CPS 230 – from Compliance to Capability
- Hall Advisory
- 6 days ago
APRA’s new operational risk management requirements are now in full swing. In this article, we explore how transitioning from implementation to business alignment can lead to improved performance outcomes.
It was a long time coming, but CPS 230 Operational Risk Management (CPS 230) has been in effect since 1 July 2025. For many organisations, reaching that date might have felt like the end, but it’s just the start. The question shifts from “Are we ready?” to “Is it working?”
It’s now time to embed the changes, maintain momentum and prove value. This is where real operational risk management begins – where operational frameworks enable risk-based decision-making, resilience to disruptions and performance via core teams and material service providers.
For leaders, it’s an opportunity to reframe CPS 230 and treat it as a springboard, not just another compliance requirement. Making the most of CPS 230 can help strengthen how your organisation operates, delivers and improves day by day. The journey ahead is demanding, yet the upside can be significant for those who embrace it.
In this article, we explore regulator expectations, the potential benefits of CPS 230, common challenges and why it’s important to integrate operational risk needs across the business.
What APRA expects now
Getting to 1 July wasn’t easy for many organisations. Teams worked under pressure to update frameworks, document processes and meet deadlines. But the Australian Prudential Regulation Authority (APRA) has been clear that implementation isn’t the end goal – resilience is.
As CPS 230 takes effect, it’s no longer about being ready but whether your operational risk frameworks are effective, sustainable and embedded. More than having plans in place, entities need to prove that those plans work when tested. It's not just knowing who your service providers are, but knowing that they are robust in performing their critical function.
This is a step up in expectations. In the words of APRA Member Therese McCarthy Hockey, “In an environment where one crashed server or ransomware attack could leave millions without access to these essential services, effective operational risk management is vital for financial stability and community wellbeing.”
As APRA noted in its July 2024 Policy Priorities Update, the financial system’s increasing reliance on digital technologies and outsourcing arrangements has created new forms of interconnected risk. In response, regulators expect regulated entities to do more than respond – they must anticipate, prevent and recover from disruptions.
Then there are also firm deadlines. By 1 October 2025, entities must submit their register of material service providers. Going forward, entities also need to use APRA’s new CPS 230 notification forms for incidents, breaches and changes to arrangements. APRA says it will monitor implementation closely, focusing on how entities demonstrate compliance and continuous improvement over time.
This next phase is a chance to make the hard work worth it by building systems that don’t just meet expectations but deliver real confidence and capability.
Operational risk management as a driver of capability
When all the focus is on meeting deadlines, it’s easy to miss the bigger picture. Applied with intent, CPS 230 can do more than meet regulatory expectations. It can help leaders understand, strengthen and improve how their business operates.
Here’s how operational risk management can support capability and performance in practice:
#1 Deeper insight into how your business creates value
CPS 230 encourages you to trace how critical outcomes are delivered – from internal systems through to third-party providers – bringing the full picture into view. For example, you might discover a customer-facing process depends on a vendor three steps removed. Or that critical knowledge sits with one person who is about to go on long service leave.
#2 Clearer ownership and shared accountability
When everyone knows their role in managing risk, people are more likely to raise issues early for fast resolution. Let’s say a technology issue arises during a system upgrade. Instead of delays and finger-pointing, clear ownership means the right team escalates the issue quickly, supported by predefined contingency plans.
#3 Better decisions backed by stronger frameworks
Strong frameworks give people confidence to act when it matters. When there’s clarity around roles, thresholds and contingencies, decisions are less likely to stall or bounce between teams. That’s especially important during pressure points like product launches and outages.
#4 Continuous improvement through better visibility
CPS 230 requires regular reviews of incidents, processes and service provider performance. These reviews often highlight repeat issues, emerging risks and opportunities for change. Testing of contingency and continuity plans often reveals ways to improve the plans and the underlying processes they protect.
The benefits of operational risk management are real, but only if you move beyond compliance. With the right mindset, it can become a powerful enabler of resilience, clarity and performance.
Common challenges limiting the value of CPS 230
Regulated entities have done the work to meet the initial CPS 230 requirements. But as implementation efforts mature, several challenges may surface, particularly in maintaining momentum and ensuring the work delivers long-term value.
Areas where gaps could emerge include:
- Minimum compliance mindset: With so much effort going into meeting the initial requirements, there’s a risk the focus narrows to just doing ‘enough’. That can make it harder to embed real change or adapt over time.
- Fragmented implementation: Some teams may approach CPS 230 and the Financial Accountability Regime (FAR) as separate obligations. While each has distinct requirements, treating them in isolation could lead to duplication or missed opportunities for alignment. More on that shortly.
- Unclear accountability across business units: As operational risk frameworks become more detailed, roles and responsibilities may blur – especially when processes span multiple teams or functions.
- Undefined business processes: Without clear boundaries around who owns what, it can be difficult to respond effectively when something breaks or falls short.
These challenges aren’t inevitable, but they are worth watching for. Leaving them unaddressed could limit the impact of what has already been built – and reduce the value CPS 230 can bring with time.
