CPS 230 · effective 1 July 2026

CPS 230 makes you accountable for your critical operations.
Can you evidence resilience?

CPS 230 is operational-risk regulation: identify your critical operations, set tolerances the board approves, prove your controls work, and manage the service providers (and the technology, including AI) those operations depend on. We wrote the guide to what you’ll need to evidence by 1 July 2026.

Knowing your critical operations isn’t the same as evidencing resilience.

Most institutions can name their critical operations. Far fewer can show, on request, the tolerances they run to, that their controls have been tested and hold, that business continuity covers a severe-but-plausible disruption, and that every material service provider (including the technology and AI those operations now depend on) is on the register with compliant contracts. That gap between knowing and evidencing is exactly what supervision probes.

The work, done for you.

Map your critical operations

How to identify your critical operations and the people, processes, technology and service providers each one depends on, end to end. The step most firms underdo.

Tolerances and tested controls

Setting board-approved tolerance levels, and the control and business-continuity evidence a supervisor expects to see that your operations hold under disruption.

Manage your service providers

The material service provider register, the mandatory contract terms, and the concentration and fourth-party risk CPS 230 expects you to govern.

Where do you stand on CPS 230?

These are the questions a supervisor will ask about your critical operations under CPS 230. Answer honestly: your score shows what you still need to evidence before 1 July 2026.

0/10

Q1

We have identified and documented our critical operations: the ones that, if disrupted, would materially harm us, our customers, or financial stability.

Q2

For each critical operation, we have mapped the people, processes, technology, and service providers it depends on, end to end.

Q3

We have set, and the board has approved, tolerance levels for each critical operation (maximum disruption, data loss, and minimum service levels).

Q4

We maintain controls that manage operational risk across these operations, and we test whether those controls actually work.

Q5

We have a business continuity plan that would keep each critical operation within its tolerance through a severe-but-plausible disruption.

Q6

We test our business continuity plan at least annually, including scenarios severe enough to threaten a critical operation.

Q7

We maintain a register of material service providers and can show which critical operations each one supports.

Q8

Our material service provider arrangements meet CPS 230 requirements, and we actively manage concentration and fourth-party (sub-contractor) risk.

Q9

We can detect, respond to, and notify APRA of an operational risk incident or material service disruption within the required timeframes.

Q10

Accountabilities for operational risk and business continuity are clearly assigned, and the board sees evidence the framework works, rather than attestations that it does.

Answer all 10 questions to see your score.

Get the plain-English guide.

Free guide

CPS 230 Critical Operations: 2026 Readiness Guide

What CPS 230 expects of your critical operations by 1 July 2026: tolerances, tested controls, business continuity, and material service provider management, plus where to start closing the gaps.

  • What counts as a “critical operation”, and how to identify yours
  • Setting tolerance levels your board can approve
  • Material service providers: register, contracts, concentration risk
  • The fastest gaps to close before 1 July 2026

Get the guide

Tell us where to send it. No spam, just the guide and the occasional useful update on the 2026 rules. Unsubscribe anytime.