planning, organisations can take a holistic view of risk, one that covers both the prevention of incidents and the response to operational disruption when it occurs.
Building a risk management framework that works
Meeting CPS 230 obligations is not about having policies on paper. An organisation’s risk management framework must be actionable, comprehensive, and regularly tested.
An effective framework should include:
- A detailed risk taxonomy that covers internal processes, people, external events, and single points of failure.
- Control registers describing how each risk is mitigated, who owns each control, how testing will occur, and how issues will be escalated.
- A board-approved operational risk appetite that sets clear thresholds for acceptable and unacceptable risk exposure.
- A current and complete inventory of material service providers, including contract terms, monitoring obligations, and exit strategies.
- Documented roles and responsibilities for the board, committees, senior management, and control owners.
- Minutes and evidence of board-level engagement with operational risk and business continuity planning.
This framework should be reviewed at least annually and tested through real-world scenarios to ensure it is effective.
Developing and testing your business continuity plan
A Business Continuity Plan (BCP) is central to CPS 230 compliance. It must clearly set out how critical operations will continue during a disruption. A strong BCP includes:
- Identification of essential services and prioritisation of their restoration.
- Recovery time objectives and recovery point objectives to guide decision-making.
- Dependency mapping to highlight systems, providers, and people required to maintain operations.
- Scenario-specific response procedures, including failover and alternate processes.
- Defined roles and responsibilities for activation, communications, and decision-making.
- Communication protocols and contact details, including pre-prepared messaging templates.
- A schedule for testing, review, and continuous improvement of the plan.
Testing is essential. Tabletop exercises, failover tests, and live simulations will demonstrate whether your plan is practical and whether your teams are ready to execute it under pressure.
Managing third-party and fourth-party risk
Third-party risk management is no longer a procurement exercise but a critical governance function. Institutions must maintain visibility not only of their direct service providers but also of the subcontractors those providers rely on. This means:
- Conducting due diligence at onboarding and throughout the provider lifecycle.
- Monitoring performance, security posture, and ownership changes.
- Validating assurance through independent testing rather than relying solely on vendor attestations.
- Building exit strategies that ensure data is returned or securely destroyed and that operations can be transitioned without service gaps.
The role of the board and senior executives
CPS 230 places clear responsibility on boards and senior executives to oversee operational risk management. This means they must not only approve frameworks but also receive regular reporting, challenge management where needed, and ensure resources are allocated to address risks.
Nexon’s Advisory and GRC Capabilities: Turning compliance into resilience
Nexon brings decades of combined experience across multiple industries in designing, implementing, and certifying information security management systems against globally recognised standards. Our approach is consultative and collaborative: we work side by side with clients to select the right Information Security Management System (ISMS) framework based on business objectives, regulatory obligations, and risk appetite.
The frameworks we most commonly work with include:
- ASD Essential Eight and ASD Top 37 Mitigation Strategies for maturity uplift and compliance with Australian Government guidance.
- ISO/IEC 27001:2022 Information Security Management System, including scoping, risk assessment, and certification readiness.
- CIS Critical Security Controls v8 for practical, control-focused cyber security benchmarking.
- NIST Cybersecurity Framework v1.1 and NIST SP 800-171 Rev. 2 for risk-based security architecture and compliance in regulated environments.
- APRA CPS 234 Information Security Standard for regulated entities and their third-party service providers, including breach notification readiness, asset classification, and control testing regimes.
- ISO/IEC 42001 AI Management System. A structured gap analysis of the organisation’s AI strategy, AI management system components, associated applications, and data governance practices.
- ISO/IEC 62443 national standards for protecting Operational Technology (OT) in critical infrastructure from cyber threats.
- SOCI compliance, and mapping of the ASD ISM against your current controls and cyber uplift strategy.
Regardless of the framework chosen, our team ensures that security controls are proportionate to your unique context and aligned with business strategy, risk tolerance, and operational priorities. Our goal is not just compliance but the creation of measurable, sustainable security capability that supports your organisation’s resilience, reputation, and long-term growth.
Final thoughts
2025 and 2026 represent a defining period for APRA-regulated entities. Compliance with CPS 230 is mandatory, but organisations that go further and integrate CPS 234 into their approach will achieve true operational resilience.
The financial system runs on trust. By taking a proactive, integrated approach to risk management and third-party oversight, boards and executives can protect that trust, safeguard customers, and turn regulatory compliance into a strategic advantage.
Take a proactive approach to regulatory change and build a security posture that is resilient, scalable, and future-ready.
Mo Chowdhury is Principal Consultant Cyber Security at Nexon Asia Pacific.