From www.claytonutz.com: APRA’s CPS230 Operational Risk Management standard, effective from July 1, 2025, will replace the existing CPS231/SPS231 standards and introduce new requirements for managing operational risks, particularly related to outsourcing and third-party engagements.

Regulated entities must establish a comprehensive service provider management policy, conduct due diligence on material service providers, and maintain a register of these providers, among other obligations.

The standard also emphasizes the importance of managing fourth parties, which are subcontractors relied upon by service providers, and requires documented risk management processes for these entities.