
Navigating CPS 230: ten months in, what's actually changed

Tom Leyden · 28 April 2026

APRA’s Prudential Standard CPS 230 — Operational Risk Management went live on 1 July 2025. It’s been the regulatory weather event of the year for Australian financial services. Ten months in, the dust has settled enough to say something useful about it.

Here’s what we’re seeing across the firms we work with.

What CPS 230 actually requires (in plain English)

  • Identify and manage operational risks end-to-end — not just inside IT.
  • Maintain critical operations through a defined set of severe-but-plausible disruption scenarios. The word that does the work here is “defined”: hand-waving doesn’t count.
  • Manage material service providers, including the third-party register requirement (which expands in scope on 1 July 2026 — APRA has been clear on this).
  • Demonstrate accountability through clear roles, controls, and board-level reporting.

The shift, in one sentence: operational resilience moved from a documented capability to a demonstrated, evidenced one.

What's working

Three patterns from the firms that handled the transition well:

1. They treated the third-party register as a living asset, not a checklist. The firms still struggling are the ones who built a register in March 2025 and haven’t updated it. The ones thriving wired their register into their procurement and renewal workflows so it updates itself.

2. They invested in the data plumbing first, the dashboard second. The board pack matters, but it’s downstream. The firms that started with control evidence flowing reliably from the source systems (incident management, change management, monitoring) had clean board reports as a near-free side effect. The firms that started with the dashboard ended up with a polished view of bad data.

3. They named the human accountability before the tooling. CPS 230 is, ultimately, about people being able to point at who is responsible for what. Tools without owners produce the worst kind of evidence: thorough, but unattributable.

What's tripping firms up

Three patterns from the laggards:

1. Treating it as an IT project. CPS 230 is an enterprise-wide operational risk standard. If your CRO and your COO aren’t in the room, the project is already off-track.

2. Trying to over-tool the response. A handful of firms have spent more on point-solution “CPS 230 compliance platforms” than the entire program needed. The standard doesn’t require new tooling; it requires evidenced operation. The right answer is usually to make existing tools work harder, not to add more of them.

3. Stopping at go-live. Some firms hit 1 July 2025 with a celebratory email and treated the program as done. Now, ten months later, their evidence is stale, their register is out of date, and APRA’s post-implementation review questions are uncomfortable to read.

Where AI genuinely helps

The vendor noise around “AI for CPS 230” has been deafening. Cutting through it:

  • Continuous evidence collection — automated aggregation of artefacts (control attestations, incident records, third-party performance) that would otherwise burn weeks of analyst time per board cycle.
  • Anomaly detection in operational data — patterns that slip past sampled manual review.
  • Audit-trail generation — clear reasoning chains for any AI-assisted decision, which the standard implicitly requires.
  • Scenario testing — generating and rehearsing severe-but-plausible disruption scenarios faster than humans can dream them up.

That’s the genuine list. It’s real, but it’s narrower than the marketing claims.

Where AI doesn't help

Two cautions worth restating:

  1. AI doesn't replace governance. If your incident management is broken, automating it just produces faster broken outputs.
  2. Black-box vendor AI is a CPS 230 liability. If you can’t explain why a system made a decision, you can’t defend the decision to APRA — and you certainly can’t evidence it.

Any AI introduced into a CPS 230-relevant workflow needs the same governance you’re applying to the underlying process: clear ownership, traceable decisions, exceptions handled by humans.

The bigger picture

Twelve months ago, CPS 230 looked like overhead. Today, the firms who took it seriously are operationally cleaner — better data, better registers, better incident discipline — than they were before. The compliance work was the resilience work.

The firms still treating it as a tickbox are about to learn that lesson the hard way, because the post-implementation reviews are now arriving in earnest.

If you’re unsure where you stand, a short, honest review with someone outside the program is usually the cheapest way to find out.
