How GuardianERM helps you meet APRA CPS 230
APRA’s CPS 230 raises the bar for operational resilience as it requires regulated entities to:
- Manage operational risks with effective controls,
- Maintain critical operations within tolerance through severe disruptions, and
- Manage risks from service providers.
CPS 230 commenced on the 1st of July 2025 (with legacy service-provider contracts captured by the next renewal or 1 July 2026).
Let’s explore how GuardianERM turns CPS 230 from policy into practice – bringing risks, controls, critical-operations tolerance, incidents and service-provider oversight into one audit-ready system so you can evidence compliance with confidence.
1) Operational risk & controls
CPS 230 expects these core aspects of risk management to be embedded in your risk framework:
- Governance
- Risk-appetite indicators and limits
- Internal controls, monitoring and incident escalation
GuardianERM provides an integrated Enterprise Risk Management (ERM) platform to help record, assess, monitor and manage risks and controls across units, processes and projects – supporting AS ISO 31000 practices and consistent risk treatment.
Independent control evaluation and follow-up is also supported through GuardianERM’s Audit & Assurance module and workflow reminders – helping you evidence design and operating effectiveness with remediation tracking. This provides a complete management solution for CPS 230’s expectations to design, test and remediate internal controls.
2) Incident & near-miss management (incl. 72-hour trigger)
CPS 230 requires:
- Identification, escalation, recording and timely remediation of operational risk incidents and near misses, and
- Notification of APRA within 72 hours for incidents likely to have a material financial or critical-operations impact.
GuardianERM centralises issues, near misses and incidents (e.g., complaints, regulatory breaches), supports root-cause analysis, assigns and tracks actions to completion, and provides dashboards and reports for management and Board visibility.
3) Business continuity: critical operations & tolerance levels
CPS 230 requires you to maintain a register of critical operations, set tolerance levels (e.g., maximum outage, data loss, minimum service levels), keep a credible BCP with triggers, communications and resourcing, and run regular severe-but-plausible testing.
GuardianERM lets you document business-continuity risks and response strategies by scenario, align BCM with your risk framework, and store BCP artefacts off-site for access in a disruption – supporting evidence of plans, roles and exercises.
4) Service-provider (third & fourth-party) risk
CPS 230 requires a comprehensive service-provider management policy; a register of material providers; due diligence (including concentration and geographic risk); and formal agreements that cover data ownership/control, audit access, subcontractor oversight, liability and force majeure, among others.
GuardianERM supports a vendor & contract register, captures key contractual details, and stores due-diligence artefacts (e.g., risk assessments, questionnaires, audit reports, insurance, BCPs). It also improves visibility of contract management, renewals and ongoing contract-monitoring obligations.
5) Governance, roles & Board reporting
CPS 230 makes the Board accountable for overseeing operational risk, approving the BCP and tolerance levels, and approving the service-provider policy – backed by regular management reporting.
GuardianERM provides executive/Board reporting and supports periodic attestations to stakeholders and regulators, giving leaders real-time access to risk, control, incident, audit and vendor information in one place.
Why GuardianERM
One secure, web-based platform brings risk, incidents, BCM, vendor management, audit, workflow and reporting together, streamlining your CPS 230 “line-of-sight” from risk appetite to controls, incidents, continuity and third-party management.
Ready to Take the Next Step?
Ready to turn CPS 230 from a one-off project into a repeatable capability? If you’re an APRA-regulated entity or a third party to an APRA related entity, we’d love to show you how GuardianERM brings risks, controls, incidents, business continuity and service-provider oversight into one platform.
Contact us today for a personalised demo and discover how your organisation can improve reporting efficiency, strengthen governance, and reduce operational risk.