
CPS 230 in action: Why BAU is the real test.

CPS 230 has been in force since 1 July 2025.1 The deadline mindset got a lot of foundational work over the line, but it also pushed many organisations into a familiar pattern:  

Publish the framework, refresh the policy suite, run a program, then move on.  

The problem is that CPS 230 was never intended to sit neatly in a ‘delivered’ folder. It’s an ongoing operating discipline: managing operational risk end-to-end, maintaining critical operations within tolerance, and proving you can do it when the disruption is real.2  

The conversation in 2026 has moved from ‘are you compliant?’ to ‘is it operationalised?’.  

PwC captured it neatly at commencement: CPS 230 sets a new baseline, but the real value comes from building resilience as a capability that’s embedded in BAU, not treated as a compliance finish line.3

This piece is for organisations that are behind, partially compliant, or still treating CPS 230 as a one-off milestone. It’s a practical state of play: what’s commonly been implemented, where shortcuts are emerging, and what still needs attention ahead of the July 2026 service provider transition pressure point.4

Download our CPS 230 eBook for practical guidance on closing implementation gaps, improving controls testing and embedding resilience into BAU: Download now 

The shift since July 2025: from compliance to capability  

A lot of entities did the right things initially. Governance updates. New registers. Revised BCP documents. Vendor workstreams. New reporting packs.

But post-commencement, the real test is whether they connect to the way the organisation runs.

Three forces are pushing this shift:

  • APRA’s expectation is inherently operational: CPS 230 is about resilience of critical operations and uplift in third-party risk management, with specific notification and tolerance requirements
  • ‘Policy on paper’ isn’t enough: The commencement date has passed, but the work is not over, especially for pre-existing service provider agreements, which still need uplift by the earlier of their next renewal or 1 July 2026
  • Operational dependence on third parties keeps rising: Reliance on third parties continues to grow, regulatory focus is increasing across jurisdictions, and third-party risk repeatedly ranks as a top concern.

The net effect is that CPS 230 increasingly tests governance maturity. It’s not just ‘do you have the framework?’ It’s ‘can you run it consistently, prove it, and improve it?’.

What are entities actually implementing?  

1) Governance exists but the operating model is often fragile

CPS 230 pushes accountability upward. Boards must oversee operational risk management, business continuity, and service provider arrangements, and that oversight has to be supported by timely, targeted information.

Because CPS 230 moves operational risk oversight firmly into BAU governance, the fragility often appears in the operating model rather than the documented framework:

  • Ownership is unclear across Line 1 and Line 2 once the project team disbands
  • Board reporting relies on manual aggregation and point-in-time narratives
  • Changes in people and structure slowly desynchronise roles, registers, and approvals.

This is how ‘compliance drift’ begins: not with a dramatic failure, but with quiet misalignment.

2) Critical operations and tolerances: the shortcuts are predictable 

Most entities have defined critical operations, but shortcuts blunt the usefulness of the exercise.

Some define critical operations at too high a level, which makes tolerances vague.

Others set tolerances without documented rationale, so they can’t explain why those numbers are right.

APRA’s framing is clear: the intent is to maintain critical operations through disruptions and ensure BCPs align to board-approved tolerance levels. If tolerances don’t influence resourcing, investment, provider choices, scenario design, or escalation, they’re unlikely to stand up when challenged.  


3) Controls and assurance: design bias still dominates    

This is a common maturity gap: control libraries exist, but the evidence of operating effectiveness is patchy.

The CPS 230 standard itself is explicit that controls must be tested (design and operating effectiveness) commensurate with risk, results reported, and gaps rectified in a timely manner.

It’s not a documentation requirement. It’s a living rhythm: test, learn, fix, evidence, repeat.  

For controls, the implication is direct: if you can’t demonstrate operating effectiveness and closure discipline, you’re exposed, even if your framework reads well.


