AU: CPS 230 Operational Risk Management
|
|
| Regulator |
APRA |
| Jurisdiction |
AU |
| Status |
live |
| Applicability |
Platform |
APRA Prudential Standard CPS 230 Operational Risk and Resilience, effective 1 July 2025, is the
primary standard for operational risk, business continuity, and service provider management for
all APRA-regulated entities. It supersedes CPS 231 (Outsourcing) and CPS 232 (Business Continuity
Management). It requires a comprehensive operational resilience framework with defined impact
tolerances for critical operations, annual scenario testing, a material service provider register,
and contractual protections for outsourcing arrangements.
The risk management platform (MOD-150) is the primary platform control — it auto-captures loss
events, operates the operational risk register, monitors third-party health continuously, and
routes SLA breach incidents. The observability platform (MOD-076) monitors uptime against
impact tolerances and triggers alerts. Impact tolerance setting, scenario testing, BCP
documentation, and APRA self-assessment are institutional obligations.
Compliance register
This register maps every material obligation under the standard to the platform control or
institutional process that satisfies it. It is the static traceability layer for the Totara
compliance report — dynamic data (module build status, test evidence, control test dates) is
overlaid at runtime.
Scope legend
| Symbol |
Meaning |
| 🤖 Automated |
Platform enforces or performs the obligation. Primary control mode is GATE, AUTO, CALC, or ALERT. Human action is not required in the normal case. |
| 📊 Evidenced |
Platform captures the evidence trail automatically. Human compliance decision sits on top. Primary control mode is LOG. |
| 🏛 Institutional |
Obligation is met by a process entirely outside the platform — training programmes, board governance, HR, legal. Platform may generate evidence inputs but does not own the process. |
| N/A |
Obligation does not apply to this deployment configuration. |
Build legend
| Symbol |
Meaning |
| ✅ |
Module built and deployed |
| 🔨 |
Module planned — not yet built (build_status: Not started) |
| ❌ |
Uncontrolled gap — no module attributed |
Part 2 — Operational risk management framework
| Ref |
Obligation |
Scope |
Policy |
Platform controls |
Build |
| Para 15 |
Operational Risk Management Framework (ORMF) — board-approved; covers identification, assessment, mitigation, and monitoring |
🏛 Institutional |
OPS-004 |
ORMF is a board-approved governance document. MOD-150 (AUTO) operationalises the risk monitoring and register obligations; the framework document is institutional. |
🔨 |
| Para 16 |
Operational risk event capture — material operational losses and near-misses must be captured and classified |
🤖 Automated |
OPS-004 |
MOD-150 (AUTO) — risk events from all system domains are auto-classified against the risk taxonomy and written to the operational risk register continuously; no manual entry required |
🔨 |
| Para 17 |
Operational risk reporting to board and senior management |
🤖 Automated |
OPS-004 |
MOD-150 (AUTO) — board risk report generated automatically; RAF dashboard continuously computed; operational risk metrics available to board at any time without manual assembly |
🔨 |
| Para 18 |
Incident notification to APRA — material operational incidents notified within 72 hours |
🤖 Automated |
OPS-003, REP-009 |
MOD-058 (AUTO) — regulatory incident notification engine manages the incident register, routes notifications to the correct regulator within required timeframes, and tracks acknowledgement receipts; MOD-150 (AUTO) — incidents auto-detected and routed through notification assembly |
🔨 |
| Para 19 |
Severe but plausible scenario analysis — operational risk scenarios tested at least annually |
🏛 Institutional |
OPS-004 |
Scenario test programme is planned and executed by the COO and CRO. MOD-150 provides the operational risk data inputs; scenario testing exercise is institutional. |
— |
Part 3 — Business continuity and critical operations
| Ref |
Obligation |
Scope |
Policy |
Platform controls |
Build |
| Para 20 |
Critical operations — identify and document all critical operations and their dependencies |
🏛 Institutional |
OPS-001, OPS-002 |
Critical operations identification is a COO process. MOD-150 (AUTO) monitors the health of designated critical operations; the identification and classification exercise is institutional. |
🔨 |
| Para 21 |
Impact tolerances — board-approved maximum tolerable disruption (in hours) for each critical operation |
🏛 Institutional |
OPS-001 |
Impact tolerances are board-approved thresholds. MOD-076 (ALERT) monitors actual availability against configured impact tolerance thresholds; threshold setting is institutional. |
🔨 |
| Para 22 |
Business Continuity Plan (BCP) — documented BCP for all critical operations; reviewed and updated at least annually |
🏛 Institutional |
OPS-001 |
BCP is a governance document. MOD-104 and MOD-103 provide the multi-AZ infrastructure resilience that underpins BCP recovery capability; the BCP document itself is institutional. |
🔨 |
| Para 23 |
BCP testing — annual tabletop and live testing; results documented |
🏛 Institutional |
OPS-001 |
Annual test programme is executed by the COO. MOD-076 (ALERT) provides real-time availability monitoring used during live tests; test design and execution are institutional. |
— |
| Para 24 |
Availability monitoring — ongoing monitoring of critical operations against impact tolerances |
🤖 Automated |
OPS-002, OPS-003 |
