Client Alert

Learnings from CPS 234 as you adopt CPS 230

By:
Matthew Green,
Daniel Farthing,
Claire Scott,
Jane Stanton
16 May 20245 min read
insight featured image
With the CPS 234 Information Security tripartite review program coming to an end around June 2024, APRA-regulated entities face a pivotal moment.

The looming implementation of CPS 230 Operational Risk Management is closely tied to CPS 234, requiring regulated entities and service providers to prepare for its impact. To ensure you are prepared for these changes, we highlight steps to consider while you plan for the changes, and how CPS 230 and CPS 234 are interconnected in the evolving regulatory landscape. 

The relationship between CPS 234 and CPS 230  

CPS 234 focuses on information security in APRA-regulated entities to enhance their resilience against information security incidents, including cyber threats. While CPS 234 is specific to information security, it complements CPS 230, which sets out minimum standards for managing operational risk across APRA-regulated entities.  

Operational risk covers a wide range of risks beyond information security and while CPS 230 has a broader scope, it aligns with CPS 234’s focus on information security and resilience. Together, they create a comprehensive operational risk framework, with CPS 234 emphasising information security practices and CPS 230 offering a holistic approach to managing operational risks.  

These standards work together to enhance the overall resilience of financial institutions in Australia. 

An overview of how CPS 234 and CPS 230 are interconnected

How should Boards think about CPS 230? 

As Boards and directors are tasked with establishing a robust operational risk management framework, they should prioritise the following key areas: 

1. Operational Risk Management Framework: 

  • Policy and risk appetite: The Board plays a crucial role in establishing an effective risk management framework. This involves determining policy, setting risk appetites, and establishing appropriate processes for monitoring, analysis, reporting, and managing risks and risk events. 
  • Accountability: CPS 230 places accountability for operational risk management squarely on the Board. Directors must actively engage in overseeing operational risk practices within the organisation. 

2. Implementation timeline: 

  • Proactive transition: Entities should start considering the key components of CPS 230 now to ensure preparedness. APRA has introduced a proactive transition period, requiring entities to identify material service providers and critical operations by mid-2024. By the end of 2024, entities should have set tolerance levels. The standard becomes effective on 1 July 2025. 

3. Key alignments between CPS 230 and CPS 234: 

  • Risk event preparedness: Entities must ensure effective processes to support the management and response to risk events, effectively reducing their impact. 
  • Resilience: Organisations should be able to continue operating despite disruptions, providing critical services to customers. 
  • Business continuity planning: Rigorous business continuity planning and exercising are critical to minimize the impact of disruptions to an acceptable/tolerable level. Entities will need to expand their thinking to ‘severe but plausible’ scenarios. 
  • 3rd and 4th party ecosystem: Entities will need to tackle the challenge of updating contracts to include operational risk clauses and obtaining necessary controls assurance. This may not be straightforward and will take time. 

4. Long-term impact: 

  • Boards and executive teams should focus on what the organisation can and should have in place by 1 July 2025. This means considering the resources required for a program of work to achieve a deeper impact for the benefit of customers and stakeholders. 

In summary, boards and directors should actively engage in shaping the operational risk management framework, ensuring resilience, and prioritising risk event preparedness to meet CPS 230 requirements effectively. 

Our financial services industry specialists can help you navigate the changes ahead to meet CPS 230 whether that is uplifting governance arrangements for oversight of operational risk, aligning operational risks, tolerance levels and business continuity plans, assessing material service providers and enhancing supplier management and due diligence procedures. We know the transition is a complex one with many moving parts, contact us today to discuss your needs

WATCH NOW
Gearing up for CPS 230's implementation
This webinar is tailored to equip you and your team with practical steps for CPS 230's implementation. We will dive into the intricacies of the standard, focusing on its design and operational effectiveness to meet regulatory expectations.

Watch on-demand
TAGS  
Authors
  • Matthew Green
    Matthew Green Matthew brings 19 years’ experience in providing IT risk assurance and advisory services to listed, Government and private enterprise. His extensive IT risk assurance and advisory experience covers business and technology across strategy, governance, operations, service delivery, procurement, major projects, data risk management and 3rd party auditing. View Profile
  • Daniel Farthing
    Daniel Farthing Daniel is a cyber security risk and technology controls Partner based in Grant Thornton's Sydney office. With 15 years of experience in the United States and Australia, Daniel is one of the market's leading experts on SOC-2 and technology controls audits more broadly -- including reviews with a focus on cyber/information security, access, change management, data governance and processing integrity. View Profile
  • Claire Scott
    Claire Scott Claire has 17 years of external audit, assurance & advisory experience for financial services clients including superannuation funds, investment managers, ADIs such as credit unions, mutual banks and foreign banks, mortgage funds and other financiers covering residential mortgage funds, personal lending, commercial lending, leasing and specialty finance. View Profile
  • Jane Stanton
    Jane Stanton Jane has over 20 years of financial services industry experience having worked in a variety of senior risk management, internal audit and finance roles for APRA regulated and listed entities. View Profile

Related content

View more

Managing macroeconomic risks through proactive stress testing

Client alert

Proactive stress testing to manage macroeconomic risk, strengthen financial stability and banking

Claire Scott
Tari Makanda
Jamil Saripada
| 4 min read | 01 Apr 2026

Grant Thornton supports AUSTRAC to develop the new AML/CTF Starter Kits

Press Release

Grant Thornton worked with AUSTRAC (the federal Anti-Money Laundering regulator) to support the development of their new AML/CTF Starter Kits released this week, designed specifically for Tranche 2 sectors including lawyers, real estate professionals, accountants, and conveyancers.

3 min read | 02 Feb 2026

What the Australian Clinical Labs privacy case means for cyber governance and M&A risk

Insight

The Federal Court’s $5.8M ACL decision signals a new era for privacy, cybersecurity, and governance in Australia. It reinforces that privacy and cyber obligations start Day 1 of any acquisition, governance failures will be scrutinised, and accountability cannot be outsourced. Boards must ensure robust oversight, deep cyber due diligence, and forensic incident response. With OAIC escalating regulatory enforcement, organisations face heightened legal, financial, and reputational risks.

Daniel Farthing
Matthew Green
| 5 min read | 10 Nov 2025
    View more