Description

A focused course, tailored for you

APRA CPS 230 Operational Risk Implementation

Build the MIOS register, scenario analysis, and third-party oversight protocols that hold up under an APRA examination.

The MIOS register passed its first board review, but an APRA examination is a different standard. Examiners want to see the classification methodology, the scenario analysis that produced the disruption estimates, and the documented third-party oversight protocol. Not the register itself, but the process that produced it and can reproduce it next cycle.

$199 one-time

Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

CPS 230 created a new obligation for operational risk management that most banks initially satisfied through a consultant-led gap analysis. The gap analysis produced a MIOS register and a framework document. What it typically did not produce was a repeatable classification methodology, a scenario analysis process with quantified outputs, or a third-party notification protocol that satisfies both procurement and the risk committee. When APRA reviews these artefacts, the question is not whether they exist but whether the methodology behind them is defensible and documented. At AVP level, you are the person who needs to close that gap without outsourcing the method.

What you walk away with

Build a MIOS classification framework your board approves and APRA accepts without requiring re-work before the next supervisory review.
Run scenario analysis workshops that produce quantified disruption impact estimates rather than vague narrative descriptions.
Document third-party notification and oversight protocols that meet CPS 230 service provider requirements before an examiner asks for them.
Write an operational risk appetite statement that connects board-level risk tolerance to measurable business line limits.
Create a continuous MIOS monitoring process that keeps the register accurate without requiring a full reclassification exercise each cycle.

The 12 modules

Module 1. Reading CPS 230 for What It Actually Requires

Walk through each section of the prudential standard with attention to what APRA enforcement history reveals about its interpretation. Banks often read CPS 230 but miss the specific enumerated obligations that separate a passing review from a finding. This module produces a compliance obligation register specific to your institution, covering governance, risk management framework, incident reporting, and service provider requirements as a trackable checklist rather than a document summary.

Module 2. Building the MIOS Classification Framework

Develop the criteria that determine whether an operation or service is Material, Important, or neither. Covers the three-test methodology across criticality, substitutability, and concentration, how to set quantitative thresholds your board approves in advance, and how to handle contested cases where business units believe their services are incorrectly classified. The output is a written methodology document you can present to APRA as evidence of a structured, repeatable classification process.

Module 3. Running the MIOS Inventory Exercise

Map every operation and service against the classification framework with documentation sufficient to justify each decision. Provides a data-gathering template, a structured interview guide for business unit heads, and a process for handling missing or inconsistent service information. The resulting register passes the examination standard because every entry carries documented rationale traceable to board-approved criteria, rather than a classification recorded without supporting reasoning visible to an examiner.

Module 4. Scenario Analysis: Designing Extreme-but-Plausible Disruptions

Build the scenario analysis process CPS 230 requires for material and important services. Covers how to construct scenarios that are genuinely plausible rather than theoretical, how to estimate severity and likelihood in a way that connects to your operational risk appetite, and how to document workshop outcomes for board presentation and annual repetition. Addresses the common failure mode where scenario outputs are too vague to produce measurable impact estimates an APRA examiner would accept.

Module 5. Quantifying Disruption Impact Across Service Dependencies

Translate scenario outcomes into financial, customer, and reputational impact estimates that a risk committee can use for decision-making. Covers dependency mapping methods, cascade analysis for propagating a single disruption through connected services, and how to present uncertainty ranges rather than misleadingly precise point estimates. Produces the impact quantification tables your APRA submission needs to demonstrate that scenario analysis is substantive rather than a templated narrative exercise.

Module 6. Third-Party Service Provider Notifications and Oversight

Build the protocol for identifying which third-party arrangements fall under CPS 230 service provider requirements and what notifications your institution must issue when a provider's MIOS status changes. Covers the written notification procedures, the due diligence questions your procurement and vendor management teams need to ask at contract stage, and the monitoring cadence for service providers whose failure could trigger a material disruption at your institution.

Module 7. Operational Risk Appetite: Board Statement to Business Line Limits

Write the operational risk appetite statement that connects the board's strategic risk tolerance to the operational risk limits each business line works within. Covers the structure of an effective appetite statement, the metrics and thresholds that make it measurable rather than aspirational, and the escalation triggers that bring a business line back into appetite when a metric breaches. Produces a draft board paper section on operational risk appetite ready for risk committee review.

Module 8. Incident Identification, Classification, and APRA Reporting

Build the incident reporting process CPS 230 requires, including the 72-hour notification obligation to APRA for operational risk incidents affecting material services. Covers what counts as a notifiable incident versus an internally managed event, the report template APRA expects, and the internal escalation chain required to issue notification within the window. Includes the lessons-learnt process that feeds back into MIOS classifications and scenario analysis assumptions the following cycle.

Module 9. Business Continuity Planning Aligned to the MIOS Register

Align existing business continuity plans to the MIOS register so every material and important service has a tested recovery procedure with defined recovery time objectives. Covers the gaps that typically exist between current BCP documentation and CPS 230 requirements, the testing cadence that provides evidence of genuine preparedness, and the documentation standard that demonstrates to APRA that recovery planning is operational rather than a shelf document reviewed annually.

