Home / Regulations / CPS 230

APRA · Effective 1 July 2025

APRA CPS 230.

Operational risk management for APRA-regulated entities.

What it is

CPS 230 took effect 1 July 2025 and consolidates operational risk requirements across banking, super, and insurance. Boards must demonstrate operational resilience, identify critical operations, set tolerance levels, and maintain a register of material service providers. Fydis captures operational incidents with reviewable rationale, supports the 72-hour APRA notification under §33, and feeds the annual material service provider register submission.

Who it affects

All APRA-regulated entities, ADIs, RSEs, GIs, life companies.

Regulators ask for specifics: the cell, the row, the captured-at hash, the named approver, and the clause a figure answers. Fydis returns those for every figure under CPS 230.

Coverage by stage

Stage 01Retrieve● Full
CPS 230 §32–33, Operational risk incidents identified, escalated, recorded, and addressed in a timely manner. Material incidents notified to APRA within 72 hours.
Artefact produced

CPS 230 incident register entry with severity grade, recovery time objective, and the 72-hour APRA notification draft.

Fydis-CPS230-008
Stage 02Verify● Full
CPS 230 §49 + §53(b), Register of material service providers with assessment of risks associated with geographic location and concentration.
Artefact produced

Sub-processor lineage with geographic concentration risk score.

Fydis-CPS230-014
Stage 03Evidence● Full
CPS 230 §22, Board oversight of operational risk management and the effectiveness of key internal controls, with regular updates on the operational risk profile.
Artefact produced

Quarterly board pack with incident roll-up, trend, and tolerance breaches.

Fydis-CPS230-021
Stage 04Evidence● Full
CPS 230 §51 + §59(a), Annual submission of material service provider register to APRA; 20-business-day notification of material changes.
Artefact produced

APRA submission pack · PDF + JSON · regenerates deterministically.

Fydis-CPS230-029

Example artefact

What Fydis produces on a real analysis:

Severity and recovery time for incident #4118?
Severity 2
RTO 4h · 17 eventsCPS 230 §32

Frequently asked

Does Fydis replace our GRC tool?

No. Fydis produces the evidence chain that feeds your GRC tool of record (ServiceNow, Diligent, RSA Archer). The chain is the artefact; your GRC stores the program.

How does this fit with CPS 234 (information security)?

CPS 234 governs the security of the platform itself; CPS 230 governs operational resilience. Fydis aligns to both. Our trust report sits at /trust.

Before the briefing

Score your current outputs against the 12-question audit-readiness checklist. Most teams find a few gaps the first time through. Bring them to the briefing and we will work the CPS 230 clauses directly.

Open the audit-readiness checklist →

See CPS 230 on a real analysis.

The live demo runs the pipeline on sandboxed data. No signup. The same chain runs on your data when you book a briefing.