APRA · Effective 1 July 2025
APRA CPS 230.
Operational risk management for APRA-regulated entities.
What it is
CPS 230 took effect 1 July 2025 and consolidates operational risk requirements across banking, super, and insurance. Boards must demonstrate operational resilience, identify critical operations, set tolerance levels, and maintain a register of material service providers. Fydis captures operational incidents with reviewable rationale, supports the 72-hour APRA notification under §33, and feeds the annual material service provider register submission.
Who it affects
All APRA-regulated entities, ADIs, RSEs, GIs, life companies.
Regulators ask for specifics: the cell, the row, the captured-at hash, the named approver, and the clause a figure answers. Fydis returns those for every figure under CPS 230.
Coverage by stage
CPS 230 §32–33, Operational risk incidents identified, escalated, recorded, and addressed in a timely manner. Material incidents notified to APRA within 72 hours.CPS 230 incident register entry with severity grade, recovery time objective, and the 72-hour APRA notification draft.
CPS 230 §49 + §53(b), Register of material service providers with assessment of risks associated with geographic location and concentration.Sub-processor lineage with geographic concentration risk score.
CPS 230 §22, Board oversight of operational risk management and the effectiveness of key internal controls, with regular updates on the operational risk profile.Quarterly board pack with incident roll-up, trend, and tolerance breaches.
CPS 230 §51 + §59(a), Annual submission of material service provider register to APRA; 20-business-day notification of material changes.APRA submission pack · PDF + JSON · regenerates deterministically.
Example artefact
What Fydis produces on a real analysis:
Frequently asked
Does Fydis replace our GRC tool?
No. Fydis produces the evidence chain that feeds your GRC tool of record (ServiceNow, Diligent, RSA Archer). The chain is the artefact; your GRC stores the program.
How does this fit with CPS 234 (information security)?
CPS 234 governs the security of the platform itself; CPS 230 governs operational resilience. Fydis aligns to both. Our trust report sits at /trust.
Before the briefing
Score your current outputs against the 12-question audit-readiness checklist. Most teams find a few gaps the first time through. Bring them to the briefing and we will work the CPS 230 clauses directly.
Open the audit-readiness checklist →
See CPS 230 on a real analysis.
The live demo runs the pipeline on sandboxed data. No signup. The same chain runs on your data when you book a briefing.