The Australian Prudential Regulation Authority's (APRA) cross-industry Prudential Standard CPS 230 Operational Risk Management has been designed to strengthen operational risk management and resilience across APRA-regulated entities.
CPS 230 applies to entities in financial services including banking, insurance and superannuation fund organisations.
The standard underpins CPS 220 Risk Management and replaces several existing standards including CPS/SPS 232 Business Continuity Management and CPS/SPS/HPS 231 Outsourcing.
If you need help to comply with CPS 230 by 1 July 2025, contact us.
Final guidance for APRA's Prudential Practice Guide CPG 230
On 13 June 2024, APRA formally released its final Prudential Practice Guide CPG 230 Operational Risk Management.
In response to consultation feedback received from 16 entities and industry bodies, APRA recognised the requirement for greater clarity to avoid the creation of unintentional practical difficulties during implementation.
The guidance has been simplified to be shorter, sharper and focused on effective baseline compliance. Whilst maintaining strong expectations around achieving resilience, APRA has effectively given regulated entities more flexibility around how they achieve stronger resilience outcomes by applying more of a risk-based lens to their approaches.
Key changes include:
CPS 230 timeline
* Proactive transition period: regulated entities prepare for new requirements
Key considerations for CPS 230
Given the timeframe for implementation, APRA-regulated entities should have a robust implementation plan that identifies the uplifts required to be compliant with the standard. The standard and accompanying Prudential Practice Guide reflect many aspects of better practice across Operational Risk Management and Resilience globally.
APRA has introduced a proactive transition period in which it would see entities identify material service providers and critical operations by mid-2024, and set tolerance levels by the end of 2024. This supports the heightened expectations on maturity before the July 2025 effective date.
Key themes of CPS 230 to consider include:
- Be prepared for risk events – Entities must ensure effective processes to support the management of and response to risk events, effectively reducing their impact.
- Know your customer- and market-impacting critical operations – Entities must have an end-to-end understanding of critical operations and the resources those operations depend on, to ensure appropriate mitigating controls are in place to prevent disruption and manage risk within appetite.
- Be resilient – Entities must be able to continue to operate through the ever-increasing breadth of disruption, providing critical services to their customers and the market.
- Protect the entity and the community – Business Continuity Planning and exercising will be critical to ensure that the impact of disruptions is minimised to an acceptable/tolerable level.
- Effectively manage service provider risk – Entities must ensure they have processes in place to identify, assess, manage, and govern service providers that are critical to service delivery or pose a material risk.
CPS 230 compliance: Areas of focus
Guidance for CPS 230 compliance
Understanding the impact of APRA's Prudential Standard CPS 230 is complex. Learn more about APRA's guidance and implementation timeline through KPMG's summaries.

- CPG 230 Operational Risk Management
- Key elements of draft prudential standard CPS 230
- CPS 230 – Considerations for the Chief Operating Officer
CPS 230 operational risk management implementation
KPMG’s experienced risk and resilience teams support Global Financial Services clients throughout Australia, Europe, the United Kingdom and APAC to respond to evolving regulation and framework changes and implementation of operational risk management and resilience practices.
KPMG recommends that the Board and Executive Teams prioritise what their organisation can and should have in place by 1 July 2025 for CPS 230.
Implementing CPS 230 is expected to be a lengthy, multi-year program of work, but the outcome will help businesses achieve a strong position of operational resilience that benefits their customers and stakeholders.
KPMG's Operational Risk Management team
To understand the impact of Prudential Standard CPS 230 on your business, contact KPMG’s operational risk specialists for an individual briefing.
Prudential Standard CPS 230 FAQs
The standard applies to all APRA-regulated entities, which include:
- Banking – Authorised deposit-taking institutions (ADIs), including Foreign ADIs, and non-operating holding companies (NOHCs)
- General Insurance – Including Category C insurers, NOHCs and parent entities of Level 2 insurance groups
- Life Insurance – Including friendly societies, eligible foreign insurance companies (EFLICs) and NOHCs
- Private Health Insurance – Registered under the PHIPS Act
- Superannuation – Registerable superannuation entity licensees (RSE licensees)
The standard is relevant for the Australian branch operations of foreign ADI, Category C insurer and EFLIC entities. Where the entity is the Head of a Group, it must comply with CPS 230.
As part of APRA's plan to modernise the architecture of prudential standards and guidance for banks, insurers and superannuation funds, CPS 230 Operational Risk Management combines five existing APRA standards:
- CPS 231 Outsourcing
- CPS 232 Business Continuity Management
- SPS 231 Outsourcing (Superannuation)
- SPS 232 Business Continuity Management (Superannuation)
- HPS 231 Outsourcing (Private Health Insurance)
This standard aims to ensure banks, insurers and superannuation funds better manage operational risk, can respond to business disruption, and manage the risks from the use of service providers.