AU: CPS 232 Business Continuity (Superseded by CPS 230)
| Field | Value |
|---|---|
| Regulator | APRA |
| Jurisdiction | AU |
| Status | superseded |
| Applicability | Platform |
SUPERSEDED — effective 1 July 2025. All obligations are now in CPS 230 Operational Risk and Resilience.
APRA CPS 232 Business Continuity Management required ADIs to maintain a business continuity plan (BCP) for all critical business functions, define Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs), conduct annual BCP testing (tabletop and live), maintain a crisis management plan, and complete an annual APRA self-assessment. Board annual attestation was required.
CPS 232 has been superseded by CPS 230 Operational Risk and Resilience, effective 1 July 2025. Business continuity obligations are now embedded within CPS 230, framed around "impact tolerances" (maximum tolerable disruption for each critical operation) rather than the older RTO/RPO language.
Compliance register
This register is retained for historical traceability. All active compliance obligations are tracked under au-cps-230.
Scope legend
| Symbol | Meaning |
|---|---|
| 🤖 Automated | Platform enforces or performs the obligation. Primary control mode is GATE, AUTO, CALC, or ALERT. Human action is not required in the normal case. |
| 📊 Evidenced | Platform captures the evidence trail automatically. Human compliance decision sits on top. Primary control mode is LOG. |
| 🏛 Institutional | Obligation is met by a process entirely outside the platform — training programmes, board governance, HR, legal. Platform may generate evidence inputs but does not own the process. |
| N/A | Obligation does not apply to this deployment configuration. |
Build legend
| Symbol | Meaning |
|---|---|
| ✅ | Module built and deployed |
| 🔨 | Module planned — not yet built (build_status: Not started) |
| ❌ | Uncontrolled gap — no module attributed |
Historical obligations (now in CPS 230)
| Obligation | Previous scope | Absorbed into CPS 230 | Platform controls (under CPS 230) | Build |
|---|---|---|---|---|
| BCP covering all critical business functions — documented and board-approved | 🏛 Institutional | Para 22 | BCP is a governance document; MOD-104 and MOD-103 provide multi-AZ infrastructure resilience that underpins BCP recovery capability | 🔨 |
| Recovery Time Objectives (RTOs) defined per critical function | 🏛 Institutional | Para 21 (impact tolerances) | MOD-076 (ALERT) monitors availability against configured impact tolerance thresholds; RTO setting is institutional | 🔨 |
| Recovery Point Objectives (RPOs) defined | 🏛 Institutional | Para 21 | MOD-103 (Neon multi-region continuous replication) and MOD-102 (Snowflake multi-region) provide the technical RPO capability; RPO setting is institutional | 🔨 |
| Annual BCP testing — tabletop and live; results documented | 🏛 Institutional | Para 23 | Annual test programme is COO-led; MOD-076 provides real-time availability monitoring during live tests | 🔨 |
| Annual board attestation | 🏛 Institutional | Para 24 (via CPS 220) | Board attestation is a governance process; MOD-150 provides supporting evidence | 🔨 |
| Crisis management plan and team activation | 🏛 Institutional | Para 22 | Crisis management is an institutional process; MOD-058 (AUTO) triggers regulatory notifications when incidents meet the material threshold | 🔨 |
| APRA self-assessment — annual operational resilience self-assessment | 🏛 Institutional | Para 19 (ORMF) | Self-assessment is a COO/CRO process; MOD-150 provides risk register data to support the assessment | 🔨 |
Status note
SUPERSEDED effective 1 July 2025. For active compliance obligations, refer to au-cps-230. The RTO/RPO framework has been replaced by "impact tolerances" (maximum tolerable disruption) in CPS 230. Existing BCP documentation should be updated to reflect the new terminology and scope on next review.
Any references in policies or module documentation to CPS 232 should be updated to reference CPS 230. The obligation register for this standard is maintained for audit trail purposes only.
Policies referencing this standard
(None yet)
Compiled 2026-05-22 from source/entities/regulations/au-cps-232.yaml