Map your critical operations
How to identify your critical operations and the people, processes, technology and service providers each one depends on, end to end. The step most firms underdo.
CPS 230 · effective 1 July 2026
CPS 230 is operational-risk regulation: identify your critical operations, set tolerances the board approves, prove your controls work, and manage the service providers (and the technology, including AI) those operations depend on. We wrote the guide to what you’ll need to evidence by 1 July 2026.
The problem
Most institutions can name their critical operations. Far fewer can show, on request, the tolerances they run to, that their controls have been tested and hold, that business continuity covers a severe-but-plausible disruption, and that every material service provider (including the technology and AI those operations now depend on) is on the register with compliant contracts. That gap between knowing and evidencing is exactly what supervision probes.
What it does
How to identify your critical operations and the people, processes, technology and service providers each one depends on, end to end. The step most firms underdo.
Setting board-approved tolerance levels, and the control and business-continuity evidence a supervisor expects to see that your operations hold under disruption.
The material service provider register, the mandatory contract terms, and the concentration and fourth-party risk CPS 230 expects you to govern.
CPS 230 readiness check
These are the questions a supervisor will ask about your critical operations under CPS 230. Answer honestly: your score shows what you still need to evidence before 1 July 2026.
Q1
We have identified and documented our critical operations: the ones that, if disrupted, would materially harm us, our customers, or financial stability.
Q2
For each critical operation, we have mapped the people, processes, technology, and service providers it depends on, end to end.
Q3
We have set, and the board has approved, tolerance levels for each critical operation (maximum disruption, data loss, and minimum service levels).
Q4
We maintain controls that manage operational risk across these operations, and we test whether those controls actually work.
Q5
We have a business continuity plan that would keep each critical operation within its tolerance through a severe-but-plausible disruption.
Q6
We test our business continuity plan at least annually, including scenarios severe enough to threaten a critical operation.
Q7
We maintain a register of material service providers and can show which critical operations each one supports.
Q8
Our material service provider arrangements meet CPS 230 requirements, and we actively manage concentration and fourth-party (sub-contractor) risk.
Q9
We can detect, respond to, and notify APRA of an operational risk incident or material service disruption within the required timeframes.
Q10
Accountabilities for operational risk and business continuity are clearly assigned, and the board sees evidence the framework works, rather than attestations that it does.
Answer all 10 questions to see your score.
Free guide
Free guide
What CPS 230 expects of your critical operations by 1 July 2026: tolerances, tested controls, business continuity, and material service provider management, plus where to start closing the gaps.