Skip to main content
Image coming soon

APRA CPS 230 Operational Risk for Financial Executives

$199.00
Adding to cart… The item has been added

A focused course, tailored for you

APRA CPS 230 Operational Risk for Financial Executives

Build the cross-divisional tolerance framework and board attestation structure a diversified financial group actually needs under CPS 230.

The Board Risk Committee agenda has the CPS 230 operational risk tolerance statement on it for the third quarter running. Not because no one is working on it. Because the cross-divisional alignment on which operations qualify as "critical" and what disruption window is genuinely acceptable keeps hitting the same walls: each division has different answers, and none of them map cleanly to what APRA's prudential standard actually requires.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

Large, diversified financial groups face a CPS 230 implementation problem that smaller ADIs do not have. A mono-line bank can define critical operations in a morning workshop. A group running commodities trading, infrastructure lending, retail banking, and asset management under a single APRA-regulated umbrella runs into four different answers to every definitional question. What disruption period is genuinely tolerable? Commodities says two hours. Banking says four. Asset management says it depends on the product. None of those answers are wrong on their own terms. But CPS 230 requires a single board-approved tolerance statement that covers all of them, and a single board paper that demonstrates the cross-divisional calibration was done with methodology, not compromise. The governance layer adds another dimension. The board must approve the tolerance statement, the BRC must review it annually, and executive management must maintain the evidence trail that shows APRA the process was real and not retrospectively assembled. For group executives who already have risk appetite frameworks, the temptation is to retrofit. APRA has been clear that a risk appetite framework does not meet the CPS 230 tolerance statement requirement. A distinct document, with specific content, is needed. Building it from the right starting point saves six to twelve months of supervisory feedback loops.

What you walk away with

  • Write a CPS 230 critical operations inventory that passes APRA's materiality test across all your regulated entities.
  • Draft operational risk tolerance statements that align commodities, banking, and asset management thresholds into a single board-approvable document.
  • Structure the board paper on operational risk governance so the BRC gives substantive, not procedural, sign-off.
  • Build the third-party and intragroup service level commitment register CPS 230 requires, including the substitutability assessment for each critical dependency.
  • Design the annual review and board attestation cycle so the prudential standard requirement is met without last-minute sprint work.
  • Facilitate the cross-divisional calibration workshop that produces aligned tolerance thresholds instead of negotiated compromises.

The 12 modules

Module 1. CPS 230 Scope: What APRA Actually Requires
CPS 230 applies to APRA-regulated entities, but the standard's requirements land very differently at a large, diversified financial group than at a mono-line bank. This module maps the five categories of obligation under CPS 230, identifies which apply at the group level versus at the individual ADI or RSE licensee level, and builds the scoping decision tree that determines what your board must attest to.
Module 2. Defining Critical Operations Across Business Lines
APRA defines critical operations as those whose disruption would have a material adverse impact on customers, counterparties, or the financial system. For a group running commodities trading, infrastructure lending, and retail banking under one prudential umbrella, materiality thresholds are not uniform. This module builds the business-line-by-business-line impact assessment matrix and runs the criteria through APRA's own guidance to produce a defensible critical operations inventory.
Module 3. Operational Risk Tolerance Statements: Drafting for Board Sign-Off
APRA requires the board to approve an operational risk tolerance statement before the entity can attest compliance. This module covers what APRA expects to see in that document, the difference between a risk appetite framework and a CPS 230-compliant tolerance statement, and the six sections every board-ready tolerance document must contain. You draft your entity's first compliant statement as a module deliverable.
Module 4. Cross-Divisional Calibration: Resolving Threshold Divergence
When commodities and banking have different answers to how many hours of outage is acceptable before it is a CPS 230 breach, the group executive's job is to surface the methodology that resolves the divergence rather than averaging it away. This module covers the calibration workshop facilitation method, the escalation decision tree for threshold disagreements, and how to document the resolution so it holds up in an APRA supervisory review. You produce the workshop artefact.
Module 5. Third-Party Dependencies and Service Level Commitments
CPS 230 requires entities to identify and manage operational risks arising from reliance on third parties, including intragroup dependencies. For a group that relies on shared technology services, offshore operations centres, and external data vendors, this module builds the third-party risk register format CPS 230 demands, the service level commitment review process, and the substitutability assessment each critical third party needs. You produce the register template and a sample substitutability analysis.
Module 6. Business Continuity Plans: Minimum Viable Operations
CPS 230 requires each critical operation to have a documented plan that can restore minimum viable operations within the tolerance period. This module covers how to set the minimum viable operations threshold for each business line, how to structure the plan document APRA expects distinct from a traditional BCP, and how to test the plan without interrupting the operations it is designed to protect. You build the BCP template for one of your designated critical operations.
Module 7. Scenario Analysis for Operational Risk
CPS 230 expects entities to use scenario analysis to test whether their tolerance statements and continuity plans are adequate against plausible severe events. For a group active in energy trading, infrastructure, and banking, relevant scenarios span cyber incidents, natural catastrophe, key person dependencies, and contagion from a large third-party failure. This module builds the scenario selection methodology and the analysis template that produces board-ready stress-test outputs.
Module 8. Control Effectiveness Testing and Attestation
Saying you have controls is not enough under CPS 230. APRA expects evidence that controls are tested regularly and their effectiveness confirmed. This module covers the testing schedule design, the evidence standards APRA supervisors look for, the difference between design effectiveness and operating effectiveness, and how to structure the quarterly attestation cycle so the board signs off on tested results, not asserted ones. You produce the testing register and attestation calendar.
Module 9. APRA Supervisory Returns and Breach Notification
When a tolerance limit is breached, CPS 230 requires notification to APRA within specific timeframes. This module covers the breach identification process, the notification obligation triggers, the supervisory return templates APRA uses, and the post-breach remediation evidence APRA expects before it regards the matter as closed. You produce the breach notification protocol and the internal escalation flowchart that tells every level of management exactly what to do when the threshold is hit.
Module 10. Intragroup Dependencies and Group-Level Scoping
Many large financial groups provide shared services to their regulated subsidiaries, covering technology, finance, and operational functions. Under CPS 230, these intragroup arrangements need the same scrutiny as third-party dependencies. This module covers how to document intragroup service arrangements to satisfy the CPS 230 third-party provisions, how to structure the master intragroup agreement to meet APRA's requirements, and what a supervisory review will specifically check about your group's internal service delivery model.
Module 11. Board and Risk Committee Governance Structure
CPS 230 assigns specific responsibilities to the board, the board risk committee, and executive management. For a large financial group, the governance layer is often already complex. This module maps the exact CPS 230 accountability chain onto your existing governance structure, identifies where the standard creates new board obligations not covered by your existing risk committee charter, and produces the board-ready governance statement and delegated authority register that CPS 230 requires you to maintain and review annually.
Module 12. Annual Review and Attestation Cycle Design
CPS 230 is not a one-time implementation project. APRA expects that your operational risk tolerance statements, critical operations inventory, and BCP suite are reviewed and attested annually by the board. This module designs the annual review calendar, the internal evidence-gathering cadence that feeds each board attestation, the assurance process that confirms whether the prior period's plan held up against actual disruption events, and the multi-year improvement roadmap that demonstrates proactive risk management to APRA.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

