Operational resilience in Australia: CPS 230 compliance

Are you prepared to anticipate and recover from the unexpected?

As organisations place more reliance on technology to support ongoing operations, a sound understanding of how to minimise the impact of a disruption on your external stakeholders and the broader economy is of paramount importance. APRA’s Prudential Standard CPS 230 (Operational Risk Management) aims to reinforce the importance of maintaining a clear focus on customer outcomes in firms’ management and oversight of their risk and control environments, and sets minimum operational resilience requirements that must be maintained at all times so that any disruption minimises consumer harm.

CPS 230 implementation timeline

Jul 2022 – APRA publishes discussion paper and draft standard
Jan 2024 – Original enforcement date
Jul 2024 – APRA publishes finalised standard
1 July 2025 – CPS 230 goes into effect (revised enforcement date)
1 July 2026 – Full commencement for non-significant financial institutions

With the CPS 230 compliance deadline fast approaching, organisations are entering the final phase of implementation, prioritising the completion of outstanding requirements and actively responding to Board feedback.

CPS 230 day one checklist: Have you met all requirements?

Theme: Day one artefacts
1. Operating model: Operating model – integration of operational risk disciplines, with clear accountabilities and responsibilities defined
2. Board oversight: Comprehensive MI reporting for the Board and key committees
3. Operational risk management and framework: Refreshed risk management framework; updated risk appetite statement metrics
4. Risk profiles and reporting: GRC system refreshed with controls for CPS 230, alignment to critical operations and assessment of operational risk profile
5. Critical operations (COs): Board-approved critical operations, with clear ownership defined
6. Process and resource mapping: Critical operations mapped end-to-end, including inter-dependencies
7. Tolerance levels: Board-approved tolerance levels
8. Material service providers (MSPs): Board-approved service provider management policy; material service providers identified and monitored; APRA MSP register ready to share
9. Incidents and notifications: APRA notification requirements embedded into operations, including performance of dry-runs
10. Business continuity management: Board-approved business continuity planning covering all critical operations; library of severe but plausible scenarios defined; comprehensive testing strategy and plan in place
11. Technology resilience: Systems and infrastructure demonstrating the resilience capabilities needed to remain within the tolerance levels set for critical operations

How can Protiviti Australia help with CPS 230 implementation and operational resilience optimisation?

We help you take on the challenge of building and sustaining the processes required to demonstrate resilience. Our program and domain expertise across operational risk, business continuity and service provider management will give your Board confidence in your ability to achieve CPS 230 compliance.

Foundational capabilities
- Governance and oversight
- Operational risk
- Information security
- IT disaster recovery
- Business continuity
- Crisis management
- Service provider management

Gap assessment and roadmap development
Determining your CPS 230 readiness using a requirements traceability matrix.
Developing an informed and prioritised roadmap to address gaps against the requirements prior to the regulatory deadline.

Target operating model design
Working with your management team to develop a bespoke target operating model to manage CPS 230 compliance sustainably for the long term.

Critical operations framework development
Tailoring tried and tested methodologies to help you identify critical operations, establish tolerance levels and map end-to-end the processes, resources, risks and controls.

Program design and implementation
Designing and implementing a CPS 230 program leveraging Protiviti’s Operational Resilience Framework, with a focus on practical and proportionate delivery and strong governance to demonstrate compliance before the regulatory deadline.

Integrated resilience testing
Developing and delivering resilience testing; maturing capability from desktop walkthroughs through to evidence-based scenario testing, and integrating the output from other testing, such as ITDR and threat-led penetration testing, conducted across your business.

Program assurance
Providing an independent expert review of your planned, in-flight or completed CPS 230 activity to identify opportunities to improve practices.

Why Protiviti?

Technology enabled
- We work closely with leading firms to offer technology-enabled solutions for CPS 230 compliance and related initiatives, suitable for mid-size businesses through to leading global firms.
- Tools to model processes and capture process attributes offer a range of benefits for understanding your risk profile for CPS 230 compliance, as well as for wider strategic business optimisation initiatives.
- We partner with providers of GRC systems to help firms manage their risk profile sustainably and give senior management and the Board clarity on where to focus their time and investment.

Strong credentials
- Our CPS 230 and operational resilience clients include global SIFIs and other leading Australian banks, mid-size ADIs, large and mid-size insurers, and key suppliers to insurers and ADIs, such as technology firms.
- We have been delivering CPS 230 programs since the standard’s inception.
- We have designed CPS 230 and operational resilience target operating models to support sustainable long-term management.
- We have provided CPS 230 and operational resilience services across the three lines of defence.
- We have a substantial history of engagements across the foundational areas of cyber, business, technology and third-party resilience.

Contact us for more information on these frequently asked questions:

Board oversight: What information does our Board need to fulfil its oversight accountabilities?
Cross-disciplinary integration: How do we sustainably integrate practices that have traditionally operated in silos – operational risk management, business continuity, service provider management and IT service continuity?
Demonstrating resilience: To what extent should we test our ability to remain within tolerance levels, and how do we demonstrate that our technology suite and key suppliers support recovery within defined tolerance levels?
Managing competing priorities: How do we meet the new requirements in the face of cost-cutting initiatives? How do we manage competing local and international requirements, in particular the EU’s Digital Operational Resilience Act (DORA)?

Leadership

Hirun Tantirigama
Hirun is a managing director with 15 years’ experience in providing risk and regulatory advisory services across a variety of clients and industries. He has led complex, transformational programs across areas such as operational risk, regulatory remediation, operational ...

Mark Burgess
Mark is a managing director and Protiviti’s risk and compliance solution lead. With over 17 years of risk and regulatory compliance experience in the financial services industry, he has a proven track record of delivering deep insights for his clients. Mark has spent a ...

Matthew Pirera
Matt is a managing director in Protiviti Australia’s risk and compliance team and is responsible for leading the delivery of best practice solutions across Protiviti’s key clients. Matt is the national financial services industry lead, also leading the Protiviti ...

Find out more about Protiviti Australia’s service offerings:

Operational Resilience
Improve resilience through a robust testing program, building on existing business continuity management activities, IT disaster recovery and cybersecurity incident response. We bring knowledge across the four domain areas of operational resilience: business, technology, cyber and third-party.

Regulatory Compliance
Disruptive technologies, regulatory pressures, evolving customer loyalty and pressure to enhance economic returns are just some of the challenges organisations need to overcome by innovating and managing their compliance risks to succeed over the next decade.

Risk Management Consulting
Protiviti helps organisations around the world assess risk and develop tech-enabled solutions to manage risk in an agile manner and minimise potential losses. We bring leading insights and innovative capabilities to help you meet future challenges.

CPS 230 – APRA’s new standard to improve operational risk and resilience
On 17 July 2023, the Australian Prudential Regulation Authority (APRA) released the final new prudential standard CPS 230 Operational Risk Management, which is largely aligned with requirements in other jurisdictions, including the United States, the United Kingdom, Hong Kong and Singapore.