Frontrow Technology

Free tool · 5 minutes · APRA CPS 230

APRA CPS 230 Readiness

CPS 230 took effect on 1 July 2025. APRA’s expectation is documented evidence, not aspiration. Score your readiness across operational risk management, critical operations, business continuity and material service provider risk in five minutes.

8 questions · 4 domains

APRA CPS 230 Operational Risk Readiness

Score your APRA CPS 230 readiness across operational risk management, critical operations, business continuity and material service provider risk. The standard took effect 1 July 2025 and APRA's expectation is documented evidence of compliance, not aspiration.

Domain 1

Operational risk management

Risk identification, assessment and reporting; integration with the broader risk management framework; board-level oversight of operational risk.

  • Is operational risk reported to the board separately from other risk types?

    Source: APRA CPS 230 paragraphs 19–24.

  • Is there a documented operational risk appetite statement approved by the board?

    Source: APRA CPS 230 paragraphs 19–24; CPG 230 guidance.

Domain 2

Critical operations

Definition and documentation of critical operations, tolerance levels for disruption, dependency mapping, recovery time objectives.

  • Is there a documented register of critical operations with named owners?

    Source: APRA CPS 230 paragraphs 25–30.

  • Are tolerance levels for disruption documented and measurable?

    Source: APRA CPS 230 paragraph 28.

Domain 3

Business continuity

BCM plan currency, alignment to critical operations tolerance levels, testing cadence, scenario coverage including cyber-incident scenarios.

  • When was the BCM plan last tested with a documented exercise?

    Source: APRA CPS 230 paragraphs 31–36.

  • Do BCM scenarios include severe but plausible cyber-incident scenarios?

    Source: APRA CPS 230 + CPS 234 companion expectations.

Domain 4

Material service providers

Service provider register, materiality assessment, contractual rights including audit and termination, concentration risk monitoring, APRA notification of new material arrangements.

  • Is there a register of material service providers maintained and reported to APRA?

    Source: APRA CPS 230 paragraphs 38–46.

  • Are contractual rights (audit, termination, exit assistance) in place for material service providers?

    Source: APRA CPS 230 paragraphs 40–45.

This is an indicative self-assessment. It is not legal or regulatory advice. For verified results Frontrow runs a CPS 230 + 234 readiness review against your tenant configuration and policy documentation.

What the check covers

Four pillars. One readiness posture.

Pillar 1

Operational risk management

CPS 230 expects operational risk to be a board-visible, separately-reported discipline — not a sub-line of cyber. The risk register, the risk appetite, and the reporting cadence to the board all sit here.

Pillar 2

Critical operations

An entity must identify which operations are critical (failure has material impact on customers, financial position, or the financial system), and set tolerance levels — measured, defensible, not 'best efforts'.

Pillar 3

Business continuity

CPS 230 BCM replaces CPS 232. Plans must be tested annually with scenarios that include severe but plausible cyber-incident, third-party failure, and people-availability disruption. Test results feed back into the plan.

Pillar 4

Material service providers

The service provider pillar is where most AU APRA-regulated entities have the largest gap. Microsoft and AWS are material service providers for almost every modern ADI and insurer. The register, the contractual flow-down, and the termination plan all need to be APRA-evidence-grade.

Frequently asked questions

What APRA-regulated entities ask.

What is APRA CPS 230?

APRA Prudential Standard CPS 230 — Operational Risk Management — took effect on 1 July 2025. It replaces CPS 232 (Business Continuity Management) and complements CPS 234 (Information Security). Where CPS 234 is cyber-specific, CPS 230 is the broader operational risk discipline: how the entity identifies its critical operations, sets tolerance levels for disruption, manages business continuity, and governs material service providers (including cloud and managed service providers).

Who does CPS 230 apply to?

APRA-regulated entities: Authorised Deposit-taking Institutions (ADIs — banks, credit unions, mutuals), general and life insurers, private health insurers, and Registrable Superannuation Entities (RSE licensees). The standard applies in full to all of these. Subsidiaries and related entities of regulated groups also fall in scope where they provide material services to the regulated entity.

What's the difference between CPS 230 and CPS 234?

CPS 234 (Information Security) is the cyber-security-specific standard. CPS 230 is the broader operational risk discipline. CPS 230 covers cyber-incident scenarios in its BCM requirements and material service providers in its third-party governance, but it also covers people availability, process failures, third-party outages, and physical incidents. The two standards complement each other, and in practice mid-tier-to-large AU entities run both together as one compliance posture.

What is a material service provider under CPS 230?

APRA's wording is intentionally broad. A service provider is material if the entity is reliant on the service to deliver a critical operation, or if the failure of the service provider would impact the entity's operations, financial position or reputation. In practice that captures: cloud providers (Microsoft Azure, AWS, Google Cloud), managed service providers, payment processors, core banking platforms, and increasingly any SaaS vendor handling material data. Microsoft, as a hyperscaler running M365 and Azure, is a material service provider for every APRA-regulated entity that runs on it.

What does APRA expect to see in a CPS 230 review?

Documented evidence, not aspiration. APRA wants to see: a current critical operations register with named owners and tolerance levels; a current material service provider register with materiality assessments and concentration risk analysis; a current BCM plan tested in the last 12 months with documented exercise outcomes; board-level operational risk reporting with KRIs and trend analysis; and a documented risk appetite statement reviewed annually.

How does Microsoft 365 help with CPS 230 evidence?

Practical mapping:

  • Critical operations register in Microsoft Lists / Dataverse with a Purview audit trail.

  • Service provider register in the same pattern, with Microsoft's compliance documentation (Service Trust Portal) linked as evidence.

  • BCM testing via Azure Site Recovery for VM workloads plus Microsoft 365 Backup for SharePoint/OneDrive/Exchange/Teams.

  • Operational risk telemetry via Microsoft Sentinel and Defender XDR for cyber-adjacent operational risk events.

  • Board reporting via Power BI dashboards built on top of the risk register.

What is the Frontrow CPS 230 readiness review?

A documented review against CPS 230 + CPS 234 expectations. Output: gap report against each standard's paragraphs, prioritised remediation plan with named owners and target dates, draft board reporting templates, and the Microsoft stack evidence map. Most engagements take 4-6 weeks for a mid-tier APRA entity. Indicative pricing on request.

How is this self-assessment validated?

Every scoring threshold cites a primary source: APRA CPS 230 standard paragraphs, CPG 230 guidance, or CPS 234 companion expectations. Methodology authored by Daniel Brown (5x Microsoft MVP), Graeme Lodge (Managing Director), and Sam Williams (Investor & Executive Consultant). This is not legal or regulatory advice — for material readiness questions, engage an APRA-experienced legal advisor or risk consultant.