Following the CPS 234 Tripartite Assessments blog, we want to reiterate the upcoming deadline for Prudential Standard CPS 230 Operational Risk Management.
With CPS 230 on Operational Risk Management taking effect from July 1, 2025, now is the right time to set out some guidance on what is coming next.
This new standard expands on existing requirements like CPS 234 to ensure organisations can withstand and recover from severe disruptions while maintaining critical operations and protecting customers.
Infotrust’s Principal GRC Consultant Sheena Shrivastava provides her commentary on the implementation challenges, transition planning, and how this standard links with existing standards like CPS 234:
- Implementation and Readiness: Key steps entities should take to comply with CPS 230 by July 2025 – for example, ensuring an effective operational risk management framework is in place, identifying “critical operations” and “material service providers” (which APRA expected by mid-2024), setting appropriate impact tolerance levels by end-2024, and updating contractual arrangements with service providers to meet the new requirements. Practical tips for achieving these milestones and avoiding common pitfalls are covered below.
- Transition Planning: Guidance on transitioning from the current state to the new CPS 230 regime. Many firms already have processes from CPS 234 and other standards, and work done under CPS 234 (information security controls, board engagement, etc.) together with existing risk management practices can be leveraged to satisfy CPS 230. This includes aligning business continuity plans and outsourcing/vendor management policies with CPS 230’s expectations, since those older standards are being absorbed into CPS 230’s broader operational resilience mandate.
- Relationship with CPS 234: An explanation of how CPS 234 (Information Security) fits within the broader CPS 230 framework. While CPS 234 remains focused on cyber security and information security resilience, CPS 230 has a wider scope that includes all operational risks – yet the two standards are complementary. Together they form a comprehensive risk management posture, with CPS 234 drilling into cyber/infosec controls and CPS 230 ensuring holistic operational continuity and risk oversight. Compliance efforts for CPS 234 have not been in vain; rather, they form a component of the larger operational resilience picture that CPS 230 requires.
- Operational Resilience and Governance: Emphasising the outcomes that CPS 230 is driving towards – robust internal controls and risk identification, the ability to continue critical operations through severe disruptions (effective business continuity and disaster recovery planning), and strong oversight of third-party providers. CPS 230 places accountability squarely on senior management and boards to achieve these outcomes. For instance, boards are expected to actively oversee operational risk and resilience efforts, meaning governance and risk culture are key. APRA’s focus on “severe but plausible” disruption scenarios also means plans need to be tested and exercised regularly. Best practices and a brief checklist (e.g. governance structures, scenario testing, continuous improvement cycles) can help organisations boost their operational resilience in line with CPS 230.
As the July 2025 deadline for CPS 230 compliance approaches, entities must take proactive steps to ensure readiness.
Transitioning to CPS 230 offers organisations a stronger, more holistic approach to operational resilience by going beyond cyber security to cover critical operations and third-party risks.
Do you need support in transitioning to CPS 230? Don't wait until the deadline approaches. Reach out to the cyber security experts at Infotrust today and confidently navigate your path to CPS 230 compliance.