Module 10. Internal Audit Scope for CPS 230 Assurance

Build the internal audit approach that gives the board independent assurance over CPS 230 compliance without duplicating first-line implementation work. Covers the audit scope across classification methodology, scenario analysis quality, and third-party oversight; the evidence standards that distinguish genuine compliance from documented compliance; and the findings reporting structure that connects audit results to board-level accountability. Produces an internal audit charter addendum for operational risk assurance.

Module 11. Keeping the MIOS Register Accurate as the Business Changes

Design the continuous monitoring process that keeps the MIOS register current as services are added, modified, or discontinued, without requiring a full reclassification exercise each time. Covers the trigger events that require a classification review, the change control process for services entering or leaving the register, and the governance structure ensuring business units notify risk management of relevant changes before the next supervisory cycle begins.

Module 12. Board and APRA Reporting on CPS 230 Progress

Build the board reporting pack and APRA engagement materials that demonstrate your institution's CPS 230 implementation in a format satisfying both audiences. Covers the board-level operational risk dashboard, the structure of an effective board paper on CPS 230 status, and the supervisory interaction materials showing structured implementation rather than reactive responses to examiner questions. Includes the self-assessment template many institutions prepare before an APRA review commences.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

MIOS classification methodology is contested by business stakeholders with no documented criteria to defend decisions in the room: Modules 2, 3

Scenario analysis outputs are narrative descriptions rather than quantified impact estimates: Modules 4, 5

Third-party service provider oversight protocols are not yet documented for an APRA examiner: Module 6

Board cannot measure whether operational risk appetite is being met across business lines: Modules 7, 12

What you get with this course

12 written modules covering the full CPS 230 implementation cycle from classification methodology through board reporting
Downloadable MIOS classification methodology template with board-approved threshold criteria
Scenario analysis workshop guide and quantified impact output template
Third-party notification protocol framework aligned to CPS 230 service provider requirements
Operational risk appetite statement draft structured for risk committee review
Incident reporting template with 72-hour APRA notification procedure and escalation chain
Board reporting pack template for CPS 230 implementation status
Hand-built implementation playbook tailored to your institution's current CPS 230 state and the gaps most likely to surface in an APRA review

What you will have in hand by Day 1, Week 1, Month 1

Course access provisioned within 24 hours of purchase.

Hand-built implementation playbook delivered at the same time as course access.

Before and after

Before

MIOS register exists but classification decisions lack a documented, repeatable methodology; scenario analysis produces narrative descriptions rather than quantified disruption estimates; third-party oversight protocols are undocumented; board reporting summarises activity rather than demonstrating evidenced compliance.

After

Every MIOS classification traces to board-approved criteria with written reasoning an examiner can follow; scenario workshops produce quantified impact tables; third-party protocols are documented and monitored against a defined cadence; board reporting demonstrates measurable compliance progress with evidence behind each claim.

What happens if you do not address this

An APRA prudential review that finds classification methodology gaps or undocumented scenario analysis does not produce a clean supervisory letter. Findings follow the institution into the next cycle, create board-level visibility of the compliance gap, and may result in a more intensive supervisory relationship with APRA for the following period.

Who it is for

Senior risk, operations, or compliance professionals at APRA-regulated banks and financial services entities responsible for building or maintaining the CPS 230 operational risk framework. You understand the prudential standard's obligations but have not yet produced a complete, defensible methodology for MIOS classification, scenario analysis, and third-party oversight. You have done the initial gap analysis and built the register. The methodology and documentation depth that APRA expects are the remaining gaps.

Who this is NOT for. Junior analysts looking for an introductory overview of operational risk concepts, or executives who want a high-level summary of CPS 230 obligations without the implementation methodology. This course is for the person doing the build, not the person who commissioned it.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Six to eight hours across the 12 modules. Each module works independently as a reference guide when its specific CPS 230 phase comes up in your implementation cycle.

Why $199 is the right number

Consultant-led CPS 230 implementation support requires a significant budget and typically produces a gap analysis report plus framework document owned by the consulting firm. This course produces the same classification methodologies and documentation templates at $199, with the implementation work done by your team using documented, repeatable methods they own going forward.

FAQ

Does this course cover CPS 234 or CPS 511 as well?

The course is specific to CPS 230 operational risk. The MIOS register, scenario analysis, and incident reporting modules focus on CPS 230 obligations only.

Is this relevant for non-bank APRA-regulated entities?

Yes. CPS 230 applies to all APRA-regulated entities including general insurers, life insurers, and superannuation funds. The modules use banking examples but the methodology applies to any entity with MIOS classification obligations.

What if our CPS 230 implementation is already partially complete?

The modules work independently. Start at the module covering your current gap. The implementation playbook maps your likely current state and identifies what to prioritise next.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.