With Australian Prudential Regulation Authority (APRA) CPS 230 coming into effect on 1 July 2025, the focus for organisations regulated by APRA is operational resilience.
APRA CPS 230 covers a number of key areas, including your risk management framework, roles and responsibilities, operational risk management, business continuity and service provider arrangements.
In this blog we’re talking to Shannon Slater, Principal Consultant and Jodie Rugless, Senior Consultant at 9Yards about working with service providers, suppliers and partners to support your organisation’s compliance with CPS 230.
Key Dates For Compliance
CPS 230 comes into effect on 1 July 2025. APRA has provided a Day One Compliance Checklist on their website. It explains which of the CPS 230 requirements are new and provides some detail about how to approach compliance.
The Risks of Non-compliance
It’s important to remember that compliance with APRA CPS 230 is not a list of items to tick off. It’s about demonstrating that your organisation is controlling your operational risk, relative to your risk tolerance.
“APRA compliance isn’t just about ticking boxes – it’s an opportunity to gain deeper insights into your business, align teams on what truly matters, and strengthen your processes and systems. 9Yards helps organisations turn compliance into a strategic advantage, driving clarity, efficiency, and long-term resilience.” Shannon Slater, Principal Consultant
APRA’s role is to audit, checking you’re doing what you should be doing and letting you know if you’re not. Getting feedback from APRA is very helpful in ensuring that your operational risk management profile is appropriate.
Failing to comply with CPS 230 does carry a real risk of a ‘material finding’. This is where APRA has conducted an audit and identified that you have an issue. 9Yards Senior Consultant Jodie Rugless notes that if APRA identifies an issue it’s actually a valuable opportunity.
“Non-compliance can of course carry a component of reputational risk but APRA is not the enemy by any stretch of the imagination. These regulations are designed to help you make sure that your controls are in line with your risk appetite—and that you’re actually doing what you said you were going to do.”
Top tip: being audited and receiving recommendations for change can be extremely helpful.
As part of an audit, APRA doesn’t only give findings around non-compliance. They may also provide recommendations for improvement. Because CPS 230 specifically looks to strengthen aspects of your business such as operational risk management, business continuity, third-party risk management and material service providers, recommendations for improvement can help you achieve the kind of key changes that CPS 230 supports.
Working With MSPs to Ensure Their CPS 230 Compliance
APRA talks about suppliers as material service providers (MSPs). Your existing relationship with MSPs (your partners, suppliers and vendors) will be the main consideration for how to work with them. Having open, honest relationships where you support and engage a vendor through their own compliance journey is critically important.
Remember, these changes will probably mean that you’re increasing the obligation you place on your vendors to demonstrate their alignment with your commitment to compliance.
You’ll also need to think about how you factor this compliance into existing and new contracts.
And it’s important to understand what evidence you actually need from your vendors to demonstrate that they’re doing the right thing.
What Happens After You’ve Demonstrated CPS 230 Compliance?
After achieving basic CPS 230 compliance, there will be ongoing tasks that ensure your approach to operational risk management continues to align with the regulations. For organisations that are CPS 230 ready, operational tasks could include updating documentation, refining governance structures, or automating compliance processes.
If your organisation is less ready, there may be significant work involved to just meet the basics.
Regardless of where on this continuum you sit, aligning with CPS 230 is not just about meeting a regulatory deadline. It’s about ensuring operational resilience in a broader, complex risk environment.
Engaging 9Yards Experts to Help With CPS 230 Compliance
If you’re managing changed expectations, having an expert working with you can make a world of difference.
“Any time you’re potentially facing an audit or any kind of new compliance requirement, it can feel a little daunting. Sometimes it’s just about one step at a time. Break it down into actionable tasks and do those actionable tasks. Remember that APRA simply want to see that you’ve clearly considered the requirements for compliance and you’ve implemented controls relative to your own risk.” Jodie Rugless
9Yards can provide confidence and support as you work towards compliance and operational resilience. We have extensive experience working with organisations to check their assurance posture. We can work with you to understand how you are documenting and capturing your assurance posture and help you identify any holes. We can also provide practical support with identifying your third parties and understanding which of those are classified as material service providers. We’re also able to help you frame the questions you should be answering so that your assurance posture and your MSPs’ assurance posture are supporting your governance activities.
If you’re an APRA regulated organisation facing CPS 230, contact us at 9Yards and find out how we can help with your operational resilience journey.