APRA's CPS 230 and Protecht ERM

Need to meet CPS 230? Meet our solution.

Cover all the requirements of the upcoming CPS 230 standards with Protecht’s single, off-the-shelf ERM software solution. Ensure that risk stakeholders, executives and the board have insight into critical operations, material service providers, risks and controls.

Built by risk experts with deep experience in implementing solutions for Australian financial services, our solution delivers market-leading features such as our CPS 230 reporting pack, critical process mapping, and purpose-built registers.

Visualise and monitor critical operations.

Identify, understand and monitor your critical operations.

  • Purpose-built tool lets you visually map critical operations end-to-end – to identify potential gaps, weaknesses and points of failure

  • Know which processes, resources and managed service providers are necessary to deliver each critical operation, using integrated data

  • Define and monitor tolerances in critical operations registers – time, data loss and service levels

  • Integrated data links critical operations to the plausible scenarios that may disrupt your business, so you can plan continued operation

Elevate your governance with robust controls.

Strengthen your controls program to enhance board and senior management oversight.

  • Analytic dashboards and reports help you identify areas of concern and remediation

  • Controls design, implementation, review and assurance in a structured library that captures rich controls data linked to risks, obligations, incidents and frameworks

  • Ensure robust controls testing with testing templates and automation

  • Link controls to the CPS 230 Framework library for compliance oversight

Simplify business continuity management.

Streamline your business continuity management and deal with incidents effectively.

  • The resilience and BCM module’s registers and dashboards deliver a single source of truth for business impact analysis, business continuity plans and recovery testing

  • Integrate incident management data with risks, controls and business continuity records throughout the system

  • Track and manage all APRA communications in a register of regulator communications with automated workflow notifications

Manage service providers with confidence.

Monitor and manage your material service providers.

  • Identify and risk-manage material service providers (plus other third-party service providers) in a dedicated workspace of registers, analytics, risk intelligence and metrics

  • Ensure CPS 230 compliance with our APRA-aligned report, making it easy to submit your material service provider register

  • Streamline due diligence with a portal where your vendors complete questionnaires and follow-up actions, supported by workflow notifications

  • Know where MSPs impact critical operations through integrated data

  • Dashboard to identify fourth parties and their concentration risk

  • Consolidate contract information in the workspace

Protecht ERM CPS 230 brochure.

How Protecht's integrated CPS 230 solution can streamline your journey towards not just compliance, but operational excellence and resilience.


CPS 230: How to apply the operational risk management standard.

Our eBook is a guide to compliance and a blueprint for enhancing operational risk management.


CPS 230 readiness checklist.

Assess your compliance with APRA’s CPS 230 using our structured readiness checklist.


Operational resilience eBook.

How to integrate risk management, governance and continuity planning to protect your organisation and respond effectively to crises.


Product tour

Meeting CPS 230 with Protecht.

APRA’s CPS 230 standard is raising the bar for how financial institutions manage operational risk, ensure business continuity, and govern third-party relationships. But aligning your systems, processes and reporting with the standard doesn’t have to be a compliance burden.

In this short product tour video, you’ll see how Protecht ERM streamlines CPS 230 compliance by unifying all requirements in a single platform. Watch now to discover how our dashboards, registers and automated workflows give you the clarity and control you need without the complexity.


Updated eBook

CPS 230: How to apply the operational risk management standard.

Our CPS 230 eBook is both a guide to compliance and a blueprint for enhancing operational risk management. It lists the key requirements of CPS 230 and shows you how you can address them with Protecht ERM. Ensure your organisation is ready to meet the deadline.

Protecht ERM and CPS 230 requirements:


Key principles

Protecht ERM helps entities to manage their operational risks, maintain critical operations, and manage service provider risks:

  • Core ERM registers and dashboards
  • BCM and operational resilience
  • Vendor risk management


Operational risk management

Ensure you’re not only compliant but equipped with real-time insights and views of your risk landscape:

  • Conduct risk assessments across the organisation, linked to controls management and assurance
  • Consolidate policy, obligations and risk management
  • Understand and monitor your risk profile
  • Integrate controls management and assurance
  • Monitor, escalate and manage incidents


Roles and responsibilities

Delineate roles, streamline processes, and make informed decisions in line with CPS 230 mandates:

  • Users can be assigned as owners, reviewers, or be assigned actions in the system
  • Automated notifications and reminders to achieve follow-up
  • Analytics and dashboards provide actionable insights to make better and faster decisions
  • Drill down to divisions and business units as required


Risk management framework

Ensure that your risk strategies are in harmony with your overarching objectives and requirements:

  • Governance, continuity plans and service provider management
  • Consistent taxonomies and categorisation allow you to aggregate information for different audiences


Business continuity

Always be prepared, with tools for visual mapping, tolerance level capturing, and recovery testing:

  • Identify and manage critical operations and their disruption tolerance levels
  • Identify and evaluate disruption scenarios, and link them to impacted processes, to critical operations and their tolerance levels
  • Manage business impact analysis, business continuity planning and testing
  • Map critical operations to supporting processes, people, resources and technology


Management of service provider arrangements

Ensure you and your vendors can meet material service provider requirements:

  • Identify and risk-manage all third-party service providers, including material service providers
  • Streamline service provider due diligence with capabilities such as SIG questionnaires and integration with cyber risk ratings
  • Consolidate contract information
  • Find out where service providers impact your critical operations


Trusted by well-known regulated financial services providers

  • Australian Securities and Investments Commission (ASIC)
  • ASX Operations Pty Ltd
  • Bank of Sydney Ltd
  • Victoria Teachers Limited (Bank First)
  • MyState Financial Ltd
  • nib health funds limited

APRA CPS 230: Frequently Asked Questions.

These are some of the most common questions we receive from people around Protecht ERM and APRA's CPS 230 standard. We have a wealth of additional resources available, so please get in touch if you don’t see your question answered here.

1. What is APRA CPS 230 and who does it apply to?

CPS 230 is a prudential standard issued by the Australian Prudential Regulation Authority (APRA) to strengthen operational risk management. It applies to all APRA-regulated entities, including banks, insurers, and superannuation funds. The standard sets out requirements to identify and manage critical operations, maintain business continuity, and manage risks related to service providers, enhancing operational resilience across the financial services sector.

 

2. What are the key requirements of CPS 230 for APRA-regulated entities?

CPS 230 requires entities to identify critical operations, define disruption tolerance levels, and implement effective business continuity plans. It mandates risk-based assessments of material service providers, robust operational risk controls, and board oversight. Entities must also maintain comprehensive registers, scenario testing, and assurance processes to demonstrate resilience and ongoing compliance with APRA's operational risk expectations.

 

3. When do the CPS 230 compliance deadlines take effect?

CPS 230 takes effect on 1 July 2025. However, APRA required regulated entities to identify their critical operations and material service providers by 31 July 2024. Entities must also define tolerance levels for critical operations in advance of full implementation. Meeting these deadlines is essential for ensuring compliance readiness and avoiding regulatory scrutiny.

 

4. How does CPS 230 define a material service provider?

A material service provider is a third party whose failure would significantly disrupt an APRA-regulated entity’s ability to deliver its critical operations. Under CPS 230, entities must identify, assess, and manage the risks associated with these providers. They must also maintain a register of material service providers and perform due diligence, monitoring, and contractual oversight to meet compliance obligations.

 

5. What are ‘critical operations’ under CPS 230 and how do you identify them?

Critical operations are functions that, if disrupted, would materially impact an entity’s financial or operational resilience. CPS 230 requires regulated entities to identify these operations through structured mapping of processes, resources, and dependencies. Identification includes assessing impact, assigning tolerance levels (e.g., maximum outage duration), and linking operations to plausible disruption scenarios.

 

6. What is the role of business continuity planning in CPS 230?

Business continuity planning (BCP) is a core component of CPS 230. Entities must maintain and test continuity plans that ensure critical operations can continue within defined tolerance levels during disruptions. The standard emphasises scenario-based testing, integration with risk and controls data, and alignment with governance structures to enhance operational resilience.

 

7. How can I assess CPS 230 compliance in my organisation?

To assess CPS 230 compliance, organisations should review their risk management framework, critical operations mapping, business continuity plans, and third-party risk controls. Using a CPS 230 readiness checklist can help benchmark current practices against APRA’s requirements. Gaps should be identified and addressed through updated processes, technology solutions, and board engagement.

 

8. What are the board and executive responsibilities under CPS 230?

CPS 230 places ultimate responsibility for operational risk and resilience on an entity’s board and senior executives. They must ensure that governance frameworks, risk assessments, and resilience strategies are in place and effective. Boards are expected to review tolerance levels, approve material service provider arrangements, and oversee testing and assurance activities.

 

9. What are the differences between CPS 230 and CPS 234?

CPS 230 focuses on operational risk, business continuity, and service provider management. In contrast, CPS 234 targets information security, requiring entities to maintain cyber resilience. While both standards require third-party oversight, CPS 234 is narrower, dealing specifically with protecting information assets, whereas CPS 230 addresses broader operational disruptions and critical function continuity.

 

10. How can software help automate CPS 230 compliance?

Software like Protecht ERM streamlines CPS 230 compliance by centralising registers, controls, risk assessments, and reporting. It enables automated workflows for monitoring material service providers, mapping critical operations, testing business continuity plans, and producing APRA-aligned reports. This reduces manual effort, enhances accuracy, and provides real-time assurance for boards and regulators.