4) Incidents and escalation: the BAU reality check 

CPS 230 has time-bound notification requirements. The standard itself requires an entity to notify APRA as soon as possible, and no later than 72 hours, after becoming aware of an operational risk incident it considers likely to have a material financial impact or a material impact on its ability to maintain critical operations, and no later than 24 hours if it has suffered a disruption to a critical operation outside tolerance. CPG 230, the practice guide APRA issued alongside the standard, sets out how APRA expects entities to apply these requirements.5

Plenty of organisations can describe their incident process. Fewer have done deep exercises pressure-testing whether they can reliably meet those expectations when the incident is messy, information is incomplete, and third parties are involved.

The state of play signal here is simple: if you can’t meet CPS 230’s notification expectations without heroics, it isn’t yet business as usual.

Where scrutiny is increasing  

Without speculating on supervisory action, public signals already show where scrutiny is heading.

At commencement, APRA was quoted as warning entities not to cut corners, and describing a staggered supervisory approach starting with the largest entities.6 That’s consistent with the idea that CPS 230 will be assessed over time, through evidence and outcomes, not initial program artefacts.

Three areas are especially hard to ‘fake’ as 2026 reporting progresses:

1) End-to-end operational risk view, including third and fourth parties   

CPS 230 expects an end-to-end view that includes operations delivered by service providers. As ORX notes, dependency chains are expanding, and third-party risk is increasingly material and strategically important.7

A vendor register alone won’t cut it unless it connects to critical operations mapping, scenario analysis, controls assurance, incident processes, and exit planning.


2) Evidence quality and closure discipline   

APRA’s guidance includes very practical expectations around documentation and the quality of information supplied to boards. At a market level, this tends to separate ‘we can talk about CPS 230’ from ‘we can evidence CPS 230’.

If issues arising from testing and scenarios aren’t tracked to closure with owners, dates, and proof of remediation, the program is effectively stalled.


3) Service providers as the compliance bottleneck

This is where the next wave of catch-up effort is concentrating.

From 1 July 2026, the service provider requirements apply to all material arrangements, including pre-existing contracts that have not renewed before then. Post-commencement commentary has repeatedly reinforced that this is where many entities are still doing the heavy lifting.8 The same applies to the temporary exception granted to non-SFIs for some business continuity requirements, which also becomes mandatory for all entities on 1 July 2026.9

In late 2025, APRA acknowledged a practical friction point. It consulted on targeted amendments for arrangements with non-traditional service providers (NTSPs): market-mandated providers such as exchanges, payment schemes, and clearing houses, where contracts are standardised or non-negotiable. The proposed change would exempt certain NTSP arrangements from the strict contractual and service-level uplift requirements.10

This is not a relaxation of risk expectations, but rather a recognition that some providers cannot be negotiated with in the usual way. The question here becomes less about whether you inserted the right clauses and more about whether you can demonstrate that you understand and manage the dependency.

The July pressure point: contracts, uplift plans, and exit reality  

For organisations behind or partially complete, the service provider work is often where CPS 230 stops being theoretical.

The reality is structural. Contract cycles rarely align with regulatory deadlines. Some material arrangements will not renew before July 2026. Some providers, particularly NTSPs, will not accept negotiated changes. Some dependencies sit across multiple services and fourth parties, embedded in core operations.

Even where contractual exemptions apply, the underlying exposure remains. You still need to demonstrate that you understand which critical operations rely on which providers, how those dependencies are monitored, and what your contingency position looks like if disruption occurs.

This is why the focus needs to be practical:

  • Can you clearly identify which providers are material and which critical operations they support?
  • Do you have a structured uplift plan based on renewal dates, gaps, and risk?
  • Can you monitor service levels and resilience in a way that isn’t manual and ad hoc?
  • Do you have an exit strategy that is credible, not aspirational?

If your program can’t answer those questions with evidence, you’re at risk of being compliant on paper but operationally exposed.

