From 1 July 2025, APRA’s cross-industry Prudential Standard CPS 230 Operational Risk Management (CPS 230) will come into effect, setting a higher bar for how insurers manage operational risk, third-party arrangements, and business continuity. As the deadline looms, insurers falling behind must accelerate their readiness and embed sustainable processes that meet both the letter and spirit of the mandatory standard.
In this article, our Risk and Resilience team explore:
- Common implementation challenges, including vendor assessments, contract reviews, and data limitations
- What insurers should be doing now to close gaps and embed good practice
- The uplift needed in business continuity and resilience planning under the new metrics (MTPD, RPO, MSL)
- The difference between BCP and Operational Risk scenario analysis
- The importance of strong incident management, training, and documentation
Who Does CPS 230 Apply To?
CPS 230 applies to all APRA-regulated entities, including:
- Banks and other ADIs (Authorised Deposit-taking Institutions)
- Life, general, and private health insurers
- Reinsurers
- RSE licensees (superannuation trustees)
Importantly, CPS 230 also applies to intra-group service arrangements. Even where services are provided internally within a corporate group, entities must ensure that such arrangements are subject to the same level of governance, due diligence, monitoring, and exit planning as third-party providers.
This marks a notable shift, particularly for insurers who have historically relied heavily on group shared services or head office functions.
CPS 230 is a Catalyst for Building Resilience
While some feel that the focus of CPS 230 may be compliance, its intent is clear: to build genuine operational resilience across the financial services industry. For insurers, this is an opportunity to:
- Improve visibility and control over third-party dependencies
- Build capabilities in identifying and managing non-financial risks
- Strengthen the ability to withstand and recover from disruptions
- Align operational processes with risk appetite and strategic priorities
Insurers that take a proactive, integrated, and business-led approach to implementation will not only meet APRA’s requirements, but also enhance long-term resilience and stakeholder confidence.
CPS 230 Challenges Experienced in Implementation
Despite widespread awareness, many insurers are encountering similar roadblocks as they prepare for CPS 230. Some of the most common challenges include:
1. Identifying Material Service Providers
Identifying material service providers is proving difficult for many insurers. Applying consistent materiality criteria across business areas is challenging, particularly when vendor data is fragmented across multiple systems. In some cases, insurers are struggling to justify why certain providers have not been deemed material, exposing them to regulatory scrutiny.
2. Contract Reviews and Negotiations
Contract reviews and negotiations have emerged as another pressure point. Many legacy agreements lack critical provisions such as audit rights, sub-outsourcing controls, and exit terms that support resilience. Renegotiating contracts is often slow and complex—smaller or offshore vendors may resist changes, while in-house legal and procurement teams are stretched thin trying to manage the volume. These challenges are compounded by the heightened expectations around due diligence and ongoing monitoring, which are now more intrusive and resource-intensive than ever before.
3. Siloed Risk and Continuity Practices
A long-standing issue in many insurers is the siloed nature of operational risk, business continuity, and vendor management. These areas have historically operated independently, with limited cross-functional coordination. CPS 230 demands integration across these domains—an organisational and cultural shift that is both significant and resource-intensive. Further complicating matters, insurers are finding that critical operations do not always align neatly with existing business units or reporting lines, requiring rethinking of roles and responsibilities.
4. Underdeveloped Scenario Analysis
Scenario analysis is another area where insurers are still finding their footing. Many have limited experience in designing and executing operational risk scenarios, particularly ones that are both severe and plausible. Some struggle to engage the business meaningfully in defining these scenarios, while others lack the data and methodologies to assess financial and operational impacts with confidence.
5. Board and Executive Readiness
Board and executive readiness is variable. While some organisations have invested in targeted education, others are still bringing their Boards up to speed. There is a risk that senior leaders perceive CPS 230 as a compliance exercise, rather than a driver of resilience and strategic capability. Bridging this perception gap is essential to unlocking the full value of the standard.
6. System and Data Constraints
Technical and data limitations also persist. Many insurers continue to rely on legacy systems that do not support an integrated view of operational risk or enable effective ongoing monitoring. Risk registers are often inconsistent or incomplete, and insights may be limited due to a lack of automation, data visualisation, or access to timely information. These constraints hinder the ability to track emerging issues and manage risks proactively. In some cases, the design of the risk register itself is a limiting factor—too high-level to be useful, failing to capture critical details such as root causes, risk events, and consequences. The absence of robust quality control further undermines the reliability and value of these tools in decision-making and assurance.
7. Change Fatigue and Competing Priorities
Finally, the broader regulatory landscape is creating significant resourcing and sequencing challenges. CPS 230 is just one of several major reforms impacting the insurance sector. Insurers are also contending with the Financial Accountability Regime (FAR), CPS 511 on remuneration, and evolving expectations around climate and cyber risk management. While CPS 190 (Recovery and Exit Planning) has applied to insurers since 1 January 2024, CPS 900 (Resolution Planning) currently applies only to larger, more complex institutions, yet its principles still influence industry expectations. Juggling these overlapping requirements with finite resources is proving difficult for many insurers. The result is mounting change fatigue, blurred priorities, and transformation programs that risk becoming reactive and fragmented rather than strategic and integrated.
What Insurers Should Be Doing Now
By April 2025, insurers should be approaching the final stretch of their CPS 230 implementation journey. This phase should focus on closing identified gaps, embedding new risk management practices into business-as-usual, and stress-testing systems and processes through robust scenario analysis.
1. Hurry up and Finalise the CPS 230 Gap Analysis
An essential starting point is finalising a detailed and well-evidenced gap analysis. Insurers should have already reviewed their existing operational risk frameworks and supporting documentation against the new CPS 230 requirements. This exercise must go beyond simply identifying missing processes—it should also assess whether existing practices are effective, integrated, and appropriately scaled to the organisation’s operational risk profile. A common shortfall is the disconnect between documented operational risk tolerances and the broader risk appetite framework. In some cases, tolerances exist but are not clearly linked to strategic objectives or appetite statements approved by the Board, undermining their usefulness in decision-making.
Additionally, many insurers are still maturing their understanding and articulation of disruption-related thresholds, such as Maximum Tolerable Period of Disruption (MTPD), Recovery Point Objectives (RPO), and Minimum Service Levels (MSL). These parameters are often treated as technical recovery targets rather than key inputs into business continuity planning and resilience assessment. CPS 230 requires insurers to bridge these conceptual and practical gaps to ensure that operational risk tolerances, resilience metrics, and risk appetite are aligned and meaningful in guiding business operations and continuity planning.
2. Executing the CPS 230 Implementation Plan
With gaps identified, a carefully structured and well-governed implementation plan is essential. This roadmap should set out clear priorities, responsibilities, deliverables, and milestones. Crucially, Board and executive buy-in is not optional. Active sponsorship from senior leadership, including regular progress reviews and resourcing decisions, is necessary to ensure momentum is sustained and the program does not become a compliance tick-box exercise.
3. Enhancing the Operational Risk Framework
The operational risk framework itself must evolve into a dynamic, forward-looking system. Insurers should be refreshing their risk definitions, control libraries, and taxonomies to reflect the operational risk profile unique to their business. The framework must clearly articulate who is responsible for identifying, assessing, monitoring, and mitigating operational risks. It should support strategic and operational decision-making, rather than sit in isolation.
4. Material Service Provider Register and Oversight
A core requirement under CPS 230 is the creation and ongoing maintenance of a register of material service providers, but this is just one element of a much broader uplift in third-party risk management. Identifying material providers is not simply a procurement or data exercise—it requires sound judgement, clear and consistently applied criteria, robust documentation of materiality decisions, and the ability to justify these determinations to APRA. Both external and intra-group providers may be material where their failure could significantly impact critical operations. However, beyond the register itself, insurers must also develop or strengthen Business Rules that articulate the minimum standards expected of service providers. These rules should serve as the foundation for legally binding contractual agreements, ensuring alignment with CPS 230 expectations around resilience, audit rights, performance management, data access, sub-outsourcing, and termination provisions.
Additionally, a comprehensive Service Provider Monitoring Framework must be in place to ensure ongoing oversight throughout the lifecycle of each relationship. This includes setting key performance and resilience metrics, monitoring adherence, conducting periodic reviews, and ensuring timely remediation of deficiencies. Together, the register, business rules, contracts, and monitoring arrangements form a cohesive control environment that demonstrates to APRA that third-party risks are being actively managed and governed.
5. Strengthening Business Continuity and Resilience Planning
Business continuity and resilience planning also require significant uplift under the new standard. Insurers must ensure that continuity plans are not only comprehensive and up-to-date but also tested against realistic and severe disruption scenarios. These plans should cover critical operations, supporting systems, data, people, facilities, and third-party dependencies.
CPS 230 frames continuity metrics as tolerance levels set for each critical operation rather than as the single Recovery Time Objective (RTO) of traditional BCP: the maximum period of disruption the entity would tolerate (MTPD, also called MAO), the maximum extent of data loss it would accept (RPO), and the minimum service levels it would maintain while operating under alternative arrangements (MSL). These parameters must be justified, achievable, and aligned with the insurer’s operational risk appetite and capabilities; a tolerance the business cannot demonstrate in testing is an aspiration, not a control. Importantly, business continuity plans should not be owned solely by risk teams. They must be embedded in business operations, with clear accountability and awareness across the first line. This cultural shift is critical to ensuring resilience is operationalised and not just documented.
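The tolerance levels above only mean something when they are compared with what the dependency chain behind each critical operation can actually deliver. The script below is an added illustration written for this article; it is not code from the original page, from InConsult or from APRA, and every operation, provider and figure in it is constructed sample data. It applies a weakest-link rule (an operation is restored only when its slowest dependency is restored, loses as much data as its worst dependency, and runs under workaround no faster than its least-capable dependency) to flag where demonstrated recovery capability breaches MTPD, RPO or MSL. It also derives, from the same dependency map, the external and intra-group providers that must appear in the material service provider register discussed in section 4, so that any provider missing from the register has a documented materiality decision behind it.

```python
"""Tolerance-versus-capability check for CPS 230-style critical operations.

Added illustration, not from the article or from APRA. All names and
figures below are constructed sample data; field names are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Dependency:
    name: str
    kind: str                 # "system", "provider" (external) or "intra_group"
    rto_hours: float          # recovery time demonstrated in the last test, not a target
    rpo_hours: float          # data-loss window the dependency's backups actually bound
    fallback_capacity: float  # share of normal throughput under workaround (0..1)


@dataclass(frozen=True)
class CriticalOperation:
    name: str
    mtpd_hours: float         # maximum period of disruption tolerated
    rpo_hours: float          # maximum extent of data loss accepted
    msl: float                # minimum service level during disruption (0..1)
    dependencies: tuple[Dependency, ...]


def assess(op: CriticalOperation) -> list[str]:
    """Return one finding per tolerance the dependency chain cannot meet."""
    findings: list[str] = []
    if not op.dependencies:
        # An unmapped operation cannot be assessed at all; that is itself a finding.
        return [f"{op.name}: no dependencies mapped; tolerance cannot be assessed"]
    # Restoration completes only when the slowest dependency is back.
    slowest = max(op.dependencies, key=lambda d: d.rto_hours)
    if slowest.rto_hours > op.mtpd_hours:
        findings.append(
            f"{op.name}: MTPD {op.mtpd_hours}h breached by {slowest.name} "
            f"(demonstrated RTO {slowest.rto_hours}h)")
    # Data loss is bounded by the dependency with the widest backup window.
    lossiest = max(op.dependencies, key=lambda d: d.rpo_hours)
    if lossiest.rpo_hours > op.rpo_hours:
        findings.append(
            f"{op.name}: RPO {op.rpo_hours}h breached by {lossiest.name} "
            f"(actual data-loss window {lossiest.rpo_hours}h)")
    # Under workaround, throughput is capped by the least-capable dependency.
    bottleneck = min(op.dependencies, key=lambda d: d.fallback_capacity)
    if bottleneck.fallback_capacity < op.msl:
        findings.append(
            f"{op.name}: MSL {op.msl:.0%} not achievable; {bottleneck.name} "
            f"sustains {bottleneck.fallback_capacity:.0%} under fallback")
    return findings


def required_register_entries(ops) -> set[str]:
    """Providers, external or intra-group, that any critical operation relies on.
    Anything here but absent from the register needs a documented materiality decision."""
    return {d.name for op in ops for d in op.dependencies if d.kind != "system"}


# Constructed sample data (hypothetical names and figures)
CLAIMS_PLATFORM = Dependency("claims-platform", "system", 8, 1, 1.0)
GROUP_IT = Dependency("GroupIT shared services", "intra_group", 36, 24, 0.5)
PAYMENTS_VENDOR = Dependency("PayCo (outsourced payments)", "provider", 12, 4, 0.2)
CALL_CENTRE = Dependency("call-centre telephony", "provider", 4, 0, 0.6)

OPERATIONS = (
    CriticalOperation("Claims payment", mtpd_hours=24, rpo_hours=4, msl=0.5,
                      dependencies=(CLAIMS_PLATFORM, GROUP_IT, PAYMENTS_VENDOR)),
    CriticalOperation("Customer contact", mtpd_hours=48, rpo_hours=24, msl=0.5,
                      dependencies=(CALL_CENTRE, GROUP_IT)),
)


def run_assessment(ops=OPERATIONS) -> dict[str, list[str]]:
    return {op.name: assess(op) for op in ops}


if __name__ == "__main__":
    for name, findings in run_assessment().items():
        print(name, "->", findings or ["within tolerance"])
    print("providers that must be in the register:",
          sorted(required_register_entries(OPERATIONS)))
```

In the sample data the intra-group shared-services function is what breaks the "Claims payment" tolerances on all three measures, which is the point of the standard treating intra-group arrangements like any other provider: the weakest link is frequently inside the group, and it shows up only when demonstrated recovery times, not contractual targets, are fed into the comparison.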
6. Increasing Board and Executive Engagement
Governance plays a pivotal role in the successful implementation of CPS 230. Boards and senior executives are not only expected to be informed and engaged, but also personally accountable for how operational risk is managed within their areas of responsibility. Under the Financial Accountability Regime (FAR), individuals in accountable roles must act with due skill, care, and diligence—and failure to do so may result in personal liability, including civil penalties of up to $1.53 million. As a result, effective oversight is not optional.
Boards must receive regular, high-quality updates on CPS 230 implementation and interrogate whether the organisation’s operational risk exposures are being managed within the established risk appetite. Where needed, targeted upskilling at both Board and executive levels should be undertaken to ensure the necessary capability exists to discharge these responsibilities.
In practical terms, accountable persons under FAR are expected to ensure that operational risks within their domain are identified, assessed, and mitigated; that material control weaknesses and incidents are reported and remediated promptly; and that risks related to service providers and potential disruptions are appropriately managed. This includes maintaining the operational risk management framework and strategy, reviewing and challenging the strength of control environments, facilitating the business continuity management program, and evaluating the operational risk profile against the Board’s stated appetite. Active governance—backed by clear accountability—is central to embedding CPS 230 in a meaningful and sustainable way.
7. Improving Incident Management and Logging
Incident management processes also require strengthening. Beyond logging and resolving issues, organisations must develop a learning mindset. This means analysing root causes, assessing control failures, identifying trends, and sharing insights across the business. Escalation thresholds and communication protocols should be refined to promote timely and appropriate response.
8. Conducting Scenario Analysis
Scenario analysis is another area where many insurers are still developing maturity. Under CPS 230, APRA expects insurers to assess the impact of plausible but severe disruptions on their operations—yet many organisations still treat this as a compliance formality rather than a strategic exercise. It’s important to distinguish between business continuity planning (BCP) scenarios and operational risk (OpRisk) scenarios.
BCP scenarios typically focus on testing the organisation’s ability to respond to and recover from specific disruption events—such as a data centre outage, cyberattack, or critical third-party failure. These exercises tend to be operationally driven and centred on continuity procedures, decision-making processes, and coordination under stress.
In contrast, OpRisk scenario analysis is a forward-looking risk management technique used to identify and quantify the financial and operational impact of extreme but plausible operational risk events. These scenarios are broader in scope, involve cross-functional input, and are often used to support capital assessments and risk appetite calibration.
CPS 230 challenges insurers to bridge the gap between these approaches—ensuring that both types of scenarios are aligned, relevant to the actual business model, and meaningfully integrated into resilience planning. Insurers should be able to demonstrate how scenario outcomes influence control improvements, response strategies, and operational risk capital decisions, rather than treating them as parallel, siloed activities.
9. Training and Awareness
Training and awareness efforts should now shift from general updates to targeted, role-specific education. Operational leaders, risk owners, and vendor managers must understand their obligations under CPS 230 and how these translate into their day-to-day responsibilities. Building a culture of operational resilience will only be possible if staff at all levels understand and own their part in the process.
10. Documenting Everything
Finally, documentation is key. APRA expects a comprehensive and auditable record of all frameworks, policies, registers, assessments, and decision-making processes. Insurers should not only be preparing to evidence compliance in July 2025, but also to demonstrate a process of continuous improvement over time.
Final Thoughts
CPS 230 is not just another compliance standard—it’s a framework for safeguarding trust, reputation, and stability in an increasingly complex risk landscape.
As the July 2025 deadline approaches, insurers must act decisively. A last-minute, compliance-only approach will not be sufficient to meet APRA’s expectations or to build the resilience that CPS 230 is designed to foster. The most effective implementation efforts are those that are embedded, Board-supported, and strategically aligned.
Can We Help?
Working with over 40 APRA regulated entities, the InConsult team has a deep understanding of financial services and the APRA prudential standards. Since the implementation of the revised APRA Prudential Framework in 2001, we have helped our APRA-regulated clients navigate through the myriad of regulatory compliance requirements. We can assist in the review, redesign and uplift of internal policies, procedures, frameworks and training initiatives.
If you have any questions, or would like to know how we can help, contact us to discuss your needs.