Frontrow Technology

APRA — CPS 230

APRA CPS 230 readiness: the operational risk checklist for AU financial services in 2026

APRA Prudential Standard CPS 230 took effect 1 July 2025 — the operational risk management, critical operations, business continuity and third-party risk obligations, and the Microsoft 365 stack mapping for AU APRA-regulated entities.

Daniel Brown · Last reviewed 23 May 2026 · 8 min read

APRA Prudential Standard CPS 230 — Operational Risk Management — took effect 1 July 2025. It replaced CPS 232 (Business Continuity Management) and complements CPS 234 (Information Security). Where CPS 234 is cyber-specific, CPS 230 is the broader operational risk discipline: how the entity identifies its critical operations, sets tolerance levels for disruption, manages business continuity, and governs material service providers (including cloud providers and managed service providers). Twelve months in, APRA is now asking material questions about board-level oversight and the practical evidence of compliance. The standard has teeth.

The four pillars in summary

  1. Operational risk management — identify, assess, manage and monitor operational risks; integrate operational risk into broader risk management; report meaningfully to the board.
  2. Critical operations — identify the operations whose failure would have a material impact; document them in a register; set tolerance levels for disruption.
  3. Business continuity — maintain plans aligned to tolerance levels; test them; demonstrate that the entity can continue critical operations under disruption.
  4. Service providers — maintain a register of material service providers; assess and manage their risks; hold contractual rights including audit and termination; report material service provider relationships to APRA.

What's in scope as a material service provider

APRA's wording is intentionally broad. A service provider is material if the entity is reliant on the service to deliver a critical operation, or if the failure of the service provider would impact the entity's operations, financial position or reputation. In practice, that captures: cloud providers (Microsoft Azure, AWS, Google Cloud), managed service providers, payment processors, core banking platforms, and increasingly any SaaS vendor handling material data. Microsoft, as a hyperscaler running M365 and Azure, is a material service provider for every APRA-regulated entity that runs on it.

The Microsoft 365 + Azure mapping

  • Critical operations register — Microsoft Lists or Dataverse with a documented record-keeping schema; Purview Audit for the audit trail of changes.
  • Service provider register — same pattern, with Microsoft's compliance documentation (Service Trust Portal, the Microsoft Australia Privacy Act + APRA mapping documents) linked as evidence.
  • Business continuity testing — Azure Site Recovery for VM workloads, Microsoft 365 Backup for SharePoint/OneDrive/Exchange/Teams, documented runbooks in SharePoint with retention managed by Purview.
  • Operational risk monitoring — Microsoft Sentinel for cyber-adjacent operational risk telemetry; Power BI dashboards on top of the risk register for board reporting.
  • Third-party risk — Compliance Manager templates for CPS 234 already exist; the equivalent CPS 230 templates ship with the Microsoft Compliance Manager assessment library.

The board reporting cadence

CPS 230 explicitly requires board oversight of operational risk and critical operations. The expected cadence in mid-tier ADIs and insurers is quarterly reporting to the Risk Committee, with an annual deep dive on critical operations and material service providers. The practical Microsoft reporting stack is: Sentinel + Defender XDR security events feeding the cyber risk metric, Defender for Cloud Secure Score feeding the platform risk metric, Compliance Manager CPS 230 + 234 scores feeding the regulatory risk metric, all surfaced in a Power BI workspace that the Chief Risk Officer or Head of Operational Risk owns.

The 90-day readiness checklist if you are behind

  1. Confirm the critical operations register is current — interview business owners, not just IT.
  2. Confirm the material service provider register includes Microsoft, AWS or Google Cloud as the platform provider, not just SaaS vendors.
  3. Confirm BCP plans have been tested in the last 12 months for each critical operation, not just the IT disaster scenarios.
  4. Confirm tolerance levels exist for each critical operation — and that they are specific, not 'within reasonable time'.
  5. Confirm service provider termination plans exist — what happens if Microsoft Azure becomes unavailable for 7 days?
  6. Confirm the board has seen the operational risk profile in the last quarter — not just heard the CISO summary.


Score your CPS 234 readiness alongside CPS 230

CPS 230 and CPS 234 are companion standards. Score your CPS 234 posture as the starting point for the CPS 230 mapping.
