A focused course, tailored for you
APRA CPS 230 Operational Risk for Senior Managers
Build the critical operations register, impact tolerances, and scenario-testing process that APRA expects from the business-unit level.
The critical operations register and the impact tolerance statement were built six months apart, by different people, using different criteria. The APRA prudential review is six weeks out. The self-assessment has a gap where the reconciliation between the two documents should be.
$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.
Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.
Why this course
CPS 230 puts direct accountability on Senior Managers for their business unit's operational resilience. The standard requires a coherent document set: critical operations scoped to APRA's definition and mapped to the enterprise register, impact tolerances set at the operation level with supporting rationale, third-party arrangements identified and assessed against each critical operation, annual scenario tests with documented outcomes, and board reporting that holds together under regulatory scrutiny. The gap most Senior Managers face is not awareness of the requirement. It is the methodology to connect all these documents into a single coherent program the business unit owns and can maintain quarterly.
The 12 modules
Module 1. What CPS 230 Requires of the Senior Manager
CPS 230 is not only an enterprise risk framework obligation. It assigns direct accountability to the Senior Manager for their business unit's operational risk management. This module maps the standard's requirements to your specific accountabilities: what you must produce, what you must attest to, and what APRA will look for in your self-assessment. You leave with a personal obligations checklist tied to your role level and business unit scope.
Module 2. Scoping Critical Operations at the Business-Unit Level
APRA defines critical operations as those whose disruption would have a material impact on your entity's customers, counterparties, or financial system obligations. This module walks through the scoping methodology: how to apply APRA's materiality test to your unit's operations, how to document your reasoning clearly, and how to ensure your scoping decisions reconcile with the enterprise-level critical operations register without duplicating it or creating conflicts.
Module 3. Setting Impact Tolerances That Hold Under APRA Review
Impact tolerances define the maximum acceptable level of disruption to each critical operation. This module covers how to set them: choosing the right metrics (time-based, volume-based, or customer-impact-based), calibrating them against your operational risk appetite, documenting the supporting rationale APRA expects, and ensuring they are consistent with enterprise tolerances. The module produces a tolerance-setting template ready for APRA review.
Module 4. Building the Third-Party Dependency Register
CPS 230 requires entities to identify material third-party arrangements supporting each critical operation. This module builds the register: how to identify which providers qualify as material, how to map them to your critical operations, what due diligence documentation APRA expects, and how to structure the register so it can be updated as arrangements change without rebuilding from scratch each review cycle.
Module 5. Third-Party Risk Assessment Under the Standard
Having a register is step one. CPS 230 also requires ongoing assessment of third-party risks and contractual protections. This module covers the assessment methodology: what APRA expects in your due diligence process, how to document concentration risk across providers, how to assess substitutability for each material provider, and what contractual clauses APRA's prudential guidance expects to see in material service agreements.
Module 6. Scenario Design for the Annual Exercise
The CPS 230 scenario testing requirement is more specific than a tabletop exercise. This module covers how to design scenarios that satisfy the standard: choosing scenarios that stress your critical operations against plausible severe events, designing injects at the right severity level, structuring the exercise so it produces documented evidence of your resilience, and ensuring the outputs link back to your impact tolerances and third-party register.
Module 7. Running the Exercise and Capturing APRA-Credible Evidence
Designing the scenario is half the work. Running it and capturing useful outputs is the other half. This module covers exercise facilitation for a Senior Manager who owns the process: pre-exercise logistics, how to brief participants on what is being tested, how to document observations during the exercise, and how to produce a post-exercise report that identifies gaps and remediation actions APRA would expect to see acted on.
Module 8. The Self-Assessment Process APRA Expects
CPS 230 requires entities to conduct an annual self-assessment of their operational risk management framework. This module walks through the self-assessment structure from the Senior Manager's perspective: what the assessment must cover, how to rate your business unit's compliance against each requirement, how to escalate identified gaps, and how to write the summary that feeds into the entity-level self-assessment without overstating or understating your position.
Module 9. The Board Operational Resilience Report
The board needs to receive and act on operational resilience information. This module covers the report structure that satisfies both the board's governance obligation under CPS 230 and the board's actual information needs: how to present critical operations status, impact tolerance breaches or near-misses, scenario testing outcomes, and third-party risk concentration in a format that supports board oversight without requiring the board to read a compliance manual.
Module 10. Integrating CPS 230 Into Your Existing Risk Frameworks
Most Senior Managers already have operational risk reporting, incident management, and change management processes. CPS 230 does not replace these. This module maps the touchpoints: where your existing frameworks already satisfy CPS 230 requirements, where they need to be extended, and how to avoid building a parallel compliance program that duplicates work. The output is an integration map specific to your business unit's existing process landscape.
Module 11. Notification Obligations and Trigger Identification
CPS 230 requires entities to notify APRA of operational risk incidents that breach or are at material risk of breaching an impact tolerance. This module covers the notification obligation from the Senior Manager's perspective: what triggers a notification, how quickly you must notify, what information APRA expects in the notification, and how to build the escalation path within your team so the right information reaches compliance and the board in time.
Module 12. Quarterly Review and Ongoing Maintenance
CPS 230 compliance is not a one-time project. This module builds the quarterly review process: how to check your critical operations register against operational changes in your business unit, how to review third-party arrangements for changes in risk profile, how to update impact tolerances when your operations change, and how to run a lightweight internal check that keeps your document set current without requiring a full rebuild every quarter.
How this addresses your situation
Specific modules that map to what you said you are dealing with.
Senior Manager preparing for an APRA prudential review who needs to reconcile their critical operations register with their impact tolerance statements.
Senior Manager who has started CPS 230 implementation work but lacks a methodology for connecting the documents into a coherent program.
Senior Manager whose board paper on operational resilience has been returned for clarification or additional detail before reaching the board.
Senior Manager whose team is running scenario exercises that produce outputs the team cannot connect back to the regulatory requirements.
Who it is for
A Senior Manager at an APRA-regulated authorised deposit-taking institution or registrable superannuation entity who owns a business unit's contribution to the CPS 230 compliance program. Has the mandate, the team, and some work already done, but needs a coherent implementation methodology and reusable document templates, not another policy read.
Who this is NOT for. Enterprise risk function staff whose job is to set the CPS 230 framework and policy from a distance. Compliance analysts who review the standard without owning implementation. Anyone whose CPS 230 program is already in the continuous monitoring and self-assessment phase with no material gaps.
How it arrives
Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.
Time investment. Each module takes 20-40 minutes to read and complete. Full course in a single focused day or across two weeks at one module per session.
FAQ
Is this specific to ADIs or does it also cover RSEs?
The course covers both. CPS 230 applies to all APRA-regulated entities including authorised deposit-taking institutions and registrable superannuation entities. Module examples draw on both contexts.
My business unit's CPS 230 work is already partly done. Is this still useful?
Yes. The course is structured so each module stands alone. If your critical operations register is solid but your impact tolerances or third-party register need work, you can go directly to those modules and use the templates to close the specific gaps.
How is this different from a general operational risk management course?
Every module is specific to CPS 230's requirements and written for the Senior Manager who owns implementation at the business-unit level. The templates produce APRA-ready documents, not generic risk management artefacts.
