Amstelveen Amstelveen

CPS 230: Moving from Implementation to Operating Discipline

Poppy Fassos, Lauren Daluz & Meet Vyas

Follow us on LinkedIn

18 Jun 2026
Topics
  • Business Risk and Resilience
  • Compliance and Regulation

A new phase of regulatory expectations

Since 1 July 2025, APRA‑regulated entities have been implementing CPS 230 Operational Risk Management (the Standard). This has involved identifying critical operations, establishing tolerance levels, uplifting business continuity arrangements, and strengthening service provider governance. The 1 July 2026 milestone marks a shift in expectations. With transition arrangements now complete, regulated entities must demonstrate that resilience frameworks are not only established but embedded and operating effectively in practice. The recent amendments do not fundamentally redesign the standard. This next phase of CPS 230 is about how operational risk, business continuity, and service provider management are managed consistently on an ongoing basis so organisations can manage disruption in practice.

Key changes effective 1 July 2026

Completion of contract remediation: A key milestone is the end of the transition period for pre‑existing contractual arrangements with material service providers (MSPs). For existing contracts with MSPs, CPS 230 requirements apply from the next renewal date, or by 1 July 2026 at the latest. This includes provisions relating to audit rights, business continuity obligations, subcontracting controls and termination rights. The focus is no longer only on negotiating contractual provisions but on how they operate in practice, requiring organisations to actively monitor service provider performance, enforce contractual rights and demonstrate effective governance over these arrangements.

“The amendments introduce limited exemptions from specific contractual requirements in CPS 230 for material arrangements with certain categories of non-traditional service providers (NTSPs), like central banks and clearing and settlement facilities, where contractual compliance is not practicable.” - APRA (April, 2026)

Service provider exemptions: APRA has introduced targeted amendments to better accommodate arrangements with NTSPs, including situations where full contractual compliance is not practical. Limited exemptions apply to certain service providers listed in the Attachment to the Standard (‘Categories of exempt service providers’), including government agencies, regulators, central banks, financial market exchanges, clearing and settlement facility operators, payment system and scheme operators, and financial messaging infrastructure providers, where arrangements use standardised terms or are not documented in a formal agreement. These exemptions apply only to specific CPS 230 contractual and service-level requirements (including paragraphs 53, 54, 55(d) and 59(c)) relating to formal agreements, audit and access rights, business continuity, subcontracting, termination and service-level obligations. While exemptions provide practical relief where full contractual compliance is not feasible, organisations are still required to actively manage the operational risks associated with these arrangements and demonstrate appropriate oversight.

Exempt service provider classification: The amendments clearly set out which service providers can be treated as exempt under paragraph 27 of the Standard and the Attachment. The clarification requires organisations to implement a consistent approach to identifying these providers, assessing associated risks and applying appropriate governance across the business. APRA has also introduced a provision allowing it to exempt an arrangement that does not meet the defined criteria; however, the onus lies with the organisation to apply to APRA.

Guidance and reporting updates: Updates to supporting guidance, including CPG 230 and the Material Service Provider Register template, reinforce the need for organisations to maintain a clear and current view of service provider dependencies, and to demonstrate how risks are actively managed across the ecosystem. APRA expects entities to apply exemptions on a targeted basis, limited to specific paragraphs that cannot reasonably be satisfied, and to take all reasonable steps to manage the operational risks of NTSP arrangements within practical constraints.

What does CPS 230 look like going forward

The July 2026 milestone and updated Standard reflect a progression in core obligations. As APRA has noted, the limited exemption is intended to “provide relief that is narrowly targeted, administratively efficient and responsive to industry concerns, while preserving the core objectives of CPS 230.” Organisations are expected to demonstrate that resilience capabilities are credible, controls operate as intended and disruptions can be managed within established tolerance levels.

While the amendment addresses one of the practical difficulties experienced by APRA-regulated entities in applying service provider governance requirements, broader implementation challenges remain across the Standard. Based on our experience supporting CPS 230 implementations and conducting embedment reviews, a number of consistent themes continue to emerge.

Key opportunities to strengthen resilience include:

  • Deepening of service provider oversight: Organisations should strengthen service provider oversight by monitoring performance against SLAs, assessing the impact of partial outages on tolerance levels, and improving visibility of upstream and downstream dependencies, including fourth-party risk. Where gaps exist, formal risk acceptance and mitigation strategies should be clearly defined.
  • Validation of tolerance levels: Organisations should leverage scenario-based testing and real incident analysis to validate tolerance levels, ensuring they are practical, measurable and aligned to system capabilities. This includes reassessing tolerance levels post-disruption to confirm they remain appropriate and achievable.
  • Establishment of reporting capability: Organisations should strengthen resilience reporting by addressing data fragmentation and integrating insights across risk domains, enabling end-to-end visibility of dependencies, risks and control effectiveness aligned to critical operations. Reporting should clearly link to accountability across the Three Lines of Defence.

These were explored in more detail in our earlier analysis, ‘Six Months of CPS 230: What does the next phase of resilience look like?’, which remains relevant as organisations transition to operating effectiveness.

Conclusion

CPS 230 is now operating as an embedded discipline rather than an implementation program. Organisations must demonstrate that resilience is integrated into day-to-day decision making, service provider oversight is ongoing and risk-based, and disruption response arrangements are tested and effective. This requires clear accountability, operating controls and resilience capabilities that can be relied upon in practice.

CPS 230: Moving from Implementation to Operating Discipline
Download the article

You may also like

Audit and Assurance

Internal Audit Focus Areas for 2026

Organisations continue to face heightened regulatory oversight, rapid technological change, and growing expectations around governance, risk management, and operational resilience. Internal Audit plays a critical role in providing assurance that risk and control frameworks are effective and aligned to strategic objectives. The IIA Global Internal Audit Standards (GIAS) raise the bar on risk-based planning, technology […]

Read the article
Business Risk and Resilience

Six Months of CPS 230: What does the next phase of resilience look like?

As APRA sharpens its focus on operational risk and organisations continuously embed regulatory requirements, the evolving business continuity landscape has exposed key areas where organisations can evolve to build true operational resilience. CPS 230 Embedment Retrospective It has now been six months since the Australian Prudential Regulatory Authority (APRA) has enforced Prudential Standard (CPS) 230 […]

Read the article
Risk Transformation

Measuring Risk Culture

In our article ‘Clarifying Risk Culture’, we described our framework for considering Risk Culture and the basic requirements for measuring it. In this article, we examine the critical success factors for successfully executing a Risk Culture Assessment, and we provide guidance on interpreting results and driving uplift actions. Critical Success Factors Risk Culture Assessments are […]

Read the article
Compliance and Regulation

Submission to the Mandatory Guardrails for AI in High-Risk Settings

Amstelveen welcomes the opportunity to provide feedback on the proposed Mandatory Guardrails for AI in High-risk Settings.
Amstelveen is a specialist risk and compliance consultancy which operates across Australia and New Zealand. Our clients include public and private sector organisations at the forefront of AI deployment and which generally have a high degree of exposure to technology and data-related risks, such as those in financial services, government, telecommunications and energy.
In this submission, we have responded to a subset of the questions listed in the proposals paper titled “Proposals paper for introducing mandatory guardrails for AI in high-risk settings”.

Read the article
View All

Let us tell you more

Risk management expectations are evolving rapidly. How well is your organisation equipped to respond?

Get in touch