APRA Prudential Standard CPS 230 Operational Risk Management took effect 1 July 2025 across APRA-regulated entities in Australia — banks, insurers, super funds and the broader prudentially regulated sector. CPS 230 is the operational-risk counterpart to CPS 234 (information security): where CPS 234 governs how you protect information assets, CPS 230 governs how you operate critical business functions resiliently — including the technology systems they depend on. Most APRA entities had a 12-month grace period to formally embed the framework; that grace has now expired, and the first round of supervisory letters under the framework has been issued.
For any APRA-regulated entity running on Microsoft 365, Azure, or Microsoft Dynamics, CPS 230 has direct implications. The framework expects four named registers, scenario testing, and demonstrable business continuity — and the Microsoft tenant must be evidenced as part of the control set. Below is the readiness checklist for Microsoft 365 estates.
What CPS 230 actually requires
CPS 230 codifies five operational-risk pillars:
(1) Operational risk management framework: a documented framework covering identification, assessment, treatment and monitoring of operational risk.
(2) Critical operations register: the business activities the entity considers critical, the threshold being activities whose loss would materially affect customers, members or financial stability.
(3) Tolerance for disruption: for each critical operation, the maximum acceptable duration of disruption.
(4) Service provider register: every material service provider supporting a critical operation, each with a risk treatment plan.
(5) Scenario analysis and business continuity: scenarios tested at least annually, with BCP and recovery plans documented and tested.
Where Microsoft 365 fits in the registers
Microsoft 365 (Exchange Online, SharePoint Online, OneDrive, Teams) is almost always a material service provider for at least one critical operation in an APRA-regulated entity — usually customer communications, internal collaboration, and document management. Microsoft Entra ID is universally on the register as the identity provider supporting every critical-operation application. Microsoft Azure underpins many entity-specific applications. Each Microsoft service that supports a critical operation needs an entry in the service provider register with risk treatment.
The Microsoft 365 readiness checklist
1. Service provider register entries
- Microsoft 365 (Exchange Online, SharePoint Online, OneDrive, Teams) — categorise as material service provider; document the critical operations supported; risk treatment includes Microsoft's SOC 2 / ISO 27001 / IRAP attestations as third-party assurance.
- Microsoft Entra ID — identity provider for every critical-operation app. Material by definition.
- Microsoft Azure — for entity-specific applications running in Azure. Per-app entry.
- Microsoft Defender XDR and Microsoft Sentinel — security service providers; document monitoring coverage.
- Any third-party SaaS integrated with M365 (DocuSign, Salesforce, AdobeSign, etc.) supporting a critical operation — separate entry per provider.
2. Tolerance for disruption — Microsoft 365 outages
Microsoft's SLA on M365 is 99.9 percent uptime — roughly 8.76 hours of permitted unavailability per year. APRA's expectation is that critical operations have a documented tolerance for disruption. Define explicitly: what's the maximum we can be without Exchange before customer-facing service degrades meaningfully? What's the maximum without Teams before incident-response coordination is compromised? Document the tolerance, then check whether Microsoft's SLA falls inside it. For most APRA entities, the SLA is acceptable for the longest-tolerable single outage but does not cover repeated short outages or workload-specific incidents.
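The check described above, turned into a small script, as an added illustration that is not part of the original checklist: it converts an availability SLA into permitted downtime for a measurement window and compares that against each critical operation's documented tolerance. The operation names and tolerance values are constructed placeholders, not any entity's register; the window is a parameter because the downtime figure depends on whether the SLA is measured over a year (the page's 8.76 h figure) or a shorter period.

```python
"""Compare documented tolerances for disruption against a provider SLA.

Added illustration for the CPS 230 tolerance-for-disruption step. The
operations and tolerances below are constructed placeholders, not any
entity's actual register values; the SLA figure is the 99.9 % quoted on
the page.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 365 * 24   # 8760 h, the basis for the page's 8.76 h figure
HOURS_PER_MONTH = 30 * 24   # 720 h, a 30-day month, if the SLA is measured monthly


@dataclass(frozen=True)
class CriticalOperation:
    name: str                # entry from the critical operations register (placeholder)
    workload: str            # Microsoft service the operation depends on
    tolerance_hours: float   # maximum acceptable single disruption, per the register


def permitted_downtime_hours(sla_percent: float, window_hours: float) -> float:
    """Downtime an availability SLA permits within a window (e.g. a year)."""
    if not 0.0 <= sla_percent <= 100.0:
        raise ValueError("sla_percent must be between 0 and 100")
    return (100.0 - sla_percent) / 100.0 * window_hours


def assess(ops, sla_percent: float, window_hours: float = HOURS_PER_YEAR):
    """Return {operation name: (permitted downtime in hours, inside tolerance?)}.

    'Inside tolerance' means the downtime the SLA permits across the whole
    window fits within the operation's single-outage tolerance, which is the
    comparison the checklist asks for. A False result is a gap to treat in the
    service provider register (alternate workflow, OOB channel, etc.).
    """
    permitted = permitted_downtime_hours(sla_percent, window_hours)
    return {
        op.name: (round(permitted, 2), permitted <= op.tolerance_hours)
        for op in ops
    }


# Constructed sample register entries (placeholders, not real values).
CONSTRUCTED_REGISTER = [
    CriticalOperation("Customer email correspondence", "Exchange Online", 24.0),
    CriticalOperation("Incident coordination", "Teams", 4.0),
    CriticalOperation("Claims document retrieval", "SharePoint Online", 8.0),
]

if __name__ == "__main__":
    for name, (permitted, ok) in assess(CONSTRUCTED_REGISTER, 99.9).items():
        verdict = "inside tolerance" if ok else "EXCEEDS tolerance"
        print(f"{name}: SLA permits {permitted} h per window -> {verdict}")
```

Run as-is, the Exchange entry passes and the Teams and SharePoint entries fail, which is the situation the page describes: the headline SLA is fine for the longest-tolerable outage of some operations but not for the tighter ones, and those need a treatment beyond accepting Microsoft's SLA.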
3. Scenario analysis
CPS 230 expects scenario testing at least annually. The Microsoft-relevant scenarios to test: tenant-wide M365 outage (Microsoft has had multi-hour outages), regional Azure outage affecting the entity's Azure-hosted apps, Entra ID identity outage (most-impactful — affects every app federated to Entra), ransomware encrypting M365 data, insider abuse of a privileged Entra role. Each scenario needs a documented run-through with business and IT, an after-action review, and updates to the BCP.
4. Business continuity — Microsoft 365 specifics
- Microsoft 365 backup — Microsoft's native retention does not constitute a backup for CPS 230 purposes. Deploy a third-party M365 backup (AFI, Veeam, Spanning, Druva) covering Exchange, SharePoint, OneDrive and Teams.
- Break-glass identity — two break-glass Global Admin accounts with phishing-resistant MFA, credentials physically secured, monitored for any sign-in, and tested quarterly.
- Out-of-band communications — Microsoft 365 cannot be the only communications channel during an M365 outage. Document an OOB channel (SMS distribution, third-party notification tool, or a competing comms platform for the duration of the incident).
- Documented restore runbook — for each critical operation, the documented restore path. Where the Microsoft service is the bottleneck (e.g. SharePoint outage), the restore path may involve switching to alternate sites or temporary workflows.
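The break-glass item above says the accounts must be monitored for any sign-in. The following added example (not code from the page, from Frontrow Technology or from Microsoft) shows the detection logic over constructed Entra ID sign-in log records in newline-delimited JSON, using the real field names of the sign-in log schema (userPrincipalName, createdDateTime, ipAddress, appDisplayName, status.errorCode). The account names and tenant domain are placeholders; a successful and a failed attempt are both included because either must be explained by the operations team.

```python
"""Flag any sign-in, successful or failed, by a break-glass account.

Added illustration for the break-glass monitoring item. The log lines
below are constructed in the shape of Entra ID sign-in log events; the
break-glass UPNs and the domain are placeholders for the entity's own.
"""
import json
from datetime import datetime

# Placeholder break-glass UPNs; the real ones come from the entity's own records.
BREAK_GLASS_ACCOUNTS = {
    "bg-admin-01@contoso.example",
    "bg-admin-02@contoso.example",
}

# Constructed sample events, one JSON object per line, as a log export might look.
SAMPLE_SIGNIN_LOG = """\
{"createdDateTime":"2026-02-03T01:12:44Z","userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.10","appDisplayName":"Microsoft Teams","status":{"errorCode":0}}
{"createdDateTime":"2026-02-03T02:40:05Z","userPrincipalName":"BG-Admin-01@contoso.example","ipAddress":"198.51.100.7","appDisplayName":"Azure Portal","status":{"errorCode":0}}
{"createdDateTime":"2026-02-03T02:41:30Z","userPrincipalName":"bg-admin-02@contoso.example","ipAddress":"198.51.100.9","appDisplayName":"Azure Portal","status":{"errorCode":50126}}
{"createdDateTime":"2026-02-03T03:05:00Z","userPrincipalName":"bob@contoso.example","ipAddress":"203.0.113.11","appDisplayName":"Office 365 Exchange Online","status":{"errorCode":0}}
"""


def parse_signin_events(text: str) -> list:
    """Parse newline-delimited JSON sign-in events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a bad line must not silence the rest of the feed
    return events


def break_glass_signins(events: list, accounts=BREAK_GLASS_ACCOUNTS) -> list:
    """Return one alert per event whose UPN is a break-glass account.

    UPN comparison is case-insensitive, since UPNs are not case-sensitive in
    Entra ID. Failed attempts (non-zero status.errorCode) are reported too: an
    unexplained failed attempt against a break-glass account is itself a finding.
    """
    wanted = {a.lower() for a in accounts}
    alerts = []
    for ev in events:
        upn = ev.get("userPrincipalName", "").lower()
        if upn not in wanted:
            continue
        code = ev.get("status", {}).get("errorCode", -1)
        alerts.append({
            "time": datetime.fromisoformat(ev["createdDateTime"].replace("Z", "+00:00")),
            "account": upn,
            "ip": ev.get("ipAddress"),
            "app": ev.get("appDisplayName"),
            "succeeded": code == 0,
        })
    return alerts


if __name__ == "__main__":
    for alert in break_glass_signins(parse_signin_events(SAMPLE_SIGNIN_LOG)):
        outcome = "SUCCESS" if alert["succeeded"] else "FAILED"
        print(f"{alert['time'].isoformat()} {outcome} {alert['account']} from {alert['ip']} to {alert['app']}")
```

In a tenant that has wired Entra ID sign-in logs into Microsoft Sentinel, as section 5 recommends, the same logic belongs in an analytics rule over the SigninLogs table rather than a script, with the alert routed to the incident management channel so that every hit, including the quarterly test, is reconciled against an approved use.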
5. Monitoring — Microsoft service health and security signals
Wire Microsoft Service Health alerts to the incident management channel. Microsoft Sentinel ingestion of Defender XDR, Azure Activity and Entra ID sign-in logs gives the security operations team visibility. The APRA notifiable-cyber-incident pathway (CPS 234) is documented separately but operates from the same signal set.
What APRA supervisors are asking for
Early supervisory feedback on CPS 230 in 2026 has surfaced consistent themes. Supervisors want to see the registers as living documents, not annual artefacts. They expect scenario analysis to be specific (named scenarios, named participants, named decisions), not generic (a table-top BCP run-through). They look for evidence that material service provider risk treatments are actually monitored — not just signed-off attestations from the provider, but ongoing monitoring of incidents, outages and security events. For Microsoft 365 specifically, supervisors are looking for tenant-specific tolerance for disruption, not just acceptance of Microsoft's general SLA.
How CPS 230 interacts with CPS 234
CPS 234 covers information security; CPS 230 covers operational risk and resilience. They overlap on cyber incidents — a ransomware incident is both an information security event (CPS 234) and a critical-operation disruption (CPS 230). APRA's expectation is that both frameworks are exercised through the same incident — not a separate cyber incident process and separate operational risk process. Pair them in your scenario tests.
Microsoft 365 control evidence map for CPS 230
Most CPS 230 controls map onto Microsoft 365 capabilities that the tenant has already paid for: Entra ID conditional access, PIM, sign-in logs as identity-control evidence; Defender XDR and Sentinel as monitoring evidence; Purview audit log retention as change-history evidence; third-party backup as restore evidence; Microsoft Service Health as outage evidence. The work is wiring these into the operational risk framework, not buying new tools.
Score the underlying control posture
CPS 230 evidence assumes a baseline Microsoft 365 control posture. Score where you sit on Essential Eight as the foundation.
Where are you on the Essential Eight — honestly?
Eight strategies. Four levels each. Pick the statement closest to your reality today. We'll map it to the Microsoft 365 tooling that closes the gap.
- 01 Application control: only approved applications can execute on workstations and servers.
- 02 Patch applications: internet-facing apps, browsers, Office and PDF readers patched promptly.
- 03 Microsoft Office macros: macros disabled unless from trusted locations and signed by a trusted publisher.
- 04 User application hardening: web browsers and productivity apps hardened against the most common attacks.
- 05 Restrict administrative privileges: admin accounts limited, separated and reviewed — the crown jewels of the tenant.
- 06 Patch operating systems: operating system patches applied on a schedule that matches the risk.
- 07 Multi-factor authentication: MFA everywhere that matters — privileged accounts, remote access, important data.
- 08 Regular backups: backups of important data, configuration and software — and restores you have actually tested.
Score NDB readiness
The cyber-incident pathway under CPS 230 ties to NDB scheme obligations. Score readiness.
Notifiable Data Breach Readiness Check
Under the NDB scheme you have 30 days from awareness to assess whether a breach is notifiable, and you must then notify OAIC and affected individuals as soon as practicable. Score whether your Microsoft 365 tenant can detect, scope, notify, remediate and improve fast enough to meet the clock. Pick the option closest to your tenant today.
Domain 1: Detect
Mean time to detect a personal information breach. Without detection, the 30-day clock never starts and the breach gets discovered when an affected individual raises it.
What's your estimated mean time to detect a personal-information breach in your M365 tenant?
Source: OAIC Notifiable Data Breaches Report (median discovery times); Microsoft Learn: Microsoft Defender XDR.
What's your Purview Audit log retention?
Source: Microsoft Learn: Microsoft Purview Audit (Premium); Audit log retention policies.
Domain 2: Scope
How quickly you can determine which individuals' personal information was accessed, exfiltrated or modified. The scoping work is what feeds the OAIC notification.
Can you reconstruct the scope of a data exposure (which files accessed, by whom, exfiltrated where) within 7 business days?
Source: Microsoft Learn: Microsoft Purview eDiscovery (Premium); Microsoft Defender for Cloud Apps file investigation.
Can you determine which categories of personal information were involved (health, financial, government identifier) without a manual file-by-file review?
Source: Microsoft Learn: Microsoft Purview sensitive information types; Trainable classifiers in Microsoft Purview.
Domain 3: Notify
Whether you have a documented notification flow, OAIC contact established, communications templates ready, and legal review pre-arranged.
Do you have a documented notifiable data breach response runbook covering OAIC notification, individual notification and stakeholder communications?
Source: OAIC Notifiable Data Breaches scheme — entity guidance; Privacy Act 1988 s 26WK (notification timing).
Are individual notification templates pre-drafted and legally reviewed?
Source: OAIC: Notifying individuals about an eligible data breach; Privacy Act 1988 s 26WL.
Domain 4: Remediate
Whether the organisation can contain the breach (rotate credentials, revoke tokens, disable accounts, isolate devices) within hours, and preserve evidence for forensic analysis.
Do you have containment runbooks for the common breach patterns (compromised user, compromised service principal, compromised endpoint)?
Source: Microsoft Learn: Investigate and respond to incidents in Microsoft Defender XDR; Microsoft Sentinel automation rules and playbooks.
How is evidence preserved during containment to support OAIC investigation and post-incident review?
Source: Microsoft Learn: Microsoft Purview Audit; Microsoft Defender for Endpoint live response; ISO 27037 digital evidence handling.
Domain 5: Continuous improvement
Whether tabletop exercises run, post-incident reviews update controls, and OAIC published trends inform internal control updates.
When did you last run a tabletop exercise for a notifiable data breach scenario?
Source: OAIC Notifiable Data Breaches Report (sectoral trends); ASD Cyber Incident Response Plan guidance.
After a real or simulated incident, how are control updates tracked through to closure?
Source: ASD Cyber Incident Response Plan guidance; ISO 27035 information security incident management.
This is an indicative self-assessment. It is not a substitute for an incident readiness exercise or legal advice. Frontrow Technology offers a Notifiable Data Breach readiness review with a tabletop exercise.