(Re)in Summary
• APRA has published its finalised cross-industry prudential practice guide CPG 230 to aid in the implementation of CPS 230, effective from 1 July 2025.
• The guide includes a “day one” checklist and a three-year forward plan for supervising CPS 230.
• Non-Significant Financial Institutions will have an additional 12 months to comply with certain CPS 230 requirements.
The Australian Prudential Regulation Authority (APRA) has published its finalised its cross-industry prudential practice guide to aid in the implementation of Prudential Standard CPS 230 Operational Risk Management (CPS 230).
The Prudential Practice Guide CPG 230 is intended to help insurers, banks, and superannuation trustees navigate the requirements of CPS 230 The new regulatory standard was finalised in July last year and is set to take effect from 1 July 2025.
In a media release, APRA said the guidance has been shortened and is more tightly focused on meeting the standard’s expectations.
The regulator also said that entities classified as non-significant Financial Institutions will now have an additional 12 months to comply with certain requirements in CPS 230 relating to business continuity and scenario analysis.
The guide also includes a “day one” checklist for entities to assist in their implementation of CPS 230. Additionally, APRA has provided a three-year forward plan of its intended approach to supervising CPS 230 to assist the industry with implementation and planning.
John Lonsdale
APRA ChairAPRA Chair John Lonsdale highlighted the growing importance of operational resilience in the digital financial age.
“Disruptions to financial services can have a major impact on people who rely on them to save, spend, recover from financial loss or support themselves in retirement,” Lonsdale said.
“CPS 230 is designed to ensure entities safeguard the resilience of their operations and are well prepared to respond to disruptions. By amending the accompanying guidance, we aim to keep industry standards high while also being mindful of the compliance burden on smaller entities so they can remain competitive.”
Industry experts spoke to (Re)in Asia last year, highlighting the importance of CPS 230 in addressing cyber risks and managing non-financial risks. The new standard will require insurers to scrutinise third-party relationships, including reinsurance treaties, and ensure oversight of fourth and fifth-party outsourcing (see story below).





