Consultation

Operational risk management

This page sets out details of APRA’s Operational Risk Management Prudential Standard CPS 230 for all APRA-regulated entities including related materials.
All industries
Closed
1 June 2025
Risk Management
Last Updated 30 April 2026

Latest updates

On 30 April 2026, APRA released the final targeted amendments to cross-industry Prudential Standard CPS 230 Operational Risk Management (CPS 230), cross-industry Prudential Practice Guide CPG 230 Operational Risk Management (CPG 230), and the corresponding Material Service Provider (MSP) Register template.  

The amendments to CPS 230 introduce limited exemptions from specific contractual requirements for material arrangements with certain categories of service providers, where contractual compliance is not practicable. Categories of exempt service providers can be found in the attachment to CPS 230. Updates to CPG 230 clarify APRA’s expectations for managing material arrangements with exempt service providers. The updated CPS 230 and CPG 230 commence on 1 July 2026.

The updated MSP Register template includes updated instructions and now accommodates arrangements with exempt service providers. APRA will issue an updated APRA Connect return for the 2026 submission in the coming weeks.  

The media release, response letter, updated version of CPS 230 and CPG 230, and the updated MSP Register template are available below:

Media release

APRA finalises targeted amendments to CPS 230 Operational Risk Management

Response to submissions

Final targeted amendments to CPS 230 Operational Risk Management

Prudential standard

Prudential Standard - CPS 230 Operational Risk Management - clean PDF 282.34 KB 30 April 2026
Prudential Practice Guide CPG 230 - Operational Risk Management - marked up PDF 393.75 KB 30 April 2026

Prudential practice guide

Prudential Practice Guide CPG 230 - Operational Risk Management - clean PDF 386.94 KB 30 April 2026
Prudential Practice Guide CPG 230 - Operational Risk Management - marked up PDF 393.75 KB 30 April 2026

Material Service Provider Register template

CPS230 MSP Register Template - 2026 XLSX 444.69 KB 30 April 2026

Previous updates

December 2025

On 10 December 2025, APRA released a letter that outlined proposals for targeted amendments to CPS 230 to better accommodate the needs of regulated entities that maintain material arrangements with non-traditional service providers (NTSPs). The media release and consultation letter are available below.

Media release

APRA details consultation on targeted changes to CPS 230 for non-traditional service providers

Consultation letter

Consultation on targeted amendments to CPS 230 Operational Risk Management

On 27 June 2025, APRA has released electronic forms that should be completed by entities when notifying APRA of: 

Refer to the table 1 below (information required per notification form) for further details. Once submitted, APRA will contact entities directly should any further information be required.

Table 1. Information required per notification form

Form

Information Required

Operational Risk Incident Form (para 33)​ 
  • Entity name
  • ABN
  • APRA prudential contact name and email
  • Notification submitted by name and email
  • Date of becoming aware of the incident and time
  • Description of the incident
  • Current disruption status
  • Impact on financial and/or critical operations
  • Mitigating action taken or planned
  • Other regulatory agencies that have been notified
  • Other information
Breach of Critical Operation Tolerance Form (para 42) ​
  • Entity name
  • ABN
  • APRA prudential contact name and email
  • Notification submitted by name and email
  • Date of becoming aware of the incident and time
  • Description of the incident
  • Description of the critical operation (s) that have been disrupted
  • Description of tolerance (s) breached
  • Description of the likely impact on the entity’s business operations
  • Current disruption status
  • Actions taken to address the disruption
  • Provide details if disruption has been triggered by a material service provider (if known)
  • What is the expected timeframe to return to normal operations
  • Other regulatory agencies that have or will be notified
  • Other information
New or change to a material arrangement and/or offshoring Form (Paragraph 59 (a) and (b))
  • Entity name
  • ABN
  • Organisation Type
  • APRA prudential contact name and email
  • Notification submitted by name and email
  • Select the reason for the notification
  • Details of the service provider
  • Start and end date of arrangement (where applicable)
  • Does the material arrangement support undertaking of critical operation
  • Select relevant critical operations it supports
  • Does this material arrangement have any exposure relating to operational risk
  • Is this an offshoring arrangement
  • Select the country where the service offerings will take place
  • Other information 

On 17 October, APRA released a material service provider register template as announced in the Response to submissions – CPG Operational Risk Management publication in June 2024.

The use of the template is APRA’s preferred method for regulated entities to submit their registers to APRA for meeting the requirement of paragraph 51 of Prudential Standard CPS 230 Operational Risk Management (CPS 230). A completed material service provider register is to be submitted back to APRA by authorised deposit-taking institutions (ADIs), superannuation trustees, and insurers by 1 October 2025.

