Skip to main content
Image coming soon

APRA CPS 230 Operational Risk for Financial Services

$199.00
Adding to cart… The item has been added

A focused course, tailored for you

APRA CPS 230 Operational Risk for Financial Services

Build the methodology that survives an APRA review, from critical operations scoping through MSP classification, BCP testing, and notification procedures.

The service provider register is reviewed and returned. The critical operations scope is contested. The BCP owner list has gaps. The methodology that would resolve all three does not exist in writing yet, and every review cycle surfaces the same open items.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

APRA's CPS 230 standard is specific about what financial services firms must produce, but not about how to produce it. The gap between the obligation and the methodology shows up in the artefacts: a service provider register where MSP classification decisions cannot be traced to documented criteria, a critical operations scope that was decided by committee but never written down, BCPs that name a recovery time objective without the dependency map to support it. Associates doing the implementation work inherit this gap. They receive a register template or a BCP template and are expected to fill it correctly, but the classification criteria, the scoping methodology, and the BCP testing framework are not in the template. They are in APRA's guidance, in the firm's risk appetite, and in decisions that have never been written down. This course writes them down, with decision trees, worked examples, and templates built specifically for the Australian financial services context.

What you walk away with

  • Document a defensible critical operations scope using APRA's three-criteria definition, supported by a scoping methodology your team can reapply at the next material change.
  • Classify service provider arrangements as Material or non-Material using a decision tree that traces the classification back to the CPS 230 criteria and the APRA guidance on substitutability and concentration risk.
  • Build service provider register entries that pass a CPS 230 review, including the risk assessment dimensions, contractual status fields, and concentration risk flags that APRA examiners look for.
  • Produce BCP documentation for a critical operation that includes activation criteria, the dependency map, recovery steps with RTOs, and owner assignments, structured for APRA review.
  • Design and document a CPS 230 scenario test exercise, including scenario selection criteria, exercise format, gap documentation, and the remediation tracking process after an exercise surfaces a weakness.
  • Set up the governance and reporting infrastructure for ongoing CPS 230 compliance, including the board reporting template, the APRA notification decision tree, and the annual self-assessment workbook.

