top of page

CPS 230 is not a droid from Star Wars

It might sound like it came from the mind of George Lucas and for some Australian companies it may also seem like something imposed from the Empire. There is however only one thing that is certain, it is coming.

From 1 July 2025 APRA’s Operational Risk Management Prudential Standard (CPS 230) will come into force. APRA regulated companies that are deemed non-compliant can expect significant fines, unplanned costs and reputational damage. Even if you are not an APRA regulated company, you may still feel the impacts of the standard if you assist an APRA regulated company realise any of their processes that are deemed a “critical operation”. This also cascades further to “4th parties”, i.e. a company that another company relies on in delivering a service to an APRA regulated company. 😕

There are 3 components of CPS 230 compliance APRA regulated companies need to meet:

  1. Operational Risk - effectively manage operational risks, and set and maintain appropriate standards for behaviour and compliance.

  2. Business Continuity - show you can maintain critical operations within tolerance levels through severe disruptions.

  3. Service Providers - manage the risks associated with the use of service providers.

And this is where it can get messy…

  • Organisations must have effective internal controls, monitoring, and remediation processes to manage operational risks. This requires a centralised system to not only document and track these controls and risks, but also have an accurate and up-to-date reflection of the relationships and dependencies of all systems, processes, owners, users, suppliers, locations…

  • Ensuring that critical operations can continue during severe disruptions necessitates a credible and tested BCP. Many organisations struggle to create and maintain such plans, particularly when integrating them with overall operational risk management frameworks.

  • Managing the risks associated with service providers is complex, involving comprehensive policies, formal agreements, and robust monitoring. This is especially challenging when service providers rely on fourth parties, which adds another layer of risk and complexity.

  • Many companies may have these covered through separate systems or functions. Having disjointed systems and processes though can lead to gaps in compliance and increase the risk of operational disruptions. Other companies may lack the tools and expertise to address these challenges holistically.

To meet this challenge, Willtures has teamed up with Technology Connect to develop a service to that will efficiently demonstrate CPS 230 compliance through a structured and integrated approach using the power of Ardoq. This service ensures that your organisation is well-prepared to meet regulatory requirements and maintain operational resilience through:

A high level diagram of Willtures' CPS 230 service
Overview of the CPS 230 service
  • Understand and manage operational risks across the whole organisation: The Ardoq platform serves as a unified hub for all CPS 230 compliance activities. It centralises data management, operational risk documentation, and governance, ensuring that all relevant information is easily accessible and manageable.

  • Comprehensive BCP and scenario planning: Ardoq enables virtual Business Continuity Planning (BCP) and impact analysis. Organisations can plan, test, and validate their BCPs within the platform, ensuring they meet the stringent requirements of CPS 230. This includes the ability to understand the impacts of disruptions and the effectiveness of mitigation strategies.

  • Effective Service Provider Management: Ardoq facilitates the integration of service provider management into the overall operational risk framework. It helps organisations document and monitor the risks associated with service providers and their dependencies, ensuring comprehensive oversight and management.

To explore this service further you can download the service brochure available below

Or for a free and confidential discussion on this service please contact us directly via or email either of us directly at:


bottom of page