top of page
  • Writer's pictureMathew Theobald

CPS 230 | Are you meeting APRA’s proactive transition expectations in 2024?

Unique to CPS 230, APRA has introduced a concept of ‘proactive transition’, which sets the expectation for implementation well before commencement. 

Procurement leaders of APRA regulated entities should be implementing elements of CPS 230 now, with the expectation that all “material service providers” (under the broader definition) and “material arrangements” are identified by mid-2024. This means assessing service providers against the expanded definition, which may capture additional vendors. 

CPS 230 is about more than just risk management and requires co-operation across the organisation.  Procurement teams will play a key role in helping to identify and manage material service providers and material arrangements. 

What needs to be done by mid-2024?

There are two key steps that Procurement leaders should be taking now. 

  1. Reviewing ‘material arrangements’ and ‘material suppliers’ before mid-2024. CPS 230 expands the definition of material suppliers, which now includes activities that could not be done in-house.   It also introduces the concept of material arrangements.  So, it is not enough to rely on existing policies and registers of suppliers for regulated entities.  Procurement teams need to review all service providers against the new definition before mid-2024. 

  2. Outsourcing Policy review. Now is the time to review your outsourcing policies and requirements to determine if existing practices need to change based on the differences between CPS 231 and CPS 230.  The new obligations will affect policies, the level of due-diligence, agreements and reporting that applies.   For example, the supplier onboarding process will need to consider financial and non-financial due diligence.  Risks for Material Service Providers including fourth-party suppliers will need to be identified, tracked and managed regularly. 

What does CPS 230 cover? 

 The Standard is designed to embed operational resilience for APRA regulated entities, including as it relates to: 

  • Management of operational risks 

  • Maintenance of critical operations through disruptions 

  • Management of risk arising from service providers 

The key requirements of the Standard are that the entity must: 

  1. Identify, assess and manage its operational risk, with effective internal controls, monitoring and remediation 

  2. Be able to continue to deliver its critical operations within tolerance levels through severe disruptions, with a credible Business Continuity Plan (BCP) 

  3. Effectively manage risks associated with service providers, with a comprehensive service provider management policy, formal agreements and robust monitoring 

Some preliminary questions to consider: 

  • Do you know the obligations under CPS 230? 

  • Do you know who your material service providers are? 

  • Do you manage critical contracts and understand the key risks? 

  • Can you access the latest Business Continuity Plans for your material service providers? 


Meeting CPS 230 obligations isn't just required by APRA, it also makes good business sense.  Synerga can help you get started with a value driven diagnostic, plan and deliver approach or help accelerate your plan leveraging our knowledge and resources to meet the deadlines. 

We are working now with many clients to meet their CPS 230 requirements and we are happy to share our knowledge and experiences to make your program successful. Please do not hesitate to reach out to Mathew TheobaldRichard Bradbury or George Knight at Synerga  for more information.


Commenting has been turned off.
bottom of page