The 12 modules

Module 1. CPS 230 Architecture and Obligation Mapping
CPS 230 integrates three obligation streams that most implementations treat as separate tracks: operational risk management, business continuity, and service provider oversight. This module maps the three streams to each other and to your existing control environment, producing an obligation register that identifies where your current framework satisfies CPS 230 requirements and where it needs uplift. The output is the project scope document that gives your implementation a defensible starting boundary before any artefact work begins.
Module 2. Defining Critical Operations: The Scoping Decision
The definition of critical operations in CPS 230 rests on three criteria: disruption that materially affects depositors, members, or policyholders; damage to the firm's financial soundness; or material reputational risk. This module works through the APRA guidance on applying each criterion, the documentation required to support your scoping decision, and the governance process for getting the scope approved and recorded. You produce a scoping methodology document structured to hold under direct APRA examiner scrutiny.
Module 3. Business Process Inventory for Critical Operations
Mapping business processes to critical operations requires a hierarchy that runs from operation to activity to task, with each level documenting system dependencies, process owners, recovery time objectives, and recovery point objectives. This module covers the inventory structure, the data elements APRA examiners expect at each level, the collection workflow for pulling submissions from across business units, and the review process for keeping the inventory current when processes change. You build a populated template using two financial services critical operation examples.
Module 4. The Service Provider Register: Structure and Data Model
The service provider register is the first artefact APRA examiners interrogate. This module covers the register's required fields, including service description, criticality tier, contractual status, key risk indicators, and concentration risk flags, and the data collection workflow for pulling records from procurement, legal, and business operations. You finish with a register schema, a data collection questionnaire for business unit completion, and a governance structure for keeping the register accurate across its lifecycle between review cycles.
Module 5. Material Service Provider Classification: Criteria and Decision Tree
MSP classification is where most registers stall, because the criteria in CPS 230 require judgment on substitutability, concentration risk, and single-point-of-failure exposure that the standard does not prescribe in detail. This module examines the criteria, the APRA letter guidance, and worked examples across the four most contested categories in financial services: cloud infrastructure providers, payment processors, data analytics vendors, and offshore captive arrangements. You build a classification decision tree with supporting documentation requirements for each possible outcome.
Module 6. Third-Party Risk Assessment for Material Service Providers
Once an arrangement is classified as a Material Service Provider, APRA expects a risk assessment that goes beyond a standard third-party risk scorecard. This module covers the CPS 230-specific assessment dimensions, including operational resilience, information security posture, financial viability, and exit capability, and the escalation criteria that trigger enhanced oversight or contractual remediation. You produce an MSP assessment template and an escalation decision framework ready for application across your service provider population.
Module 7. CPS 230 Contractual Requirements for MSP Arrangements
CPS 230 mandates specific contractual provisions for Material Service Provider arrangements, covering termination rights, audit access, sub-contractor notification, and business continuity cooperation obligations. This module maps APRA's requirements to contract clause language, covering both new arrangements structured after the standard and the remediation of existing contracts that predate it. You finish with a contract review checklist and a clause library covering the most common MSP contract structures used in the Australian financial services market.
Module 8. Business Continuity Plans for Critical Operations
Business continuity plans under CPS 230 must be operation-specific, tested, and assigned to named owners. This module covers the BCP structure APRA expects, including objectives, activation criteria, recovery steps, recovery time targets, dependency maps, and escalation chains, and the documentation standard required for each element to satisfy a review. You produce a BCP template for a financial services critical operation, populate it with two dependency map examples from the banking and asset management context, and build the owner assignment and review schedule.
Module 9. Scenario Testing and BCP Exercise Design
APRA expects BCPs to be tested through scenarios that simulate real disruption, not exercises that confirm what everyone already knows. This module covers scenario selection criteria for financial services critical operations, including third-party failure scenarios and simultaneous disruption events, the exercise formats from tabletop through live test, documentation requirements for each format, and the gap remediation process after an exercise finds a weakness. You design a scenario test programme for one critical operation and produce the exercise report template.
Module 10. Incident Management and CPS 230 Notification Requirements
CPS 230's notification requirements are tighter than most operational risk teams expect. Material incidents and service provider failures affecting critical operations require APRA notification within defined timeframes, and the classification criteria for what triggers a CPS 230 notification versus a normal incident report are not always clear from the standard alone. This module covers the incident classification criteria, the notification decision tree, the notification template, and the post-notification review requirements, producing a notification procedure your team can execute without ambiguity.
Module 11. Governance, Board Reporting, and APRA Attestation
CPS 230 requires board oversight, documented management accountability, and executive attestation to APRA. This module covers the governance framework, including board risk committee mandate, the management accountability statement, and the annual attestation process, and the reporting structure with the metrics and indicators boards need for genuine oversight without operational detail. You produce a board reporting template and an executive accountability framework aligned to CPS 230's governance requirements and APRA's published supervisory expectations.
Module 12. Self-Assessment and Continuous Improvement Cycle
CPS 230 compliance requires a self-assessment and improvement cycle that responds to material changes, regulatory feedback, and exercise findings, not just a point-in-time implementation. This module covers the self-assessment methodology, including scoping, evidence collection, gap rating, and management response, the trigger events that require an out-of-cycle review, and the integration of CPS 230 assessments into the firm's broader operational risk management cycle. You finish with a self-assessment workbook and an improvement tracking template built for the annual APRA review cadence.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

Modules 1 to 3 address the scoping and inventory work that defines the implementation boundary, resolving the most common point of contention between the operational risk team and business units about what is in scope and at what granularity.
Modules 4 to 7 address the service provider obligations, providing the register structure, classification methodology, risk assessment framework, and contract review process that Material Service Provider management requires.
Modules 8 to 10 address business continuity and incident response, building the BCP artefacts, the scenario test programme, and the APRA notification procedure that most implementations leave incomplete.
Modules 11 and 12 address governance and ongoing compliance, establishing the board reporting structure, the attestation process, and the self-assessment cycle that sustains CPS 230 compliance beyond the initial implementation project.

