CPS 230

Prudential Standard CPS 230 Operational Risk Management is issued by the Australian Prudential Regulation Authority (APRA) and commences on 1 July 2025. It applies to all APRA regulated entities, which includes authorised deposit-taking institutions, general insurers, life companies, private health insurers and registrable superannuation entity licensees, as well as certain holding companies of some of these entities.

CPS 230 includes provisions relating to:

  • key principles of operational risk management;

  • risk management frameworks;

  • risk management roles and responsibilities;

  • operational risk management;

  • business continuity; and

  • management of service provider arrangements.

CPS 230 will replace a number of existing APRA prudential standards, including CPS 231, SPS 231 and HPS 231 (which deal with outsourcing) and CPS 232 and SPS 232 (which deal with business continuity management).

Draft guidance on CPS 230 was issued by APRA in July 2023.

APRA-regulated entities are already subject to risk management prudential standards. CPS 230 will build on these standards, in relation to operational risk.

The existing risk management prudential standards are CPS 220 and SPS 220 Risk Management. These standards require that an institution have a risk management framework that enables it to develop and implement strategies, policies, procedures and controls to manage material risks, and which provides its Board with a comprehensive view of material risks across the institution.

What is operational risk?

APRA has given “operational risk” a specific definition. For authorised deposit-taking institutions it is found in Prudential Standard APS 001:

“Operational risk means the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk but excludes strategic and reputational risks.”

Legal risk, which APRA specifically includes in operational risk, is also defined in APS 001. It includes, but is not limited to, exposure to fines, penalties or punitive damages resulting from supervisory actions as well as ordinary damages in civil litigation, related legal costs and private settlements.

APRA does not define “strategic” and “reputational” risk, which it specifically carves out of operational risk, but clearly there may be linkages between these kinds of risk. A major operational risk event could have strategic and reputational implications for an institution, as second-order effects.