Material Service Provider Register Template

CPS230 MSP Register Template XLSX 545.40 KB 14 October 2024

On 13 June, APRA released the final cross-industry Prudential Practice Guide CPG 230 Operational Risk Management (CPG 230).

CPG 230 provides guidance to assist entities with the implementation of, and compliance with, Prudential Standard CPS 230 Operational Risk Management.

A Response to submissions on the consultation on draft CPG 230, the final version of CPG 230 and non-confidential submissions are available below:

Media release:  APRA finalises cross-industry guidance on operational resilience

Response to submissions

Response to submissions - CPG 230 Operational Risk Management

Prudential standard

Prudential Practice Guide CPG 230 Operational Risk Management PDF 434.99 KB 13 June 2024

Non-confidential submissions

Submission ABA 13 October 2023 PDF 542.34 KB 12 June 2024
Submission AFMA 13 October 2023 PDF 313.63 KB 12 June 2024
Submission Amazon Web Services 13 October 2023 PDF 369.67 KB 12 June 2024
Submission ANZ 13 October 2023 PDF 167.68 KB 12 June 2024
Submission ASFA 13 October 2023 PDF 378.69 KB 12 June 2024
Submission AustralianSuper 12 October 2023 PDF 715.60 KB 12 June 2024
Submission CALI 10 October 2023 PDF 679.69 KB 12 June 2024
Submission COBA 20 October 2023 PDF 146.04 KB 12 June 2024
Submission Deloitte 13 October 2023 PDF 1.51 MB 12 June 2024
Submission FSC 13 October 2023 PDF 1.85 MB 12 June 2024
Submission ICA 11 October 2023 PDF 229.35 KB 12 June 2024

On 17 July, APRA released the final new cross-industry Prudential Standard CPS 230 Operational Risk Management (CPS 230).

The new standard is designed to strengthen the management of operational risk, respond to business disruptions and manage the risks from the use of service providers for all APRA-regulated entities.

APRA has also released for consultation a draft of Prudential Practice Guide CPG 230 Operational Risk Management (CPG 230) to accompany the new standard. APRA will consult on this draft until 13 October 2023.    

A response to consultation on CPS 230, the clean and marked up versions of CPS 230, the draft CPG 230 and non-confidential submissions are available below:

Media release: APRA finalises new prudential standard on operational risk.

Response paper

Response paper - Operational Risk Management

Prudential standard

Prudential Standard CPS 230 Operational Risk Management - clean PDF 389.26 KB 17 July 2023
Prudential Standard CPS 230 Operational Risk Management - marked up PDF 272.73 KB 17 July 2023

Prudential practice guide

Draft Prudential Practice Guide CPG 230 Operational Risk Management - Integrated version PDF 1.66 MB 17 July 2023

Non-confidential submissions

CPS 230 non-confidential submissions ZIP 14.94 MB 17 July 2023

On 13 April, APRA released an updated timeline for the implementation of new cross-industry Prudential Standard CPS 230 Operational Risk Management (CPS 230).

APRA received a range of feedback from regulated entities and other stakeholders during consultation, including a request for more time for preparation before the requirements come into effect. Accordingly, APRA intends to:

move the effective date for the new standard to 1 July 2025; and

provide transitional arrangements for pre-existing contractual arrangements with service providers, with the requirements in the standard applying from the earlier of the next contract renewal date or 1 July 2026.

APRA plans to release a final version of the standard, together with draft supporting guidance, in mid-2023.

On 28 July, APRA released for consultation a new prudential standard designed to strengthen the management of operational risk in the banking, insurance and superannuation industries.

APRA proposes to introduce a new cross-industry Prudential Standard CPS 230 Operational Risk Management (CPS 230) which will set out minimum standards for managing operational risk, including updated requirements for business continuity and service provider management.

Written submissions are requested by 21 October 2022.

The discussion paper and draft CPS 230 are available below:

Media release: APRA consults on new prudential standard to strengthen operational resilience.

Discussion paper:

Discussion paper - Strengthening operational risk management

Prudential standard

Draft Prudential Standard CPS 230 Operational Risk Management PDF 399.07 KB 27 July 2022

Note on submissions

It is APRA's policy to publish all submissions on the APRA website unless the respondent specifically tells APRA in writing that all or part of the submission is to remain confidential. An automatically generated confidentiality statement in an email does not satisfy this purpose. If you would like only part of your submission to be confidential, you should provide this information marked as 'confidential' in a separate attachment.

Submissions may be the subject of a request for access made under the Freedom of Information Act 1982 (FOIA). APRA will determine such requests, if any, in accordance with the provisions of the FOIA. Information in the submission about any APRA-regulated entity that is not in the public domain and that is identified as confidential will be protected by section 56 of the Australian Prudential Regulation Authority Act 1998 and will therefore be exempt from production under the FOIA.