What you get with this course

  • 12 written modules covering the CPS 230 implementation methodology from critical operations scoping through ongoing self-assessment
  • Critical operations scoping methodology document and worked examples
  • Service provider register schema and data collection questionnaire
  • MSP classification decision tree with supporting documentation requirements for each classification outcome
  • MSP risk assessment template and escalation decision framework
  • Contract review checklist and MSP clause library for Australian financial services arrangements
  • BCP template for financial services critical operations with dependency map examples from banking and asset management
  • Scenario test programme design guide and exercise report template
  • APRA notification decision tree and notification procedure template
  • Board reporting template and executive accountability framework
  • Self-assessment workbook and improvement tracking template for the annual APRA review cadence
  • Hand-built implementation playbook tailored to your account type and operational risk context
  • Access to the learning environment within 24 hours of enrolment

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Before and after

Before

The service provider register is reviewed and returned. MSP classification decisions live in email threads. BCPs are drafted but the dependency maps are missing or incomplete. The APRA notification threshold is interpreted differently by different team members. Every review cycle surfaces the same open items because the methodology that would close them has never been documented.

After

MSP classification is documented and traceable to the CPS 230 criteria. The register passes review without a returned red cell. BCPs include tested dependency maps and are supported by a structured scenario exercise programme. The notification procedure is clear, documented, and practiced. The self-assessment workbook shows APRA a continuous improvement cycle, not a point-in-time snapshot.

What happens if you do not address this

APRA's review process for CPS 230 will surface gaps in the methodology underlying the artefacts, not only gaps in the artefacts themselves. A register with undocumented classification decisions and BCPs without tested dependency maps will require remediation under regulatory scrutiny, with the cost of that remediation determined by how far into the review cycle the gaps are found.

Who it is for

Associates and analysts in operational risk, compliance, or risk management at APRA-regulated financial services institutions who are working on CPS 230 implementation, gap analysis, or second-line review of business unit submissions. Also relevant for internal audit practitioners preparing for CPS 230 review engagements and for business managers whose operations have been scoped as critical and who are responsible for delivering the BCP artefacts to the operational risk team.

Who this is NOT for. Senior risk officers whose engagement with CPS 230 is limited to governance review with no role in building the underlying artefacts. External consultants who want a framework to pitch without an intention to execute the implementation work themselves. IT teams responsible for system recovery without the regulatory context of why the recovery targets are set as they are.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. 12 modules, self-paced. Each module is designed for a focused work session of 60 to 90 minutes. The implementation playbook and downloadable templates are built for direct application to live implementation work from the first module.

Why $199 is the right number

APRA guidance documents describe what is required but not how to build the artefacts. General operational risk frameworks provide structure but are not calibrated to CPS 230's specific definitions, classification criteria, and notification requirements. Internal training programmes address the firm's current state but not the methodology for building the artefacts that do not yet exist. This course fills the gap between the regulatory obligation and the implementation methodology, with decision trees and templates built specifically for the Australian financial services regulatory context.

FAQ

Is this course specific to one type of APRA-regulated institution?
No. The methodology applies across banks, insurance companies, and superannuation funds regulated under CPS 230. The worked examples draw from the banking and asset management context, and module summaries note where the application differs by institution type.
Does the course cover the APRA supervisory expectations for the attestation process?
Yes. Module 11 covers the attestation process and the governance documentation APRA expects to see, and Module 12 addresses the self-assessment methodology that supports the attestation. The implementation playbook includes a pre-attestation checklist.
Can the templates be adapted for use within an existing documentation framework?
Yes. All templates are delivered as editable documents structured to accommodate institution-specific terminology, risk appetite statements, and governance conventions. The implementation playbook includes adaptation guidance for the most common documentation framework requirements in Australian financial services.
How does the course handle the MSP classification edge cases that APRA's guidance does not resolve clearly?
Module 5 is built specifically around the contested cases, including cloud infrastructure, payment processors, data analytics vendors, and offshore captive arrangements. The classification decision tree documents the factors, the evidence required, and the escalation path for cases where the classification is genuinely ambiguous.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

!