Every year, APRA’s Corporate Plan sets the tone for supervision. This year, the message is unmistakable: resilience and cyber risk are not optional extras, they’re at the core of financial system stability.

For regulated entities, the Corporate Plan signals closer inspection of CPS 230 and CPS 234 compliance, along with sharper focus on operational resilience, third-party dependencies, and AI risk.

In this blog, we will cover:

  • APRA’s strategic objectives
  • Supervision in focus
  • Taking an integrated approach
  • How Protecht can help

Want to go deeper on CPS 230 and operational resilience? Download our CPS 230 eBook: your practical roadmap for turning compliance into lasting capability.

APRA’s strategic objectives for 2025-2026

APRA’s strategy on a page outlines their four primary strategic objectives in order to deliver on three primary outcomes:

[Figure: APRA's strategy on a page, showing four strategic objectives and three primary outcomes. Source: APRA]

Each of these strategic objectives is supported by policy and supervisory priorities, with some having a more direct impact on regulated entities. For example, entities should benefit from APRA’s ongoing commitment to improving its supervisory capability – but are going to be more interested in the specific focus of that supervision.

In a world where regulatory complexity always seems to increase, there is one silver lining. APRA (along with other regulators) has been given ministerial mandate to reduce compliance costs. This doesn’t mean entities can kick back and relax: that reduction can’t come at the cost of safety or stability objectives.

Supervision in focus

The full plan is available to read at the APRA website[1], but below are some of the key supervision points that will affect the majority of entities.

Financial stability and operational resilience

Overseas bank failures and geopolitical uncertainty have sharpened the focus on crisis preparedness. APRA has increased its focus on recovery and exit planning, and on resolution planning, at the entity level. On its own side of the fence, APRA will conduct crisis simulations in collaboration with other regulators.

After more than two years of build-up, CPS 230 came into effect on July 1. It should surprise nobody that ensuring entities are meeting these requirements will be a key focus for APRA.

A minor but perhaps telling slip is that APRA refers to the standard in the Plan as ‘Prudential Standard CPS 230 Operational Resilience’ (emphasis added), rather than the correct ‘Operational Risk Management’[2]. This reinforces the message that APRA is interested in outcomes, not ticking the box, and that operational risk and resilience are intrinsically linked. If hitting 1 July was a scramble, now is the time to digitise and enhance your operational risk practices to improve resilience.

System-wide risks

As part of its focus on emerging risks, APRA will be assessing preparedness across the financial system for geopolitical events. The focus may be on financial risk, but don’t overlook its potential effect on operational disruption, especially for entities relying on overseas third-party providers or resources.

Results of the first system-wide stress test, which considers a combination of financial market disruption alongside a major operational risk event, are also due.

Cyber resilience

Another obvious focus is on cyber resilience, which continues APRA’s recent approach to providing frequent targeted advisories on specific areas of uplift. Regulated entities will need to enhance their own capability, while APRA works with other agencies to improve system-wide response.

Entities are required to submit their material service provider (MSP) register by October 1. Notably, this is linked to cyber rather than to the CPS 230 section. This highlights APRA’s apparent intent (at least initially) to use the MSP register to identify sector-wide third-party concentration risk through a cyber lens.

APRA also intends to assess the risks of artificial intelligence, again notably listed under the theme of cyber resilience. This is understandable, as AI risk is more likely to manifest as operational disruption and so fall within APRA’s purview. However, entities should not sleep on other risks related to the use of AI, such as bias and fairness. While these types of failures are more likely to fall within ASIC’s remit, urgently disabling AI systems that are causing harm may also result in operational disruption.

Taking an integrated approach

While each of the supervisory focuses is distinct, the Plan implies overlaps where entities should consider how some of these processes are integrated in their own organisation. These include:

  • How geopolitical drivers can influence operational risk and resilience outcomes
  • Aligning exit planning and recovery with business continuity requirements under CPS 230
  • The APRA system-wide stress test considers financial risk alongside a major operational risk event. This reinforces the requirement to map critical operations and to have a comprehensive understanding of those operations. If you aren’t already, ensure your disruptive scenarios consider how you would respond to system-wide disruption, beyond scenarios that affect only you.
  • Entities are required to submit their register of material service providers by 1 October, with APRA taking a cyber-focused lens. This reinforces that CPS 230 and CPS 234 are intertwined, and that information security should be considered as part of operational risk management. Ensure you’ve understood your third-party landscape.

Conclusions and next steps for your organisation

APRA’s plan makes resilience and cyber inseparable, and compliance with CPS 230 and CPS 234 is just the starting point. The challenge now is embedding these practices into your organisation in a way that delivers real-time assurance and confidence to boards, executives and regulators.

With Protecht ERM you can:

  • Meet CPS 230 expectations with critical operations mapping, continuity planning, and material service provider oversight.
  • Strengthen CPS 234 alignment with centralised IT control libraries, assurance workflows, and cyber risk reporting to boards.
  • Connect resilience and cyber into a single, integrated framework — so you’re managing risk, not just ticking boxes.

See how Protecht ERM streamlines CPS 230 and CPS 234 compliance while building stronger operational resilience and cyber capability across your business by requesting a demo.

References

[1] APRA, 2025

[2] Correct as of September 2025

About the author

Michael is Protecht's Head of Risk Research and Knowledge. He is passionate about the field of risk management and related disciplines, with a focus on helping organisations succeed using a ‘decisions eyes wide open’ approach. His experience includes managing risk functions, assurance programs, policy management, corporate insurance, and compliance. He is a Certified Practicing Risk Manager whose curiosity drives his approach to challenge the status quo and look for innovative solutions.