APRA Prudential Standard CPS 230
APRA's operational-risk-management standard, including business continuity and service-provider management obligations.
What CPS 230 actually is.
CPS 230 consolidates and strengthens APRA's expectations on operational risk - including resilience of critical operations, management of service provider arrangements, and scenario testing of recovery against severe-but-plausible disruption. For cybersecurity programs, the tie-in is strong: cyber incidents sit inside operational risk, and "critical operations" must be identified and their disruption tolerances documented, measured and tested. Boards approve tolerances; internal audit provides independent assurance.
It applies to all APRA-regulated entities - ADIs, insurers and superannuation trustees (RSE licensees). Non-significant financial institutions had an additional 12-month transition window.
The control areas the framework covers.
Summary of the control families and outcomes the framework drives. Always validate against the official publication for the authoritative wording.
- 01 Critical operations: identify operations whose disruption would have a material adverse impact on beneficiaries, members, policyholders or the financial system.
- 02 Tolerance for disruption: establish, and have the Board approve, tolerance levels for each critical operation (maximum period and extent of disruption).
- 03 Scenario testing: regularly test the ability to operate within tolerance through severe-but-plausible scenarios.
- 04 Service provider management: maintain a register, undertake due diligence, manage service-provider risk and notify APRA of material arrangements.
- 05 Business continuity plan: maintain a Board-approved plan aligned to critical operations and tolerances.
- 06 Operational risk incidents: notify APRA of operational-risk incidents likely to have a material impact and maintain an incident register.
Read it from the issuing body.
For anything with a regulator or certification body behind it, the authoritative text is what counts - not our summary.
APRA Prudential Standard CPS 230
apra.gov.au/operational-risk-management
Content on this page is a plain-language summary for programme planning. It is not legal or regulatory advice, and it does not replace a current copy of the issuer's publication.
How Vectra delivers against CPS 230.
Assessment, engineering and operational services that line up with the framework's control areas.
Red & Purple Team Operations
Intelligence-led adversary simulation measured in MITRE ATT&CK coverage, detection latency and response gaps - not CVSS scores.
Incident Response Retainer
Contracted response hours with defined SLAs - containment in minutes, not days.
Managed Detection & Response
Sovereign Australian XDR powered by nine global SOCs, AWS Australia hosting and 24x7 human-verified response.
Virtual CISO
Fractional security leadership embedded with your executive team.
Where CPS 230 shows up.
Sectors where Vectra most commonly applies this framework.
Security, engineered around you.
Talk to an engineer - not a call centre. Most Vectra conversations start with a 30-minute technical briefing and end with a written plan.