What is APRA CPS 230?

APRA CPS 230 is an operational risk management standard issued by the Australian Prudential Regulation Authority (APRA). The regulation requires financial institutions to identify critical business services, manage operational risk across their operational value chain, oversee third-party service providers, and maintain operational resilience during disruptions.

With CPS 230 now in effect, APRA-regulated entities must maintain continuous oversight of operational risk, third-party dependencies, and critical business services.

What does CPS 230 require organizations to do?

  • Identify critical business services
  • Map the operational value chain
  • Manage third- and fourth-party risk
  • Define operational resilience tolerances
  • Implement incident management and reporting procedures

These requirements are designed to ensure organizations can prevent disruptions where possible and maintain service continuity when incidents occur.

ProcessUnity for APRA CPS 230 Enables You To:

  • Establish a risk management framework to identify, assess, and manage operational and cyber risks with effective internal controls, monitoring, and remediation.
  • Maintain a credible business continuity plan while overseeing third parties to ensure they can continue delivering critical services within tolerance levels during severe disruptions.
  • Implement an effective third-party risk management strategy including service provider governance, contract oversight, and continuous monitoring.

Strengthen Operational Resilience with APRA CPS 230

The goal of CPS 230 is to elevate operational resilience standards across APRA-regulated entities. The regulation took effect in mid‑2025 and now serves as the framework financial institutions must follow to manage operational risk and maintain resilience across their operational value chains.

Organizations must continuously assess operational risk, respond to incidents as they occur, and adjust controls following disruptions to reduce the likelihood and impact of future incidents.

For organizations subject to CPS 230, it is not enough to prevent operational incidents. They must also ensure they can maintain critical services, manage the impact of disruptions, and recover quickly when incidents occur.

Selecting the right operational risk management software can help organizations automate risk assessments, monitor third‑party dependencies, and maintain ongoing compliance with CPS 230 requirements.

Whitepaper

APRA CPS 230: Key Provisions and Best Practices

Key Benefits: ProcessUnity for APRA CPS 230

Accelerated APRA CPS 230 Compliance

A comprehensive solution that meets complex requirements across the enterprise and integrates with existing processes via API.

Simplified Executive Reporting and Notification

Provides executive reporting, operational resiliency thresholds, and notification requirements to improve visibility and reduce reporting effort.

Value Chain Visibility

Enables visibility across the entire value chain, linking lines of business, processes, systems/applications, and vendors.

Automated Workflow Processes

Supports operational risk assessments for internal systems and due diligence on third parties.

Multi‑Risk and Threat Intelligence

Leverages external intelligence sources and the Global Risk Exchange (GRX) to enhance risk visibility and scalability.

Operational Risk Identification

Identifies operational risk disruptions and evaluates their impact on business processes and customer-facing services.

Collaboration and Compliance

Supports cross‑functional collaboration and demonstrates compliance to auditors and regulators.

ProcessUnity combines its offerings into one comprehensive solution designed to help you meet APRA CPS 230 obligations. The table below outlines the core APRA CPS 230 components and how ProcessUnity streamlines your adherence to these requirements.

Key Requirement: Operational Value Chain and Board Reporting
Detail:
  • Ability to identify business processes, supporting systems/applications, underlying assets, and associated vendors for key lines of business or essential customer-facing services
  • Provide visibility of the value chain to the board
ProcessUnity Solution Component:
  • Relationship Architecture – an operational value chain connecting lines of business to their business processes, supported by critical systems/applications and their underlying assets
  • Linkage of these processes, systems, and assets to third parties
  • Executive dashboards

Key Requirement: Operational Risk Management Framework
Detail:
  • Identification of controls
  • Assessment of the operational risk profile through periodic risk assessments
  • Monitoring and analysis of the operational risk profile
  • Identification of key operational risk profiles
ProcessUnity Solution Component:
  • Control library with AI capability that draws on regulations and standards
  • Control testing/evaluations
  • Issue register, risk register, remediation and action plans

Key Requirement: Business Continuity Plans and Resiliency Thresholds
Detail:
  • Business continuity plans across the operational value chain (capturing internal and external dependencies)
  • Resiliency threshold data – RTO, RPO, and MTD
  • Business continuity testing and updates
ProcessUnity Solution Component:
  • Ability to conduct a business impact assessment across the value chain and build a business continuity plan
  • Test the business continuity plan for its effectiveness against a range of scenarios
  • Capture resiliency threshold data across the LoB, business process, system/application, and vendor, and identify gaps across the value chain

Key Requirement: Service Provider Arrangements
Detail:
  • Identification of material service providers, including offshore arrangements
  • Agreement and contract risk management – additional clauses for reporting
  • Vendor risk management program from inherent to residual risk across multiple risk domains
  • 4th-party concentration risk
ProcessUnity Solution Component:
  • Master vendor inventory with vendor attributes
  • Capture inherent risk based on how the third party is used as well as threat intelligence data
  • Build a questionnaire library, combined with predictive AI capability, to perform due diligence across multiple risk domains
  • Contract lifecycle management, including the capability to capture key provisions of the contracts
  • Grant vendors the ability to provide operational resiliency data, i.e., BCP plans and thresholds (MTD, RTO, and RPO)
  • Grant third parties the ability to report incidents and vulnerabilities through a vendor portal
  • Assess 4th-party concentration risk

Key Requirement: Vulnerabilities and Operational Risk Incidents
Detail:
  • Identification of vulnerabilities in key systems/assets that can impact the operational value chain
  • Requirement to notify operational risk incidents both internally and externally
ProcessUnity Solution Component:
  • Identification of a vulnerability catalogue using API integrations with intelligence sources
  • Leveraging GRX capabilities to map vendors and use the operational value chain to identify operational risk incidents
  • Incident reporting portal covering identification, notification, and reporting of incidents for internal users, plus a vendor portal for vendors to report incidents in a timely manner

Talk to Our Team About Your APRA Compliance Needs

Schedule a personalized demo of our award-winning platform and see why leading global brands rely on ProcessUnity for effective and efficient Third-Party Risk Management.

Who Must Comply with APRA CPS 230?

APRA CPS 230 applies to all APRA-regulated financial institutions operating in Australia. These organizations must implement operational risk management frameworks to ensure operational resilience and effective oversight of third-party service providers.

  • Authorized deposit‑taking institutions (ADIs), including foreign ADIs and non‑operating holding companies authorized under the Banking Act
  • General insurers and insurance holding companies authorized under the Insurance Act
  • Life companies and registered life NOHCs under the Life Insurance Act
  • Private health insurers registered under the PHIPS Act
  • Registrable superannuation entity (RSE) licensees under the SIS Act

Frequently Asked Questions

APRA CPS 230 is an operational risk management standard issued by APRA that requires financial institutions to manage operational risk, oversee third‑party service providers, and maintain operational resilience.

All APRA‑regulated entities including banks, insurers, life companies, private health insurers, and RSE licensees must comply with CPS 230 requirements.

CPS 230 took effect in mid‑2025. APRA‑regulated entities are now required to maintain operational risk management frameworks aligned with the regulation.

The regulation requires organizations to identify material service providers, monitor vendor resilience, and ensure third parties can support critical operations during disruptions.

Software platforms support CPS 230 compliance by mapping operational value chains, automating risk assessments, managing third‑party risk, and enabling continuous monitoring and reporting.

Next Steps:
Schedule a ProcessUnity TPRM Demo

Request a demo today to learn how ProcessUnity can help your organization meet CPS 230 obligations and build operational resilience for the future.
