Cross-industry Prudential Standard (CPS) 230 on operational risk management commenced application to banks, insurers and superannuation funds on 1 July 2025.

APRA-regulated entities that are non-significant financial institutions (non-SFIs) have an additional period of 12 months to 1 July 2026 on requirements relating to business continuity and scenario analysis. Background.

CPS 230 requires APRA-regulated entities to be well-prepared to ensure continuity of critical services to the community and respond to business disruptions by:

• identifying important business services and determining the extent to which these services can continue during severe disruptions;
• testing their business continuity planning to identify vulnerabilities to ensure they are positioned to overcome severe disruptions; and
• enhancing third-party risk management by ensuring risks from material service providers are identified and appropriately managed.

To meet the notification requirements of CPS 230 APRA has developed and released electronic forms that should be completed by entities when notifying APRA of the following:
• Operational Risk Incident (para 33)
• Breach of Critical Operation Tolerance (para 42)
• New or change to a material arrangement and/or offshoring (para 59 (a) and (b))

If you found this article helpful, then subscribe to our news emails to keep up to date and look at our video courses for in-depth training. Use the search box at the top right of this page or the categories list on the right hand side of this page to check for other articles on the same or related matters.

Author: David Jacobson
Principal, Bright Corporate Law
Email:
About David Jacobson
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.