Australia’s superannuation industry is navigating one of the most significant regulatory shifts in recent history: APRA’s Prudential Standard CPS 230 Operational Risk Management.

This new standard, which came into effect on July 1, 2025 (along with its accompanying Prudential Practice Guide, CPG 230), marks a major change in how superannuation trustees must manage risk, from the board level down to the intricate web of third-party service providers.

It’s a direct response to a series of high-profile operational failures, including cyber-attacks and service provider disruptions, that have impacted not just financial markets but also the everyday lives of Australians. For super funds, the goal is clear: move beyond simple risk management and build a culture of genuine operational resilience.

This guide breaks down what CPS 230 means for superannuation fund trustees and managers, and provides a clear roadmap to ensure your fund is not just compliant, but robust enough to withstand future shocks.


What is CPS 230 and Why Was It Introduced?

At its core, CPS 230 is designed to ensure that APRA-regulated entities—including banks, insurers, and superannuation funds—are resilient to operational risks and disruptions. It replaces and consolidates five previous prudential standards relating to outsourcing and business continuity management, creating a single, comprehensive framework.

The standard was born out of a stark realisation: a complex, interconnected financial system is vulnerable. Operational failures, whether from a critical system outage, a cyber-attack, or the collapse of a key service provider, can have a catastrophic impact on the financial system and, most importantly, on members.

For a super fund, a disruption to critical operations—such as investment management, fund administration, or member services—could lead to significant financial loss, reputational damage, and a breakdown of trust.

CPS 230 shifts the focus from merely having a business continuity plan to actively ensuring a fund’s critical operations can continue to function effectively even during a severe disruption. It’s a shift from a “check-the-box” compliance mentality to a proactive, outcomes-based approach.


The Three Pillars of CPS 230

The standard is built on three main pillars, each with specific requirements for superannuation funds.

Pillar 1: Operational Risk Management

This pillar requires super funds to have an effective framework for identifying, assessing, and managing all operational risks. Rather than a general statement of risk appetite, it requires a granular, operation-by-operation view of what could fail and how much disruption the fund can absorb.

Key Requirements:

  • Define Critical Operations: Super funds must identify their “critical operations”—those services that, if disrupted, would have a material adverse impact on members or the fund’s role in the financial system. For superannuation, this explicitly includes investment management and fund administration.
  • Set Tolerance Levels: For each critical operation, the fund must set and maintain clear disruption tolerance thresholds. These are the maximum levels of disruption the fund can tolerate. This includes:
    • Maximum Tolerable Period of Disruption (MTPD): The maximum amount of time a critical operation can be unavailable.
    • Recovery Point Objective (RPO): The maximum amount of data loss the fund is willing to accept.
    • Minimum Service Levels: The absolute minimum level of service required during a disruption.
  • Scenario Testing: Funds must conduct severe but plausible scenario testing to ensure they can operate within these tolerance levels. This testing must be rigorous and involve scenarios like cyber-attacks, natural disasters, and key service provider failures. The results must be reported to the board.

Pillar 2: Business Continuity Management

CPS 230 requires a robust and regularly tested business continuity plan (BCP). This is not just a document; it’s a living framework that must be embedded into the fund’s operations.

Key Requirements:

  • Proactive Planning: The BCP must be designed to prevent, prepare for, respond to, and recover from disruptions, linked directly to critical operations and their tolerance levels.
  • Regular Testing: The BCP must be tested regularly using realistic, stress-tested scenarios to identify vulnerabilities.
  • Board Oversight: The board is explicitly responsible for approving the BCP and the results of all testing, elevating it to a strategic issue.

Pillar 3: Service Provider Management

This pillar is arguably the most significant for super funds, given their heavy reliance on outsourced providers for critical functions like administration, custody, and investment operations.

Key Requirements:

  • Material Service Provider Register: Funds must maintain an up-to-date register of all material service providers (MSPs). An arrangement is “material” if it supports a critical operation or exposes the fund to material operational risk.
  • Due Diligence: Funds must conduct comprehensive due diligence on all MSPs before entering into or renewing an arrangement, assessing the provider’s own operational resilience, including its ability to support the fund’s tolerance levels for the critical operations it underpins.
  • Contractual Safeguards: All contracts with MSPs must contain specific provisions, including the fund’s right to audit, clear performance metrics, and provisions for managing sub-outsourcing (also known as fourth-party risk).
  • Ongoing Monitoring: The fund must have a robust framework for monitoring the performance and risk exposure of each MSP on an ongoing basis, with regular reports to the board.

Key Implications and Challenges for Super Funds

The implementation of CPS 230 is not a simple compliance exercise; it requires a fundamental shift in a fund’s operating model and governance.

  • Board Accountability: The standard places ultimate accountability for operational risk and resilience squarely on the board.
  • Increased Costs: Rigorous scenario testing and renegotiating contracts will require significant investment in technology, resources, and expert advice.
  • Third-Party Scrutiny: Funds must now take a much more active and intrusive role in the risk management of their service providers.
  • Culture Change: Ultimately, CPS 230 is about fostering a culture of resilience, requiring all staff to understand their role in managing operational risk.

A Roadmap for CPS 230 Compliance

With the July 1, 2025 commencement date now in effect for APRA-regulated entities (with a longer transition period for some smaller entities on certain requirements), here are the key steps for super funds to ensure ongoing compliance:

  • Form a Dedicated Project Team: Establish a cross-functional team with representation from governance, risk, compliance, IT, and legal.
  • Conduct a Gap Analysis: Assess your current operational risk framework, BCPs, and service provider contracts against CPS 230 requirements.
  • Identify Critical Operations and MSPs: Systematically map all business functions to identify which are critical and which service providers support them.
  • Define and Set Tolerance Levels: Work with the board and senior management to define clear, measurable tolerance levels.
  • Update Policies and Frameworks: Revise your operational risk management framework, BCP, and service provider management policy.
  • Remediate and Renegotiate: Address gaps in your service provider contracts. Note that the transitional period for existing contracts extends to July 1, 2026, or the next renewal date (whichever is sooner).
  • Test and Report: Conduct comprehensive scenario testing and report the results and any remediation actions to the board.
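As an added worked example (not from the article, from APRA, or from MIntegrity), the Python below models the three artefacts the roadmap above produces: the MSP register derived from a map of critical operations to providers, the contract gap list with its remediation deadline (July 1, 2026 or the next renewal date, whichever is sooner), and the comparison of scenario-test results against the tolerance levels from Pillar 1. The operations, tolerance figures, provider names, dates, clause names and test results are all constructed sample data, and the materiality test used (a provider is material if it supports a critical operation) is a simplification of the standard’s two-part test.

```python
"""Added example: CPS 230 register, contract and scenario-test checks.

Not the article's or APRA's code. All data below is constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date

# From the article: existing MSP contracts must comply by this date or the
# next renewal date, whichever is sooner.
CONTRACT_TRANSITION_END = date(2026, 7, 1)

# The contractual provisions the article lists. The identifiers are assumptions.
REQUIRED_CLAUSES = {"right_to_audit", "performance_metrics", "sub_outsourcing"}


@dataclass
class Tolerance:
    mtpd_hours: float        # maximum tolerable period of disruption
    rpo_minutes: float       # maximum tolerable data loss
    min_service_pct: float   # minimum service level during a disruption


@dataclass
class Provider:
    name: str
    supports: set            # critical operations this provider supports
    renewal: date            # next contract renewal date
    clauses: set             # provisions currently in the contract
    subcontractors: set = field(default_factory=set)  # fourth parties


@dataclass
class ScenarioResult:
    operation: str
    scenario: str
    outage_hours: float
    data_loss_minutes: float
    service_pct: float


# Constructed sample data (not a real fund's figures).
TOLERANCES = {
    "investment_management": Tolerance(4, 15, 90),
    "fund_administration": Tolerance(24, 60, 75),
    "member_services": Tolerance(48, 240, 50),
}

PROVIDERS = [
    Provider("AdminCo", {"fund_administration", "member_services"},
             date(2027, 3, 1), {"right_to_audit", "performance_metrics"}, {"CloudHost"}),
    Provider("CustodyBank", {"investment_management"}, date(2026, 2, 1), set(REQUIRED_CLAUSES)),
    Provider("CafeteriaCo", set(), date(2026, 9, 1), set()),  # not material: supports no critical op
]

RESULTS = [
    ScenarioResult("fund_administration", "administrator ransomware", 36, 30, 80),
    ScenarioResult("investment_management", "custodian outage", 3, 10, 95),
    ScenarioResult("member_services", "data centre loss", 40, 300, 40),
]


def msp_register(providers, tolerances):
    """Material service provider register: providers supporting a critical operation.

    Simplification (assumption): the standard's second test, exposure to
    material operational risk, would need a risk rating not modelled here.
    """
    critical_ops = set(tolerances)
    return {p.name: sorted(p.supports & critical_ops)
            for p in providers if p.supports & critical_ops}


def contract_deadline(provider):
    """Remediation deadline for an existing contract: earlier of renewal and July 1, 2026."""
    return min(provider.renewal, CONTRACT_TRANSITION_END)


def contract_gaps(providers, tolerances):
    """Material providers whose contracts lack a required provision, with deadline and fourth parties."""
    register = msp_register(providers, tolerances)
    return {p.name: {"missing": sorted(REQUIRED_CLAUSES - p.clauses),
                     "deadline": contract_deadline(p),
                     "fourth_parties": sorted(p.subcontractors)}
            for p in providers if p.name in register and REQUIRED_CLAUSES - p.clauses}


def tolerance_breaches(results, tolerances):
    """Compare each scenario test result with the tolerance levels for its operation."""
    breaches = []
    for r in results:
        t = tolerances[r.operation]
        reasons = []
        if r.outage_hours > t.mtpd_hours:
            reasons.append(f"outage {r.outage_hours}h exceeds MTPD {t.mtpd_hours}h")
        if r.data_loss_minutes > t.rpo_minutes:
            reasons.append(f"data loss {r.data_loss_minutes}min exceeds RPO {t.rpo_minutes}min")
        if r.service_pct < t.min_service_pct:
            reasons.append(f"service {r.service_pct}% below minimum {t.min_service_pct}%")
        if reasons:
            breaches.append((r.operation, r.scenario, reasons))
    return breaches


if __name__ == "__main__":
    print("MSP register:", msp_register(PROVIDERS, TOLERANCES))
    print("Contract gaps:", contract_gaps(PROVIDERS, TOLERANCES))
    for op, scenario, reasons in tolerance_breaches(RESULTS, TOLERANCES):
        print(f"BREACH {op} / {scenario}: " + "; ".join(reasons))
```

Running the block reports AdminCo as a material provider missing a sub-outsourcing clause (with CloudHost as the fourth party to cover and a July 1, 2026 deadline, since its renewal falls later), and two scenario tests that breach tolerance: the ransomware scenario exceeds the administration MTPD, and the data centre loss exceeds both the RPO and the minimum service level for member services. Those breach entries are what the final roadmap step puts in front of the board alongside the remediation actions.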

By following these steps, superannuation fund trustees can not only meet their regulatory obligations but also build a more resilient and secure organisation that is better positioned to protect members’ retirement savings.


Take Your Next Step

To learn more about how CPS 230 impacts your business and what your next steps should be, contact MIntegrity today.

Want to earn CPD points for reading this article? Sign up with our partner Think Caddie today to claim your points and access more expert financial content.