APRA’s CPS 230 Tweaks: Small Amendment, Big Governance Signal

APRA has not reopened the whole CPS 230 debate — but it has made a clear point: operational risk governance is still being tightened, tested and adjusted.

For boards and executive teams, that means the work does not stop at implementation. The real issue is whether your organisation can show that CPS 230 is embedded, evidenced and working on an ongoing basis across the business, not just on paper.

The release was APRA’s final targeted amendments to CPS 230 Operational Risk Management, published on 30 April 2026. It is directed at APRA-regulated entities, with relevance for superannuation, governance, risk management and privacy/data arrangements where operational resilience and control ownership intersect.

Board-Level Take

This is a refinement release, but it still matters.

When a prudential standard is amended in a targeted way, the signal is usually that APRA has seen a need to sharpen expectations rather than leave interpretation to industry drift. That can affect how entities document controls, allocate accountability, and demonstrate the quality of their operational risk framework.

For senior leaders, the question is not whether the change is dramatic. The question is whether any “minor” amendment quietly changes how evidence must be assembled, who owns remediation, or how assurance is reported to the board.

What Is Actually Changing and Why It Matters

Targeted amendments usually mean targeted pressure points

The update indicated APRA focused on specific parts of CPS 230 rather than issuing a wholesale rewrite. That matters because targeted amendments often sit where regulators have identified ambiguity, implementation friction or the need for clearer supervisory expectations.

Boards should read that as a cue to revisit any assumptions that the original implementation work is automatically sufficient.

A targeted amendment can still alter the practical burden on governance documents, operational risk records, outsourced arrangements or control assurance.

Operational risk is not just a compliance exercise

CPS 230 sits at the intersection of risk, operations, technology, third-party management and accountability. In practice, that means the update is relevant to teams managing control environments, incident escalation, business continuity and evidence for committee and board oversight.

For organisations with complex operating models — especially superannuation entities — the challenge is making sure the framework is joined up. If responsibilities are split across risk, compliance, operations and privacy functions, the amendment may expose gaps in ownership or duplicate evidence gathering.

Privacy and data controls may need to be viewed through an operational resilience lens

The change includes consideration of privacy and data, which is a reminder that data handling and operational risk are increasingly linked.

If controls over data use, storage, access, incident handling or vendor dependencies are already under review, this release may strengthen the case for integrating those reviews into the CPS 230 program.

That is important because fragmented control reviews create blind spots.

Boards should be asking whether privacy, cyber and operational risk narratives are aligned, or whether separate governance tracks are still being managed in silos.

Questions Boards, Executives and Risk Teams Should Ask

  • Which parts of our CPS 230 implementation plan are affected by APRA’s targeted amendments, and have we re-tested those assumptions?
  • Do we have clear ownership for updating policies, procedures, control maps and board reporting if the amendment changes our interpretation of obligations?
  • Where do our operational risk, privacy/data and third-party risk frameworks overlap, and are those overlaps documented consistently?
  • What evidence would we produce if asked to show how the amended requirements have been assessed, approved and embedded?
  • Are any superannuation-specific governance or operating model issues making implementation harder than the standard suggests on its face?
  • Have we confirmed that our assurance plan will still be meaningful after the final targeted changes are applied?

Why This Needs Attention

The fact APRA has issued final targeted amendments means organisations should treat this as active change, not background reading.

The sensible move is to update the gap assessment now, then work through documentation, testing and assurance before the issue becomes a supervisory question. Finally, identify what mechanisms you have to assess maturity on an ongoing basis, and are they simple and easy to use.

Waiting usually creates avoidable rework. If the amendment affects how evidence is gathered or how accountability is shown, late discovery can be more expensive than early course correction.

Keeping the Board Ahead of the Curve

If your board or risk team wants a practical way to assess maturity, identify evidence gaps and prioritise uplift without defaulting immediately to a large consulting exercise, that is where we can help.

The immediate task here is simple: work out whether these targeted CPS 230 amendments change your governance story, your control evidence, or your readiness to explain the framework to APRA or the board.

More from the Reading Room

The Qantas privacy finding: a positive lesson in third-party oversight

A serious data breach does not automatically mean governance failed. The more important question is whether an organisation can demonstrate that it understood the risks,...

“Cheap and Out of Date”, a Board-Level Resilience Question

A practical risk maturity article using a current event to test ownership, evidence, controls, challenge and decision quality.

Everyone Passed. That’s Not the Point.

APRA's inaugural System Risk Stress Test found four major banks and six super funds individually resilient, but exposed concentration risk and a super-fund liquidity mechanism that could amplify a system-wide shock.

APRA finalises reinsurance framework changes

APRA's finalised reinsurance framework eases access to catastrophe bonds and shifts capital-treatment decisions to the appointed actuary, changing what boards need to evidence before the 1 January 2027 start date.