What CPS 230 does
CPS 230 outlines a structured approach to operational risk management, encompassing governance, risk assessment, mitigation strategies, and ongoing monitoring. It’s built around four core pillars: operational risk management, identification and management of critical operations, business continuity planning, and third-party risk management. The standard aims to ensure financial institutions maintain resilience and minimise the impact of operational failures. It requires documented processes, clear accountability, and regular review of operational risk profiles.
CPS 230 in Australian tenants today
Australian mid-market financial institutions must now consider CPS 230’s requirements when evaluating their technology and service provider arrangements. The standard mandates registration of material service providers and sets expectations for tolerance levels related to critical operations. Cloud providers, including Microsoft, and managed service providers delivering services to APRA-regulated entities are considered third parties and fall squarely within the scope of CPS 230. Alignment with the Australian Voluntary AI Safety Standard is also increasingly relevant given the growing use of AI in operational processes.