APRA CPS 230 / CPG 230 — Operational Risk Management

Why it matters for NETEVO

APRA Prudential Standard CPS 230 is the cross-industry operational risk standard that binds every APRA-regulated board — ADIs, insurers, superannuation trustees — and is the load-bearing prudential anchor for the forthcoming CPS 230 executable-edge-controls insight. Three consequences for NETEVO follow.

Three-Lines-of-Defence shape, paired with the AU Three Lines academic substrate. CPS 230 is architecturally Three-Lines-of-Defence-shaped: operational risk management at the front line, risk oversight in the middle, internal audit assurance at the back. The paragraphs on incident notification (para 33), critical-operation tolerance breach (para 42), and material-arrangement notification (para 59) are the regulator-readable form of the runtime telemetry the executable-edge-controls thesis argues for. Cedar is the policy language; CPS 230 is the regulator surface the policy delivers against.

Latest-version citation discipline after the 30 April 2026 targeted amendments. APRA released targeted amendments to CPS 230 on 30 April 2026 that narrow specific contractual requirements for material arrangements with non-traditional service providers and clarify CPG 230 expectations. The updated standard and practice guide commence 1 July 2026. Any NETEVO drafting against CPS 230 cites the latest version unless the citation refers expressly to a pre-amendment moment in time.

Board cascade into ISO/IEC 38507 and the director-duty academic substrate. CPS 230's board obligations cascade directly into ISO/IEC 38507:2022 governance scope and into the Directors' Duties and AI Regulation academic substrate. CPS 230 is the prudential-regulation expression of what those framework-level and academic-level artefacts frame at higher altitudes — the standard against which APRA-regulated boards are scored on operational competence.