§25 · Lane 7 — Australian Regulatory Primary Instruments
APRA CPS 230 / CPG 230 — Operational Risk Management: operational risk obligations as executable controls
APRA (2023, amended 2026) · CPS 230 / CPG 230
Bibliographic data
- Title: APRA Prudential Standard CPS 230 (effective 1 July 2025; targeted amendments 30 April 2026) — Operational Risk Management; and Prudential Practice Guide CPG 230
- Authors / Issuing body: Australian Prudential Regulation Authority (APRA)
- Venue / Publisher: Australian Prudential Regulation Authority
- Year: 2023
- Designation: Regulatory
- Licence: Stable URL — refer to publisher for full licence terms.
- Canonical link: https://www.apra.gov.au/operational-risk-management
How to cite
APRA (2023, amended 2026). APRA Prudential Standard CPS 230 (effective 1 July 2025; targeted amendments 30 April 2026) — Operational Risk Management; and Prudential Practice Guide CPG 230. Australian Prudential Regulation Authority. https://www.apra.gov.au/operational-risk-management.
Cross-industry prudential standard for operational risk management applying to all APRA-regulated entities — ADIs, insurers and superannuation trustees. It requires boards to maintain operational risk management capability, business continuity, and service-provider management, including a register of material service providers and notification of operational risk incidents. CPG 230 sets out APRA's stated implementation expectations.
Why it matters for NETEVO
APRA Prudential Standard CPS 230 is the cross-industry operational risk standard that binds every APRA-regulated board — ADIs, insurers, superannuation trustees. It requires boards to maintain operational risk management capability, business continuity, and service-provider management, including a register of material service providers. Three features of the standard bear directly on how those obligations can be engineered rather than merely documented.
Three-Lines-of-Defence shape. CPS 230 is architecturally Three-Lines-of-Defence-shaped: operational risk management at the front line, risk oversight in the middle, internal audit assurance at the back. Its notification obligations — operational risk incidents (paragraph 33), breach of tolerance for a critical operation (paragraph 42), and material service-provider arrangements (paragraph 59) — define the regulator-readable form of the signals an engineered control emits at runtime. Where authorisation policy is expressed in a language such as Cedar, CPS 230 is the prudential surface the resulting controls must report against.
Targeted amendments of 30 April 2026. APRA released targeted amendments to CPS 230 on 30 April 2026 that narrow specific contractual requirements for material arrangements with non-traditional service providers and clarify CPG 230 expectations. The updated standard and practice guide commence on 1 July 2026, so any reading of CPS 230 turns on which version was in force at the relevant date.
Board obligations that connect to the wider governance stack. CPS 230's board obligations cascade directly into the governance scope of ISO/IEC 38507:2022 and into the directors' duties analysis in Directors' Duties and AI Regulation. CPS 230 is the prudential-regulation expression of what those framework-level and academic treatments address at higher altitudes — the standard against which APRA-regulated boards are assessed on operational competence.
Where NETEVO applies this
- AI Governance in ANZ Whitepaper — central prudential citation
- Listed Leaders ICP — APRA-regulated boards — CPS 230 vocabulary