APRA CPS 230 is a prudential standard on operational risk management. It is not simply an outsourcing standard. It requires APRA-regulated entities to manage operational risk, maintain critical operations through disruption, and manage risks from service providers.
Official sources
- APRA Operational Risk Management page
- APRA Prudential Standard CPS 230 Operational Risk Management PDF
The CPS 230 PDF states that the aim of the standard is to ensure an APRA-regulated entity is resilient to operational risks and disruptions. It says an entity must effectively manage operational risks, maintain critical operations through disruptions, and manage risks arising from service providers.
What CPS 230 is trying to do
CPS 230 is APRA's move toward a more integrated view of operational risk. Instead of treating outsourcing, business continuity, and operational risk as separate compliance activities, the standard brings them together. The regulated entity needs to know what operations are critical, what could disrupt them, which controls prevent or limit disruption, which service providers are material, and how the entity would continue operating under stress.
The core question is: can the entity continue critical operations within tolerance during severe disruption, and can it show that the control environment is managed?
What CPS 230 covers
CPS 230 covers:
- operational risk governance and accountability;
- operational risk profile and control environment;
- critical operations and tolerance levels;
- business continuity planning;
- scenario testing and disruption preparedness;
- material service providers;
- service provider management policy and agreements;
- monitoring, issue remediation, and reporting;
- board and senior management oversight.
What entities need to operationalize
An APRA-regulated entity needs a map of critical operations and their dependencies. That map should include people, process, technology, data, facilities, internal teams, service providers, fourth parties, and manual workarounds. It should also show tolerance levels and recovery expectations.
For material service providers, the entity needs a provider management process that covers due diligence, agreements, monitoring, issue management, continuity, and exit. The provider record should connect back to the critical operation it supports.
Evidence teams should maintain
- Operational risk management framework and governance records.
- Critical operations register and tolerance analysis.
- Dependency maps for people, process, technology, data, facilities, and providers.
- Material service provider register, assessments, contracts, and monitoring records.
- Business continuity plans, scenario tests, recovery exercises, and remediation evidence.
- Operational risk incidents, control failures, issues, and root-cause records.
- Board, committee, and management reporting on operational risk and resilience.
Common gaps
- Critical operations are named, but the dependency map is not deep enough to support disruption response.
- Material service provider records are not connected to tolerance levels or business continuity plans.
- Scenario tests validate documents rather than realistic provider, cyber, data, and recovery failures.
- Operational risk issues are tracked separately from provider issues, making reporting incomplete.
- Management reporting focuses on completion status rather than whether the entity can remain within tolerance during disruption.
How Halbarad helps
Halbarad helps CPS 230 teams connect operational risk, service provider risk, and resilience evidence. A CPS 230 program needs a live map of critical operations, providers, fourth parties, systems, incidents, issues, contracts, continuity evidence, and remediation.
Halbarad can help teams:
- map material service providers to critical operations and business owners;
- identify downstream providers and concentration exposure through Nth-Party Discovery;
- use Spark Assessment to build initial provider evidence from public sources and attestations;
- monitor outages, incidents, advisories, trust-center changes, and provider material changes;
- track continuity evidence, scenario-test findings, issues, remediation, approvals, and reporting;
- preserve an audit trail showing how resilience decisions were made and updated.
Halbarad helps operationalize and evidence CPS 230 work. It does not replace APRA standards, prudential interpretation, or entity-specific legal and compliance review.
Disclaimer
This guide is for general information only and is not legal advice. Review the official regulation, guidance, and supervisory materials, and consult qualified counsel or compliance advisors for your organization's specific obligations.