
APRA CPS 230: what it actually means for AI in Australian financial services

APRA's operational risk standard quietly raises the bar for AI in regulated financial institutions. Here's what it requires, where it bites, and how we're seeing it implemented.

By Appoly 7 min read

APRA's CPS 230 (Operational Risk Management) came into force in July 2025 for Australian banks, insurers, and superannuation funds. The standard is broad — it covers all material operational risks — but its implications for AI-driven systems are particularly sharp.

Most institutions we work with are working through what the standard requires of their existing AI and what it'll demand of their next AI investment. This is what we're seeing.

What CPS 230 actually requires

The standard has a few key planks that matter for AI:

Management of operational risk

APRA-regulated entities must "manage operational risk in accordance with the principles of operational resilience". AI systems making material decisions are operational risk. They need explicit risk management, not an implicit assumption that "the model will sort it".

Critical operations identification

Each entity must identify its "critical operations" — services whose disruption would cause material harm to customers or financial stability — and ensure resilience for them. Many AI deployments touch critical operations (fraud detection, credit decisioning, customer service triage, anti-money laundering). The implications: AI in any of these areas is a CPS 230 obligation, not an optional feature.

Third-party service provider management

CPS 230 places extensive obligations around third-party providers, including AI vendors. You need due diligence, contractual rights to audit, contingency plans for provider failure, and ongoing monitoring.

What it means in practice: using OpenAI, Anthropic, or Azure OpenAI for production decisions in a regulated context is now a board-level governance question, not a developer choice.

Business continuity and tolerance for disruption

You need to define explicit tolerance levels for disruption to critical operations, and demonstrate that you can recover within those tolerances. AI-driven decision systems need fallback paths: human reviewers, simpler rule-based systems, manual workflows that activate when the AI is unavailable or untrustworthy.

Incident management

CPS 230 requires explicit incident management for operational risk events. An AI model producing biased outputs, drifting accuracy, or recommending fraud cases incorrectly is a CPS 230 incident — even if it didn't cause downtime.

Where the standard bites for AI

In practice, there are four areas where we see institutions doing the most work:

1. Model governance documentation

CPS 230 isn't satisfied by "we trained a model and tested it". It requires evidence of structured model risk management: model purpose, design decisions, training data provenance, validation methodology, ongoing performance monitoring, and change control.

For each material AI deployment, expect 40–80 pages of model documentation. Most institutions we work with hadn't been producing this before CPS 230.

2. Human oversight architecture

Pure end-to-end AI decisions are increasingly hard to justify in regulated contexts. The institutions getting CPS 230 right are designing for human-in-the-loop at the moments that matter: high-value transactions, novel pattern detection, customer complaint outcomes, anything affecting credit access.

This isn't anti-AI — it's the deliberate design choice that AI augments, not replaces, the regulated decision-maker.

3. Vendor management of foundation models

The big change. Using a hosted LLM in production now requires contractual documentation, security review, data handling agreements, business continuity planning, and exit strategies. Most of the off-the-shelf "let's add a chatbot" deployments from 2023–2024 are now revisiting their vendor relationships.

Realistic implications: smaller AI vendors will struggle to meet CPS 230 due diligence requirements; larger vendors (AWS, Microsoft, Google) are investing heavily in CPS 230–aligned offerings; some workloads will move on-premise or to sovereign cloud.

4. Bias and fairness monitoring

CPS 230 read together with ASIC's guidance on algorithmic fairness means institutions need active monitoring for bias in AI outputs, not just at deployment but on an ongoing basis.

The data infrastructure for this — separate evaluation sets, fairness metrics, segment-by-segment performance tracking — is non-trivial. Most institutions are building it in 2025–2026, not 2024.
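As an added illustration of the segment-by-segment tracking described above (example code written for this page, not from the post or any institution), the block below computes per-segment approval rates from a constructed evaluation set and flags any segment that falls below an assumed disparity threshold; the segment names, sample records and the 0.8 minimum ratio are all assumptions.

```python
from collections import defaultdict

def make_records(segment, appr_good, rej_good, appr_bad, rej_bad):
    """Build constructed decision records; 'good' means the customer did not default."""
    recs = []
    recs += [{"segment": segment, "approved": True,  "defaulted": False}] * appr_good
    recs += [{"segment": segment, "approved": False, "defaulted": False}] * rej_good
    recs += [{"segment": segment, "approved": True,  "defaulted": True}] * appr_bad
    recs += [{"segment": segment, "approved": False, "defaulted": True}] * rej_bad
    return recs

# Constructed evaluation window for a credit-decisioning model (segment names assumed).
SAMPLE = make_records("segment_A", 7, 1, 1, 1) + make_records("segment_B", 5, 3, 0, 2)

def segment_metrics(records):
    """Per-segment approval rate, plus approval rate among customers who did not
    default (the equal-opportunity view), from one evaluation window."""
    tally = defaultdict(lambda: {"n": 0, "approved": 0, "good": 0, "good_approved": 0})
    for r in records:
        t = tally[r["segment"]]
        t["n"] += 1
        t["approved"] += r["approved"]
        if not r["defaulted"]:
            t["good"] += 1
            t["good_approved"] += r["approved"]
    return {
        seg: {
            "approval_rate": t["approved"] / t["n"],
            "good_approval_rate": t["good_approved"] / t["good"] if t["good"] else 0.0,
        }
        for seg, t in tally.items()
    }

def disparity_flags(metrics, min_ratio=0.8):
    """Compare every segment to the best segment on each metric; flag those whose
    ratio is below min_ratio (an assumed policy threshold, to be set by the risk team)."""
    flags = []
    for metric in ("approval_rate", "good_approval_rate"):
        ref = max(m[metric] for m in metrics.values())
        for seg, m in metrics.items():
            ratio = m[metric] / ref if ref else 1.0
            if ratio < min_ratio:
                flags.append((seg, metric, round(ratio, 3)))
    return flags

if __name__ == "__main__":
    metrics = segment_metrics(SAMPLE)
    for seg, values in metrics.items():
        print(seg, values)
    for flag in disparity_flags(metrics):
        print("Review as a CPS 230 operational risk event:", flag)
```

Run on each new evaluation window, a non-empty flag list is the trigger for the incident process the standard requires, while the per-segment metrics feed the ongoing performance record for the model file.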

Where this lands operationally

For the institutions we work with, CPS 230 has produced three observable shifts:

  • AI initiatives now require risk committee sign-off before development starts, not just before launch. The cost of late-stage rejection is too high.
  • Model documentation is now part of the build, not a post-hoc artefact. It is treated as a deliverable equal to the code.
  • Foundation model choice is a procurement decision. Vendor agreements, data residency, audit rights matter as much as model capability.

What to do now

If you're at an APRA-regulated entity and AI is anywhere on your roadmap:

  1. Treat AI deployments as material operational risks from inception. Get the risk team involved at scoping, not at release.
  2. Build documentation infrastructure — templates, review processes, sign-off gates — that scales as AI volume grows. The marginal cost of doing this properly should approach zero.
  3. Audit your existing AI for CPS 230 compliance. Most institutions have at least one production model that wouldn't pass review under the new standard.
  4. Be deliberate about foundation model vendors. The choice in 2025 is different from 2023.

How we help

We work with APRA-regulated institutions on AI projects from scoping through to production deployment, including the documentation and governance work that CPS 230 demands.

If you're working through a CPS 230 implementation and want a senior team's view, book a discovery call.