A practical catch-up pathway for organisations that are lagging

The goal isn’t to ‘do CPS 230 again’. It’s to make the components you’ve built behave like an operating system:  

  • Re-baseline ownership and reporting: Decide what BAU ownership looks like across critical operations, tolerances, testing, incidents, and provider oversight. Then make reporting less dependent on manual collation and individual effort. If the board view is only accurate when someone builds it by hand, drift is inevitable.
  • Make tolerances and testing operational: Re-check that tolerances are meaningful and defensible. Align scenarios and BCP testing to those tolerances. Build a rhythm of control testing and issue closure that produces evidence without scrambling.
  • Pull forward contract uplift and exit planning: Treat 1 July 2026 as an operational deadline, not a legal date. Build the uplift plan around renewals, identified gaps, and provider realities. Where terms are non-negotiable, document the approach, monitoring plan, and risk acceptance decisions with the right governance.

This is the shift from ‘compliance delivery’ to ‘operational discipline’.  

Conclusions and next steps for your organisation  

CPS 230 is in force. Post-July 2025, the market is moving past implementation theatre and into operating reality. 

If CPS 230 still feels like something you completed last year, your drift has already started.

The catch-up opportunity is to make CPS 230 BAU: stable ownership, meaningful tolerances, systematic testing, credible incident execution, and service provider management that stands up even when the disruption isn’t convenient.

Protecht integrates critical operations mapping, tolerance monitoring, controls testing, service provider oversight, and incident management in a single, purpose-built platform designed for Australian financial services.

Moving from compliance delivery to operational discipline requires more than policies and registers. You need a clear, connected view of critical operations, controls testing, incidents and service provider oversight.

In our short product tour, you’ll see how Protecht helps organisations operationalise CPS 230 by bringing risk, resilience and third-party management together in a single platform, with dashboards, automated workflows and board-ready reporting.

Ready to explore how this could work in your organisation? Speak with one of our product specialists to see how Protecht can help you meet and go beyond CPS 230:  

Request a demo

Watch the CPS 230 product tour


References

1) APRA – Operational risk management: https://www.apra.gov.au/operational-risk-management-1

2) APRA – CPS 230 (PDF): https://www.apra.gov.au/sites/default/files/2023-07/Prudential%20Standard%20CPS%20230%20Operational%20Risk%20Management%20-%20clean.pdf  

3) PwC – Building resilience that lasts beyond compliance: https://www.pwc.com.au/assurance/digital-trust/building-resilience-that-lasts-beyond-compliance.html  

4) APRA – Transition timing update: https://www.apra.gov.au/news-and-publications/apra-provides-an-update-on-implementation-of-new-operational-risk-standard  

5) APRA – Prudential Practice Guide CPG 230: https://handbook.apra.gov.au/ppg/cpg-230 

6) Financial Standard – APRA expects ‘no cutting corners’ with CPS230: https://www.financialstandard.com.au/news/apra-expects-no-cutting-corners-with-cps230-179809067  

7) ORX – Third Party Ecosystem Risk Management: https://orx.org/resource/third-party-ecosystem-risk-management-2025  

8) Sparke Helmore – CPS 230 now in effect… work is not over: https://www.sparke.com.au/insights/financial-services-funds-and-superannuation-legal-update-july-2025/  

9) APRA – Response to submissions: CPG 230 Operational Risk Management: https://www.apra.gov.au/response-to-submissions-cpg-230-operational-risk-management#delayed-start-date-for-parts-of-cps-230-for-non-sfis

10) APRA – NTSP amendments consultation: https://www.apra.gov.au/news-and-publications/apra-details-consultation-on-targeted-changes-to-cps-230-for-non-traditional  

About the author

For over 20 years, Protecht has redefined the way people think about risk management with the most complete, cutting-edge and cost-effective solutions. We help companies increase performance and achieve strategic objectives through better understanding, monitoring and management of risk.