With the release of APRA’s Practice Guide CPG230 – Operational Risk Management, the CPS230 regulatory framework has now been finalised, making it an opportune time to take stock of where you are in your CPS230 journey. The implementation of CPS230 is a marathon, not a sprint, and it is vital to check in to ensure that your organisation is on track, given it will be difficult to catch up closer to the standard coming into force during 2025.
Here we share three check-in points for your CPS230 journey. First, our thoughts on CPG230 and the accompanying letter from APRA. Second, our views on the progress entities of different sizes should have made by now. And third, looking to the future, we pose questions for Board Risk Committees to consider in the lead-up to CPS230 coming into effect.
Guidance is now final
APRA has released the final version of CPG230 which provides practical guidance on the requirements in CPS230. APRA has adopted a new layout for this Practice Guide in an attempt to improve readability. This includes inserting the requirements from the standard which makes cross-referencing easy.
Notably, APRA has refrained from outlining what it considers ‘better practice’, a break with previous CPGs. Some have welcomed this development as they feel it provides a clearer set of expectations. However, this view is not universal: some clients liked the better-practice guidance in earlier CPGs and felt it was useful.
Nevertheless, APRA typically seeks to provide principles rather than prescription. Removing the detailed examples means there is less clarity but also less prescription, and we would encourage clients to consider the spirit and intent of the requirements, using insights from their industry peers and from advisors such as PFS to answer the question – “are we doing enough for the size, scale and complexity of our business?”
The release of CPG230 was accompanied by a letter responding to submissions on the draft version of CPG230. This letter is essential reading as part of your CPS230 journey. It covers a range of important points on how APRA will enforce CPS230 as well as some practical guidance. The letter includes:
- Giving non-SFIs a 12-month extension on requirements relating to business continuity and scenario analysis. Non-SFIs can choose to transition to CPS 230 in full by 1 July 2025. However, entities that choose to take advantage of this extra time must comply with existing prudential standards CPS 232 Business Continuity Management and SPS 232 Business Continuity Management until they are fully compliant with CPS230.
PFS Insight: non-SFIs may find the extra time welcome, however we recommend selecting a date by which you make a formal go/no-go decision about whether you will take advantage of the additional time, and if so, the expected compliance date.
- Advice for transition, including timelines and day-one compliance checklists that set out what is required to be submitted to APRA and whether certain requirements are new or build on CPS231 and CPS232.
PFS Insight: We recommend you compare your project plans against APRA’s expectations to ensure you are set up for success.
- APRA’s supervision programme for the first three years of CPS 230.
PFS Insight: The three-year settling-in period is much longer than we have seen for other new Prudential Standards. This reflects the pervasive nature of the requirements and APRA’s expectation that they will require significant effort to implement.
- A selection of submission comments APRA received during feedback on the draft of CPG230 and APRA’s responses to them. These read almost like an FAQ and are a useful inclusion.
Final version of CPG230:
Response to submissions paper:
https://www.apra.gov.au/response-to-submissions-cpg-230-operational-risk-management
Where are you up to?
Progress to date
Most entities will by now have taken some steps towards meeting CPS230, and some will have made significant progress on their CPS230 journey. But where should you be up to? Below we share our thoughts, requirement by requirement:
| CPS230 requirement | Activities |
| --- | --- |
| Incorporation of operational risk into the RMF, including profile, assessment, identification of controls and incident management processes | Establish governance arrangements for operational risk; assess operational risk; update the control library and associated testing/validation; update incident management procedures |
| IT capability | Assess the age and health of IT assets; assess the appropriateness of IT capability to meet current and projected business requirements |
| Roles and responsibilities | Identify key roles relevant to operational risk and its management; update role descriptions; recruit for any new positions |
| Critical operations and register | Identify critical operations through working groups, workshops and other means; design and populate the register |
| Setting tolerance levels for COs | Identify and quantify metrics for COs; select, test and calibrate tolerance levels |
| Processes and resources for delivery of critical operations | Document and review processes, updating and changing them as needed; identify key roles, update role descriptions and recruit as needed |
| Service Provider Management Policy | Over and above the normal policy development process (workshops, drafting, review, etc.), other worthwhile actions include testing and independent reviews, even before CPS230 comes into effect |
| Resources available to oversee third parties | Comprehensive analysis of existing resources (including skills and capacity) and identification of any gaps; where gaps require additional resources, act early to fill them, as demand for the relevant skills could increase |
| Register of MSPs | Design a register that can assist with business needs now and into the future; run workshops to populate it and develop processes to ensure it is maintained |
| Service provider agreements | Use the Policy to devise and draft template wording where needed; ensure any changes are communicated to service providers well in advance |
| Vendors who aren’t MSPs | Ensure agreements are fit for purpose; review oversight and reporting arrangements |
| Fourth parties | Engage with third parties to provide information on their providers (fourth parties); analyse fourth-party providers and their impacts on COs |
| Key geographies | Thorough and broad analysis of risks arising from all key geographies |
| Enhanced BCP/DRP testing, including joint exercises with service providers, resilience planning and robustness of scenarios | Allocate resources and budget to the testing programme; develop a detailed testing plan and communicate it to internal stakeholders and service providers |
Top 10 questions to consider
As you continue on your CPS230 journey, here are 10 questions that Board Risk Committees can ask themselves:
- How would you rate the resilience of your organisation to operational shocks?
- Are you comfortable with the process undertaken to assess your operational risk profile? Did it uncover any previously unidentified operational risks or issues?
- Do you have a clear understanding of who is responsible for each aspect of operational risk management, including BCP and service providers?
- Are you comfortable with the level of resources in place to comply and maintain compliance with CPS230, especially in relation to material service providers?
- Are you confident that all critical operations have been identified appropriately?
- Whether or not you were affected by the CrowdStrike event, what are the learnings for resilience in your business?
- What additional reporting on operational risk will you receive when CPS230 comes into effect?
- Do you understand the IT capability needs of your organisation both now and into the future? Do you understand the criticality of these systems for the operation of your business?
- How confident are you that you understand which geographies your business is exposed to, and the significance to your business?
- Is the management of operational risk helping to achieve strategic objectives?