You are a Group Executive at an APRA-regulated financial group and the BRC has asked when the CPS 230 board attestation will be ready.
You need to resolve a cross-divisional disagreement about what qualifies as a critical operation and what disruption threshold is acceptable for each business line.
You have extensive third-party and intragroup dependencies and need to document them in a way that satisfies CPS 230's service level commitment provisions.
You own the board attestation cycle and need to design an annual review process that is defensible to APRA supervisors without creating a last-minute sprint for your team every quarter.

What you get with this course

  • 12 written modules covering every CPS 230 implementation milestone for a diversified financial group
  • Downloadable templates: critical operations inventory, operational risk tolerance statement, BCP template, third-party risk register, substitutability assessment, attestation calendar, breach notification protocol, and board governance statement
  • Hand-built implementation playbook tailored to your group's divisional structure and existing risk governance framework
  • Access to the learning environment within 24 hours of purchase

What you will have in hand by Day 1, Week 1, Month 1

Access to the learning environment and all 12 modules within 24 hours of purchase.

Implementation playbook delivered at the same time, hand-built for your group's divisional structure and existing governance context.

All templates available for download from module 1 onward.

Before and after

Before

The CPS 230 tolerance statement is on the BRC agenda for the third consecutive quarter. Each division has different answers about criticality and thresholds. The board paper is not ready because no one can agree on a methodology that satisfies both the business and the prudential standard.

After

Tolerance statements drafted and board-approved. Critical operations inventory signed off across all divisions with a documented calibration methodology. Third-party service level register complete. Annual attestation cycle running without last-minute sprint work or retrospective artefact assembly.

What happens if you do not address this

APRA has made clear that CPS 230 compliance is expected without extension. Groups that cannot demonstrate a board-approved tolerance statement and a functioning BCP suite for each critical operation face a supervisory attention cycle that is significantly more burdensome than building the framework correctly the first time. APRA supervisory reviews of non-compliant entities result in enforceable undertakings and heightened prudential oversight, both of which consume more executive time than the implementation would have required.

Who it is for

Senior executives at large APRA-regulated financial groups who hold governance responsibility for operational risk management. This includes group chief risk officers, executive directors with board risk committee accountability, heads of operational risk at diversified financial conglomerates, and group executives whose sign-off is required on the CPS 230 board attestation. The typical participant is already familiar with risk governance frameworks but needs the CPS 230-specific methodology and templates to produce artefacts that will survive APRA supervisory scrutiny.

Who this is NOT for. Risk analysts or junior compliance staff building the underlying control registers. Business line heads who delegate all risk governance to their risk teams. Executives at smaller, single-business ADIs where the cross-divisional complexity this course addresses does not arise.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Designed for completion over three to four weeks at two to three hours per module. The implementation playbook compresses the total time to board-ready artefacts significantly by pre-mapping the methodology to your group's divisional context.

Why $199 is the right number

APRA-focused advisory firms typically charge between $150,000 and $400,000 for a CPS 230 readiness engagement. Prudential governance consulting at the board-paper level adds a further $20,000 to $50,000 per workstream. This course delivers the same methodology, all templates, and a hand-built implementation playbook specific to your group's situation for $199.

FAQ

Is this relevant to a conglomerate that has both APRA-regulated and non-APRA-regulated entities under the same group?
Yes. The course covers both group-level obligations and entity-level obligations. Module 1 walks through the scoping decision that determines which entities within your group are subject to which provisions, and how intragroup arrangements affect the regulated entities even when the service provider is not itself APRA-regulated.
Our risk appetite framework is already well developed. Will this course just duplicate what we have?
No. CPS 230 requires a specific operational risk tolerance statement that is distinct from a risk appetite framework. Module 3 covers exactly this distinction and explains what the board-approved document must contain that most existing appetite frameworks do not address.
How specific is the implementation playbook to our situation?
The playbook is hand-built after reviewing the course material for your role and group context. It addresses the specific calibration challenges of a multi-divisional financial group and includes the workshop facilitation agenda for your cross-divisional threshold alignment process.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

!