The Myth of Resilience: How CPS 230 Isn’t Enough for Operational Resilience


CPS 230: Operational Risk Management, the new Australian prudential standard issued by APRA, came into effect on 1 July 2025. It aims to raise the bar for operational risk and resilience across the banking, insurance, and superannuation industries (APRA, 2023). While CPS 230 is a welcome consolidation and strengthening of the previous CPS 231 (Outsourcing) and CPS 232 (Business Continuity Management), it risks becoming mere “check-box” compliance without deep cultural change.

In this blog, we discuss why CPS 230 is necessary but not sufficient for real operational resilience. The ultimate resilience of an institution depends on people, processes, and cultural habits, not just regulatory frameworks.

The CPS 230 framework should be treated as the minimum operational resilience baseline. Instead of relying solely on frameworks, institutions must focus on building capabilities and muscle memory. The key to building a culture of resilience is empowering people to act decisively in times of uncertainty, not just producing resilient-looking plans.

CPS 230 in Focus: Response to Operational Failures

The new CPS 230 did not come about in isolation. APRA (2023) states, “Establishing an operational resilience framework will assist entities in preventing, containing, and recovering from incidents” (p.2). This comes in response to a series of major operational disruptions at Australian institutions and internationally:

  • Optus nationwide outage (2023) – complete loss of mobile network services across Australia for 10 million+ customers due to the failure of a single third-party provider.
  • Latitude Financial breach (2023) – exfiltration of 14.4 million records, with weak third-party cyber controls and no formal incident escalation process.
  • Medibank data breach (2022) – 9.7 million+ records exposed and held for ransom due to poor preparedness and detection.

The aftermath of these events revealed a clear gap between perceived resilience and actual readiness (MinterEllison, 2024). While banks and insurers built business continuity and recovery capabilities, they did not embed sufficient prevention and containment. This is because resilience is as much about people as it is about frameworks.

The critical point here is that CPS 230 aims to bridge the gap between formal governance frameworks and on-the-ground capability to respond to adverse events. However, whether institutions use the opportunity to create living resilience muscle memory, not just impressive policy documents, remains to be seen.

Framework vs. Ground-Truth: Compliance ≠ Capability

Consolidating the earlier CPS 231 (Outsourcing) and CPS 232 (Business Continuity) frameworks into one standard (along with select elements from CPS 220 Risk Management) is a positive move by APRA (KPMG, 2022). It creates a clearer, cross-industry operating model with:

  • Defined board-level oversight.
  • Clearer reporting and information flows.
  • Uniform third-party risk management expectations.
  • Rigorous resilience controls and testing.

A key benefit of a single integrated framework like CPS 230 is that APRA can engage with entities across industries on a common theme – “operational resilience” (APRA, 2023, p.2). However, as this new standard gets operationalised, Escode (2025) stresses the danger of firms meeting minimum expectations and then declaring victory.

CPS 230 is intentionally principle-based, leaving scope for entities to interpret what success looks like. The risk here is that firms establish resilient-looking controls, policies, registers, and incident management tools that exist only on paper. Instead, as per APRA’s guidance (2023), they should focus on capabilities that function under real stress.

The Difference between Compliance and Resilience

Compliance is about having controls in place. Resilience is about being able to perform under stress. In a checklist world, ticking the compliance box is easy. Creating resilient muscle memory that functions when fire alarms ring is hard.

The challenge with any standards or regulatory oversight is that they cannot capture everything. Even the most detailed cybersecurity frameworks miss edge cases and unique attack vectors. This is a truism of human affairs and not the failing of any regulator. However, the culture of check-box compliance must not become an excuse for carelessness at the edges.

A Delusion of Compliance

Regulatory compliance, in reality, has often become a race to the bottom in ticking boxes. After the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (2019) in Australia, many financial institutions rushed to appear “better” by improving processes but did not meaningfully transform.

There is a real danger that CPS 230 could trigger the same race to the bottom. Instead of embedding learning and muscle memory for resilience, institutions can end up creating boxes that merely appear to have been ticked.

APRA recognises the risk of institutions creating compliance mechanisms to check boxes but not prevent incidents (2023). The recent CPS 230 guide by PwC Australia (2025) on building resilient cultures that last beyond check-box compliance highlights this tension. Both stress the need for leadership-driven cultural habits as well as rigorous frameworks to deliver real resilience.


The Looming Third-Party Risk Trilemma

One key benefit of CPS 230 (Section 46) is the new formal expectations for third-party oversight (APRA, 2023). Entities must maintain a register of material service providers, perform due diligence, and monitor risks across the supply chain, including fourth parties. The significance of this reform cannot be overstated.

Modern financial institutions have shifted substantial business-critical operations to material service providers in technology, cloud, infrastructure, payments, and more. However, it raises an open question:

Can financial institutions that outsource to cloud giants like Amazon Web Services or Microsoft Azure really have ultimate control and oversight of these firms?

As per Escode (2025) and Battleground (2025), global firms setting up in Australia may view the CPS 230 third-party requirements as a reputational risk. The buck will ultimately stop with banks and insurers, but their limited control over global critical service providers may create perverse risk incentives. If a single incident such as a cloud outage can shut down multiple institutions at once, then resilience is a myth in such concentrated dependency chains.

Is CPS 230 Enough? International Benchmarking

CPS 230 is a strong framework by international standards. It sets out a holistic view of business continuity, governance, and service provider risk management aligned with international guidance from NZSR 231 (NZFSB), BCBS 319, and BSBG (APRA, 2023). However, compared to global guidance like the NIST Cybersecurity Framework (US), ISO 27001 (ISO), and SOC 2 (US), CPS 230 lags, particularly in cybersecurity resilience (MinterEllison, 2024). For international institutions, this creates a potential mismatch.

Meeting APRA and CPS 230 compliance for continuity and operational resilience may not satisfy global counterparts and partners. This leads to an open question: Is CPS 230 sufficient for building resilience that lasts, or is it merely local compliance parochialism?

Real-Life Resilience: Lessons from Crisis

Let us look at some of the critical events in recent years and how actual resilience, not just regulatory compliance, ultimately determined outcomes:

  • Colonial Pipeline (US, 2021): Despite regulatory compliance, the company showed a lack of resilience in practice when ransomware shut down its pipelines and caused fuel shortages across several states.
  • Medibank breach (Australia, 2022): Robust compliance and regulatory mechanisms were in place. However, cultural and operational gaps led to the exposure of 9.7 million+ records.
  • Optus (Australia, 2023): A single point of failure led to a national network outage affecting 10 million+ customers and disrupting critical services. What was lacking was operational resilience, not design compliance.

The critical point in all these real-world events is that true resilience is determined by people and culture, not by formal frameworks. Even the best risk and compliance frameworks can turn out to exist only on paper once they are breached. Informal capabilities built over years through testing, embedding best practices, and rewarding transparency, however, can succeed.

In summary, APRA’s new CPS 230 is a positive and much-needed reform. It consolidates, strengthens, and modernises previous prudential requirements on outsourcing, third parties, and business continuity. As cross-industry guidance, it is a significant step forward from previous standards focused on individual activities.

However, unless institutions go beyond regulatory compliance to building resilient muscle memory across the workforce, CPS 230 risks becoming an empty resilience myth. The danger of compliance is that once you think you are done, complacency sets in. The real test of CPS 230 will be how firms navigate the next big disruption in the coming years. The proof of resilience will be whether institutions that look good on paper perform well when it matters.

Need help navigating CPS 230 and ensuring real operational resilience? Contact Ampcus Cyber to discuss how we can help you go beyond compliance.
