The Australian Prudential Regulation Authority has brought its cross-industry Prudential Standard CPS 230 Operational Risk Management into force, requiring APRA-regulated banks, insurers and superannuation funds to meet higher operational risk management and resilience expectations. CPS 230 requires entities to identify important business services and determine the extent to which they can continue during severe disruptions, test business continuity planning to identify vulnerabilities, and strengthen third-party risk management for material service providers. Entities must also provide APRA with a list of their most material service providers to support the regulator’s monitoring of concentration risks across the financial services sector, while smaller and less complex entities have been granted an additional 12 months to meet some requirements.
Australian Prudential Regulation Authority, 2025-07-01
Australian Prudential Regulation Authority brings CPS 230 operational risk management standard into force for banks, insurers and superannuation funds
The Australian Prudential Regulation Authority has implemented Prudential Standard CPS 230, requiring banks, insurers, and superannuation funds to enhance operational risk management and resilience. CPS 230 mandates identification of critical business services, continuity planning, and strengthened third-party risk management. Entities must submit a list of key service providers to APRA for concentration risk monitoring, with smaller entities given an extra year to comply with certain requirements.