APRA’s new Operational Risk Management Standard (CPS 230) takes effect 1 July 2025 (1 July 2026 for non-significant financial institutions). Here’s what managing executives need to know.
Key Objectives
CPS 230 requires regulated entities (banks, insurers and superannuation funds) to i) effectively manage operational risks; ii) maintain critical operations during severe disruptions; and iii) manage the risks arising from their service providers.
Why it matters
APRA cites global banking data showing around 65,000 operational loss events totalling nearly $600 billion between 2016 and 2021. Beyond direct losses and financial penalties, operational failures erode stakeholder trust and market stability.
A Board Agenda Item
The Board is ultimately accountable for oversight of operational risk management, including business continuity and service provider arrangements. Senior management is responsible for implementation and for providing the Board with clear, timely information on the entity's operational risk profile.
What needs to be done
With accountability established, here are some of the practical steps for implementation:
- Assess the operational risk profile and define risk appetite – Strengthen the identification, assessment and management of operational risk. Business and strategic decisions, including those relating to new products, services, geographies and technologies, need to be assessed for their impact on the operational risk profile and on resilience before they are made.
- Identify critical operations – Define tolerance levels for each (the maximum period of disruption, the maximum extent of data loss and the minimum service level) and ensure the operation can be maintained within those levels during a major disruption.
- Develop Business Continuity Plans (BCPs) – Test them at least annually against realistic worst-case scenarios (e.g. an extended cyber-attack) to quantify the potential operational impact and to identify gaps that need uplift to strengthen resilience.
- Implement oversight of Material Service Providers (MSPs) – Maintain a register of MSPs (e.g. technology services, fund administration, risk management) and submit it to APRA annually. Conduct robust due diligence before outsourcing a critical operation; review service agreements; monitor and manage the associated third-party risks; and take reasonable steps to identify the fourth parties that MSPs rely on to support critical operations.
- Prioritise technology resilience – APRA sets clear expectations for technology resilience, mandating robust technology systems capable of supporting critical operations and risk management (see also Prudential Standard CPS 234 for information security). The age and health of information assets must be monitored, and disaster recovery plans must be integrated with BCPs.
Conclusion
Prudential regulations are a strategic safety net for your business, not a ‘ball and chain’; they should not hinder its ability to grow. As businesses prepare for the 1 July 2025 CPS 230 commencement date, they should ensure that the risk management processes they put in place will be manageable, cost-efficient and effective. AI and Machine Learning solutions are likely to play a growing role in operational risk management, and businesses will need to innovate in risk and compliance technology to keep ahead of a complex risk landscape and evolving regulatory requirements. Does your business have a risk and compliance technology strategy that supports business growth? Are your risk and compliance policies proportionate, agile and efficient?
Feel free to share your experiences or reach out if you’d like to discuss further.
About the author
Mark de Araujo is a Principal at ParagonFortis, a consultancy based in Sydney, Australia, specialising in risk and compliance solutions. We provide strategic insights and solutions to help organisations navigate the complex landscape of risk management and regulatory compliance.