CPS 230 - Business Continuity

Introduction

This is the fourth article in our series on APRA Prudential Standard CPS 230 Operational Risk Management, which commences in July 2025.

In previous articles we have covered:

In this article we will look at business continuity.

Existing requirements under CPS 232

APRA-regulated entities are already subject to a prudential standard dealing with business continuity – Prudential Standard CPS 232 Business Continuity Management.

CPS 230 will replace this standard, so that business continuity requirements are folded into a broader prudential standard on operational risk management.

Under CPS 232, an APRA-regulated entity must identify, assess, manage, mitigate and report on potential business continuity risks to ensure that it can meet its financial and service obligations. CPS 232 refers to this as business continuity management (BCM), a whole of business approach to ensure that “critical business operations” can be maintained or recovered with minimal consequences from disruption.

Critical business operations are defined in CPS 232 as business functions, resources and infrastructure which may have a material impact if disrupted.

BCM under CPS 232 includes a BCM policy, a business impact analysis (BIA), recovery objectives and strategies, a business continuity plan (BCP), and programs for reviewing, testing and audit of the BCP.

Critical operations

CPS 230 requires entities to formally define and maintain a register of their “critical operations.”

Critical operations are processes which, if disrupted beyond an acceptable level, would materially impact customers, beneficiaries, or the entity's role in the financial system. CPS 230 provides that some operations must be classified as critical unless otherwise justified. These include payments processing for banks, claims handling for insurers, and investment management for superannuation funds. If the entity decides these are not critical operations, the justification should be documented, and APRA would expect these to be exceptional cases.

APRA also has the power to deem certain operations as critical for an individual entity or an entire industry class.

In its draft guidance on CPS 230, APRA recommends assessing all business operations within the entity and not relying on those prescribed by APRA. It says that a prudent entity would consider business operations that, if disrupted, would have either a direct or indirect material adverse impact on stakeholders, or impact the broader financial system or economy. In APRA’s view, a prudent entity would also consider lessons learned from past disruptions and scenario analysis, and business operations previously identified as critical under CPS 232. The focus should be on “outward-facing” services needed to support external stakeholders. APRA expects that critical functions important to the financial system under Prudential Standard CPS 900 Resolution Planning would be classified as critical operations under CPS 230.

Critical operations under CPS 230 differ from critical business operations under CPS 232 in that they incorporate the concept of disruption “beyond an acceptable level”. This leads to another new concept in CPS 230: the “tolerance levels” which APRA-regulated entities must set for every critical operation.

Tolerance levels

The tolerance levels which must be set are of three kinds:

  • the maximum acceptable disruption period;

  • the maximum acceptable extent of data loss as a result of a disruption (typically measured by how far back data can be reconstructed); and

  • the minimum service levels that would be maintained while operating under alternative arrangements during a disruption.

APRA can adjust the tolerances if it deems the levels set by an APRA-regulated entity to be inadequate.

When setting tolerance levels, APRA says that better practice is to use plausible disruption scenarios. Factors to consider include the impact on customers and other external stakeholders, the entity itself and the broader financial system, as well as legal or regulatory requirements, learnings from previous disruptions and scenario analysis, and recovery objectives previously defined under CPS 232.

Enhancing BCPs

Having defined tolerance thresholds is significant, as BCPs under CPS 230 must then demonstrate how critical operations will remain within those parameters for severe but plausible disruption scenarios. This shifts the focus toward ongoing resilience capabilities rather than just recovery activities.

Entities may have a single BCP or multiple BCPs.

At a minimum, BCPs must include:

  • The register of critical operations and their tolerance levels.

  • Triggers for plan activation and processes for directing resources.

  • Step-by-step actions to maintain critical operations through disruptions.

  • Assessments of execution risks, dependencies and preparatory requirements.

  • A communications strategy to coordinate an effective incident response.

Entities must also maintain the requisite staffing, technologies and other resources to operationalise their BCPs when needed. To reduce key person risk, the level of detail in a BCP should be sufficient for execution of the BCP without reliance on the knowledge and experience of individual staff.

CPS 230 allows for capabilities to execute the BCP to be maintained via an agreement with a third-party. These arrangements must meet the CPS 230 requirements for management of service providers.

APRA’s draft guidance says that a prudent entity would link the BCP to other management plans dealing with incidents, such as disaster recovery and liquidity management.

BCP testing and review

CPS 230 requires more rigorous BCP testing and assurance processes than under CPS 232.

Annual exercises are mandatory, using severe but plausible scenarios that could breach tolerance levels. APRA can also direct an entity or industry to test against particular scenarios.

Internal audit functions must review BCPs periodically and provide assurance to the Board that plans are credible and testing is adequate. APRA has the power to commission independent reviews as well.

BCP reporting and approval

CPS 230 gives the Board of an APRA-regulated entity a critical role in business continuity management. The Board must approve the BCP and the tolerance levels for disruptions to critical operations, review the results of BCP testing, and oversee the execution of any findings.

Reporting to APRA

CPS 230 requires notification to APRA as soon as possible (and no later than 24 hours) after a disruption to a critical operation outside tolerance levels. This will need to include a description of the event as well as the action being taken, the likely impact on business operations and the timeframe for resumption of normal operations.

A Raised Bar for Operational Resilience

While the fundamentals of BCM are consistent across CPS 232 and its replacement CPS 230, CPS 230 will raise the bar in several ways:

  • Depth of planning: BCPs must now evidence in detail exactly how critical operations will keep running through major disruptions. Resilience needs to be proven, not just planned for.

  • Board accountability: By mandating criticality assessments and tolerance setting, APRA embeds operational resilience as a strategic issue requiring Board oversight.

  • Tailored requirements: BCPs and capabilities must align with each entity's unique critical operations.

  • Continuous improvement: The updated testing and notification rules, backed by supervisory scrutiny, drive a more vigorous cycle of identifying and remediating gaps.

Action steps to prepare for CPS 230 business continuity

For APRA-regulated entities, successfully implementing the new business continuity requirements in CPS 230 will demand an updated methodology and likely significant work. Actions to prepare for CPS 230 may include:

  • Critical operations: Conduct robust criticality assessments across the whole business and establish a critical operations register.

  • Tolerance levels: Set tolerance levels for each critical operation.

  • Update BCPs: Review and update BCPs as required to be tolerance-based and scenario-focused, with sufficient detail to be used by persons without relying on knowledge of individual staff.

  • Resilience capabilities: Establish resilience capabilities spanning people, processes and technology.

  • BCP testing: Enhance testing programs to prove resilience, not just recovery.

  • Board: Secure Board oversight of BCM with approval of the BCP and tolerance levels, and effective reporting to the Board on incidents and BCP issues.

Entities should view this work not just as a compliance exercise, but as an opportunity to enhance their operational resilience more broadly.

Need help with CPS 230?

We advise many APRA-regulated entities on regulatory compliance. Please get in touch with us if you need help with CPS 230 implementation.

Kathleen Harris and Patrick Dwyer
Legal Directors
