AIRiskAware

What Is APRA CPS 230?

APRA Prudential Standard CPS 230 Operational Risk Management (effective 1 July 2025) applies to all APRA-regulated entities and has direct implications for how they govern AI systems.

Effective date: 1 July 2025
Applies to: ADIs, insurers, RSE licensees
Replaces: CPS 231 (Outsourcing) and CPS 232 (Business Continuity Management)
Regulator: APRA

What CPS 230 requires

CPS 230 consolidates and significantly strengthens APRA's operational risk requirements. It requires regulated entities to identify material business processes, set disruption tolerances, maintain critical resources, and manage third-party risks — all of which have direct implications for AI governance.

Material business processes
Regulated entities must identify material business processes (which CPS 230 refers to as critical operations): those that, if disrupted beyond tolerance, would cause significant harm to customers or to the financial system. They must maintain resilience for each, including for any AI systems used within them.
Disruption tolerance settings
Boards must approve tolerance settings for how long and to what extent material processes can be disrupted. AI system failures must be factored into these tolerances.
Material service providers
Third-party AI providers used in material processes are material service providers. Due diligence, contracts with audit rights, and transition plans are required.
Critical resources
AI systems on which a material business process depends are critical resources. They must be maintained, monitored, and made resilient to a level consistent with the board-approved disruption tolerances for that process.
Board accountability
Boards must approve the Operational Risk Management framework and receive regular reporting on operational risk — including AI incidents and near-misses.
Notification obligations
Material operational risk incidents must be notified to APRA within 72 hours of becoming aware. Disruptions to critical operations that fall outside tolerance must be notified within 24 hours. Regulatory reporting obligations apply to AI-related operational risk events.

Why CPS 230 matters for AI governance

AI systems embedded in credit decisioning, fraud detection, underwriting, customer service at scale, and investment management are likely to support material business processes, which triggers CPS 230's most demanding resilience requirements for those systems.

Third-party AI providers used in these processes are material service providers. APRA expects due diligence before engagement, contracts with audit rights and incident notification requirements, adequate liability provisions, and transition plans for exit.

Boards that have not explicitly addressed AI within their operational risk appetite and governance frameworks — including board approval of disruption tolerances that account for AI failure scenarios — are not meeting CPS 230 expectations.