MOD-076 (ALERT) — uptime and latency monitored against impact tolerance thresholds; breach triggers alert to on-call team and feeds MOD-150 incident creation |
🔨 |
Part 4 — Service provider management
| Ref |
Obligation |
Scope |
Policy |
Platform controls |
Build |
| Para 25 |
Material service provider register — all material service providers documented with classification and risk assessment |
🤖 Automated |
OPS-005, DT-008 |
MOD-150 (AUTO) — all designated critical third parties (Neon, Snowflake, AWS, BPAY, NPP, eIDV providers, card bureau) are registered and continuously health-monitored; SLA breach auto-creates an incident |
🔨 |
| Para 26 |
Due diligence — pre-engagement and annual renewal assessment for material service providers |
🏛 Institutional |
OPS-005, DT-008 |
Due diligence assessment is a COO/procurement process. MOD-150 (AUTO) provides continuous post-engagement monitoring; pre-engagement assessment is institutional. |
— |
| Para 27 |
Contractual requirements — material service provider contracts must include APRA step-in rights, audit access, sub-outsourcing controls, data return on exit, and BCP obligations |
🏛 Institutional |
OPS-005, DT-008 |
Contract negotiation and execution are legal processes. MOD-150 tracks contract expiry dates and triggers review reminders; contract terms are institutional. |
🔨 |
| Para 28 |
Sub-outsourcing — material sub-outsourcing arrangements must be notified to the ADI and assessed |
🏛 Institutional |
OPS-005 |
Sub-outsourcing management is a procurement and legal process. MOD-150 (AUTO) registers sub-provider relationships identified during onboarding; assessment is institutional. |
— |
| Para 29 |
Notification to APRA — material outsourcing arrangements notified to APRA before or within 20 business days of execution |
🏛 Institutional |
OPS-005 |
APRA notification is a Compliance Officer process. Platform has no role in the notification itself. |
— |
Change management
| Ref |
Obligation |
Scope |
Policy |
Platform controls |
Build |
| Para 30 |
Change management — changes to critical operations or material service providers assessed for operational risk before implementation |
📊 Evidenced |
OPS-006 |
MOD-150 (LOG) — CI/CD pipeline deployment events auto-create change records with timestamp, artefact hash, environment, and outcome; post-implementation review auto-scheduled for P1 changes |
🔨 |
| Obligation |
Owner |
Platform evidence input |
| Board approval of ORMF |
Board |
MOD-150 provides risk register and RAF dashboard data inputs |
| Impact tolerance setting (board-approved) |
Board / COO |
MOD-076 monitors against configured thresholds; setting is institutional |
| Critical operations identification and classification |
COO / CRO |
MOD-150 monitors designated critical operations |
| BCP documentation, annual review, and testing |
COO |
MOD-076 provides availability data; MOD-103/MOD-104 provide infrastructure resilience |
| Material service provider due diligence and contract negotiation |
COO / Procurement |
MOD-150 monitors ongoing SLA compliance |
| APRA notification of material outsourcing arrangements |
Chief Compliance Officer |
Platform has no role |
| Annual operational risk scenario analysis |
COO / CRO |
MOD-150 provides risk event data for scenario design |
Coverage summary
| Area |
Total obligations |
Platform automated 🤖 |
Platform evidenced 📊 |
Institutional 🏛 |
N/A |
| Operational risk management |
5 |
3 |
0 |
2 |
0 |
| Business continuity and critical operations |
5 |
1 |
0 |
4 |
0 |
| Service provider management |
5 |
1 |
0 |
4 |
0 |
| Change management |
1 |
0 |
1 |
0 |
0 |
| Total |
16 |
5 (31%) |
1 (6%) |
10 (63%) |
0 (0%) |
CPS 230 has a large institutional component — governance documents, BCP testing, due diligence,
and contract management are all institutional. The platform automates operational monitoring,
risk event capture, incident routing, and third-party health monitoring. All attributed modules
are currently build_status: Not started.
| Policy |
Title |
| OPS-001 |
Business Continuity Policy |
| OPS-002 |
Disaster Recovery Policy |
| OPS-003 |
Incident Management Policy |
| OPS-004 |
Operational Risk Policy |
| OPS-005 |
Third-Party & Critical Service Provider Policy |
| OPS-006 |
Change Management Policy |
| OPS-007 |
Financial Processing Resilience & Idempotency Policy |
| DT-003 |
Technology Risk Management Policy |
| DT-007 |
Change and Release Management |
| DT-008 |
Third-Party & Outsourcing Risk Policy |
| REP-009 |
Regulatory Incident & Breach Notification |
See D09 Operational Resilience for the full risk domain.
Status note
Effective 1 July 2025. Supersedes CPS 231 Outsourcing and
CPS 232 Business Continuity Management. Existing contracts entered under
CPS 231 remain valid until renewal or material amendment.
Official documentation
Policies referencing this standard
- DT-003 — Technology Risk Management Policy
- DT-005 — Model Risk Management Policy
- DT-006 — Cloud & Infrastructure Policy
- DT-007 — Change and release management
- DT-008 — Third-Party & Outsourcing Risk Policy
- DT-010 — Environments and deployment standards
- DT-011 — AI development guardrails
- DT-013 — Model Validation & Audit Policy
- OPS-001 — Business Continuity Policy
- OPS-002 — Disaster Recovery Policy
- OPS-003 — Incident Management Policy
- OPS-004 — Operational Risk Policy
- OPS-005 — Third-Party & Critical Service Provider Policy
- OPS-006 — Change Management Policy
- OPS-007 — Financial Processing Resilience & Idempotency Policy
- REP-009 — Regulatory incident & breach notification
Compiled 2026-05-22 from source/entities/regulations/au-cps-230.yaml