For many organisations, CPS 230 felt like a sprint.
Critical operations were mapped.
Material service providers were identified.
Policies were updated.
Boards were briefed.
And then, on 1 July 2025, CPS 230 went live.
What we're seeing now is the next phase – often referred to as ‘Day 2’ compliance – where the question is no longer “are you ready?” but “can you prove this actually works?”
APRA's expectations are clear: operational resilience and service provider management must be embedded, monitored and maintained, not just documented.
From Implementation to Evidence
CPS 230 requires entities to:
- manage operational risk on an ongoing basis
- maintain critical operations within approved tolerances
- effectively manage risks arising from service providers through formal agreements and robust monitoring
In other words, compliance doesn't end when the framework is approved. It starts when the business is operating under it.
This is where many organisations are now feeling the strain.
Why ‘Day 2’ Is So Challenging
During implementation, the focus is often on design:
- policies and registers
- governance structures
- risk frameworks
Day 2 compliance is different. It's operational.
It requires organisations to demonstrate that:
- service providers are performing in line with contractual obligations
- risks are being monitored and escalated
- issues are identified early and addressed
- the Board receives meaningful, defensible reporting
This shift exposes gaps that were easy to overlook during implementation.
Contracts Are Now Living Compliance Tools
Under CPS 230, contracts are no longer just commercial documents. They are a primary control mechanism for managing operational risk arising from service providers.
Formal agreements with material service providers must support:
- operational resilience
- business continuity obligations
- information sharing and notification
- audit and assurance rights
- performance monitoring
For pre‑existing contracts, these requirements apply from the earlier of renewal or 1 July 2026 – which means many organisations are now working through significant contract uplift programs.
The Role of Ongoing Contract Management
One of the most common ‘Day 2’ gaps we see is this:
the contract exists, but no one is actively managing against it.
Effective CPS 230 compliance requires ongoing contract management, including:
- monitoring performance against agreed SLAs and KPIs
- tracking compliance with resilience and continuity obligations
- ensuring incident notification and escalation processes are followed
- managing changes to services, subcontracting and fourth‑party reliance
- documenting issues, remediation and outcomes
Without this, organisations may struggle to demonstrate that risks arising from service providers are being actively managed.
Supplier Management Is Not Set and Forget
CPS 230 explicitly lifts expectations around service provider monitoring and reporting.
This includes:
- prioritising material service providers
- regularly assessing provider performance and risk
- ensuring senior management receives appropriate reporting
- escalating issues where performance or resilience falls short
In practice, this means supplier management must be:
- structured
- repeatable
- aligned to risk
Ad hoc reviews and informal conversations are unlikely to be sufficient where a provider supports a critical operation.
Reporting That Actually Helps the Board
Another ‘Day 2’ pressure point is board reporting.
Boards are accountable for oversight of operational risk and service provider management under CPS 230. That requires reporting that goes beyond high‑level assurance statements.
Effective reporting typically:
- focuses on material service providers and critical operations
- highlights emerging risks and trends
- links performance issues to contractual obligations
- shows how issues are being managed and resolved
This is where legal, risk and contract management functions need to work closely together.
The Capacity Challenge for In‑House Teams
For many in‑house legal and risk teams, the challenge isn't understanding what CPS 230 requires – it's having the capacity to sustain it.
Ongoing obligations include:
- contract reviews and variations
- supplier performance reviews
- supporting risk and compliance reporting
- responding to incidents and remediation activities
These tasks don't replace BAU work. They sit alongside it.
Without additional support, Day 2 compliance can quickly become reactive.
How MM Legal+ Supports CPS 230 Day 2 Compliance
At MM Legal+, we support organisations beyond initial CPS 230 implementation by helping embed compliance into day‑to‑day operations.
Our ongoing support includes:
- contract uplift and ongoing contract management for material service providers
- supplier management support, including SLA and KPI tracking
- assistance with reporting frameworks and documentation
- overflow legal support for in‑house teams managing regulatory change
- practical alignment of contracts, policies and risk frameworks
We work as an extension of your team – focused on making compliance sustainable, not theoretical.
Final Thought
CPS 230 was never meant to be a one‑off project.
‘Day 2’ compliance is where regulators will look to see whether operational resilience is truly embedded – and whether organisations can evidence how they manage risk arising from service providers over time.
Strong frameworks matter.
But it's ongoing contract and supplier management that keeps CPS 230 alive.