FAR and CPS 230 – better together
With both CPS 230 and FAR now live, organisations are managing two significant reforms at once. And although FAR and CPS 230 are separate frameworks, they share a common goal: strengthening accountability, risk management and performance across financial services.
As implementation progresses, a useful question to ask is, “Do our frameworks support better decisions and improvement, or just compliance?”
CPS 230 focuses on operational risk and resilience while FAR sets expectations around individual accountability. When aligned, the two can work together to clarify ownership, improve responses and reduce duplicate processes.
Here are five practical areas where alignment can potentially support better outcomes.
#1 Connect your accountability map to operational processes
FAR requires defined roles and responsibilities. CPS 230 focuses on how those roles play out in day-to-day operations.
Bringing these together can help clarify who owns each part of a critical process – from internal teams to third-party service providers. It also gives accountable persons a clearer view of where their responsibilities start and end.
#2 Use CPS 230 to help demonstrate reasonable steps
FAR requires accountable persons to take ‘reasonable steps’ in managing risk. CPS 230 helps give structure to that expectation across BAU operational risks, business disruptions and service provider relationships.
Issues management, incident reporting, process reviews, and risk controls developed under CPS 230 can all support evidence of how:
- operations, including service providers, are monitored,
- risk-based decisions are made,
- actual or potential problems are escalated and resolved,
- critical operations including member services are protected, and
- continuity arrangements are maintained.
#3 Encourage collaboration across business units
Operational risk doesn’t sit neatly within one function. It’s quite the opposite – and can pervade the entire business. That’s why it’s important to work across business units. Aligning FAR and CPS 230 can prompt more cross-functional collaboration, especially where multiple teams contribute to service delivery or manage different aspects of the service provider ecosystem.
This can also help shift operational risk management beyond compliance teams, making it part of how the business works every day.
#4 Identify overlaps and streamline reporting
Working across both frameworks can highlight duplication, such as when similar information is collected or reviewed for separate obligations.
Bringing reporting cycles and review processes into one view may help free up capacity and reduce friction.
#5 Shift from reactive to proactive incident response and planning
CPS 230 places more weight on how organisations prepare for and respond to disruption. As mentioned, that includes testing plans, not just writing them. Bringing these expectations together with FAR can help ensure that the right people are prepared to act – at the right time.
Rather than relying on reactive fixes, organisations can treat incident response as an ongoing learning opportunity to refine plans and clarify escalation pathways. This can help reduce the impact of future disruptions and support more confident decision-making under pressure.
Reframe your approach
CPS 230 marks an ongoing shift in mindset. One that asks leaders to move from compliance to capability and from reacting to planning. Over time, it can shape how risk is understood, decisions are made and the business builds resilience. But only if it's embedded in the right places.
That means integrating operational risk management into business planning, assurance cycles and operational reviews, not keeping it separate.
Consider these questions as you move forward:
Question | Why it matters |
Are our frameworks enabling people, or just meeting expectations? | If processes are unclear or overly complex, they can stall action instead of supporting it. Fitness for purpose and useability for the organisational circumstances and operating style of each specific regulated entity is critical. |
Are we using what we learn to improve? | CPS 230 brings new visibility and the challenge is turning insight into action. |
Are risk and accountability conversations happening beyond the risk team? | If not, it may be harder to embed shared ownership across the business. Line 2 teams need to provide the tools and guidance, while Line 1 leadership needs to embrace the ethos and drive change forward. |
Do our teams know how and when to act in a disruption? | Plans are only useful if people understand them and feel confident using them. Testing and training are key, with continual improvement and consideration of emerging types of potential scenarios. |
Are service provider relationships robust and aligned with strategic priorities? | Providers that seemed adequate in normal conditions may not deliver when the business faces disruption, pressure or growth. Cooperative culture and effective contractual arrangements are the starting point. |
How CPS 230 is applied matters as much as what it requires. That starts with asking the right questions – and being willing to act on the answers.
How we can help
Whether you're testing what you've built, looking to strengthen the links between FAR and CPS 230, or resolving practical implementation issues, Hall Advisory is here to help.
We work with boards, executives and senior leaders to:
- Review and refine operational risk frameworks to meet best practice standards.
- Review and uplift business continuity and information technology disaster recovery plans, including enhancement of frameworks to manage critical operations and respond to cyber risk incidents.
- Review and enhance service provider management frameworks, including provider classification and tiering, materiality assessments, tender management, periodic review and performance assessment, and ensuring compliance of contractual agreements for material service providers.
- Link CPS 230 and FAR in a way that supports clarity and ownership.
- Provide assurance, practical advice and hands-on support during and after implementation of revised frameworks, policies, procedures, plans and playbooks.
We understand the pressure to comply – and the opportunity to do more. Our approach is tailored, collaborative and focused on what matters most: making your frameworks useful, usable and sustainable.
CPS 230 can drive real value, but only if you make it work for your business. We'd love to help you get there. Contact our team today to see how we can support you.