A focused course, tailored for you
The APRA CPS 230 Readiness Pack for Australian Boards
An integrated readiness pack covering CPS 230 critical functions, ASD Essential Eight maturity, severe-but-plausible scenarios, and AICD boardroom talking points. Built for the Australian board attestation.
APRA CPS 230 is now in effect. AICD director duty statements call out operational resilience. ASD Essential Eight Maturity Levels appear in vendor due diligence. The course delivers a single integrated readiness pack an Australian board signs.
$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.
Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.
Why this course
Australian compliance leaders feel the cadence pressure in 2026. APRA CPS 230 took effect in July 2025 for the supervised firms (banks, insurers, superannuation funds), requiring documented critical functions, impact tolerances, severe-but-plausible scenarios, and board-level attestation. AICD director duty statements call out operational resilience as a director responsibility. The ASD Essential Eight Maturity Levels keep appearing in vendor due diligence and federal procurement.
Customers (CROs, CCOs, board secretariats at APRA-supervised firms) ask for a single integrated readiness pack and the default tooling produces fragmented ones. CPS 230 gap analyses sit in one folder. Essential Eight assessments sit in another. Scenario libraries sit in a third. AICD-style board briefings sit in a fourth.
The course works through the integrated pack. CPS 230 critical-function identification and impact tolerances written so a board can sign the attestation. An Essential Eight Maturity Level scoring grid that aligns with APRA expectations on technology resilience. A severe-but-plausible scenario set that covers credible disruption (cloud-region failure, key-vendor failure, cyber attack, climate event, payments-rail disruption). AICD boardroom talking points. Twelve modules with deliverables. Plus a hand-built playbook for your specific customer mix.
The 12 modules
Module 1. The Australian operational resilience landscape
Walkthrough of the 2026 Australian operational resilience landscape. CPS 230 effective from July 2025. CPS 234 cybersecurity. AICD director duty statement on operational resilience. Treasury and ASIC adjacent expectations. ASD Essential Eight Maturity Levels. The strategic decisions a Risk Officer or board secretariat faces.
Module 2. CPS 230 critical-function identification
Build the CPS 230 critical-function identification framework. The definition test. The customer-impact test. The financial-impact test. The system-stability test. The judgement framework for borderline functions. The documentation that supports the identification decision. Aligned to APRA prudential standard language. Includes the worked example for banking critical functions (payments, deposit access, lending decisioning), insurance critical functions (claims processing, policy issuance), and superannuation critical functions (member access, contribution processing, pension payments). Plus the documentation alignment with APRA prudential standard CPS 230.
Module 3. Impact-tolerance setting
Build the impact-tolerance setting framework. The recovery time objective. The recovery point objective. The maximum tolerable period of disruption. The financial-loss tolerance. The customer-impact tolerance. The board-readable narrative for each. Plus the worked examples for banking, insurance, and superannuation. Includes the worked example for banking impact tolerances, insurance impact tolerances, and superannuation impact tolerances. Plus the integration with the customer's existing business-continuity-management framework and the cross-walk to APRA's prudential standard expectations on impact tolerance documentation.
Module 4. Essential Eight Maturity Level scoring
Build the Essential Eight Maturity Level scoring grid. The eight mitigation strategies (application control, patch applications, configure macros, user application hardening, restrict admin privileges, patch operating systems, MFA, regular backups) at Maturity Levels 1, 2, 3. The scoring rubric. The evidence required for each level. The alignment with APRA's expectations on technology resilience.
Module 5. Severe-but-plausible scenarios
Build the severe-but-plausible scenario set. Cloud-region failure (AWS Sydney, Azure Australia East, Google Cloud Sydney). Key-vendor failure (core banking, payments processor, customer-data platform). Cyber attack (ransomware, supply-chain compromise, insider). Climate event (flood, bushfire, cyclone). Payments-rail disruption (NPP, BECS, direct entry). Plus the scenario test pattern.
Module 6. Scenario testing pattern
Build the scenario testing pattern. The annual exercise design. The quarterly mini-exercise design. The participant matrix (executive, operational, customer, regulator). The success-criteria framework. The post-exercise reporting structure. The board-visibility framework. Plus the lessons-learned integration with the CPS 230 critical-function review.
Module 7. Third-party service provider framework
Build the third-party service provider framework. CPS 230 third-party requirements. The provider identification. The criticality classification. The contract review framework. The ongoing monitoring framework. The exit framework. The CPS 234 cybersecurity alignment. Plus the worked example for cloud, payment-processor, and SaaS providers.
Module 8. AICD boardroom talking points
Build the AICD boardroom talking points. The director-duty framing. The operational resilience director responsibility. The attestation framing. The dashboard the board reads. The exception-reporting framing. The annual-cycle framing. Plus the version of each point a director with non-financial background can follow.
Module 9. Board attestation document
Build the board attestation document. The structure APRA accepts. The supporting evidence chain. The version control. The board-meeting integration. The chair sign-off process. The auditor review pattern. Plus the framework for the inevitable late-stage board question. Includes the integration with the audit committee, the integration with the risk committee, the integration with the full board, and the version-control pattern across the annual cycle. Plus the worked example of the framework's response to APRA's expected supervisory follow-up question on attestation evidence.
Module 10. Quarterly retainer engagement structure
Build the quarterly retainer engagement structure. The monthly posture review. The quarterly tabletop exercise. The quarterly third-party monitoring update. The annual scenario library refresh. The board briefing cadence. The renewal conversation script. Plus the pricing framework. Includes the engagement-economics framework, the renewal conversation script for month-eleven of each annual cycle, and the integration with the customer's existing third-line-of-defence relationship. Plus the cross-engagement reference pattern that surfaces value compounding across multiple APRA-supervised customer engagements.
Module 11. Sector applications
Sector applications. Banking. Life and general insurance. Health insurance. Superannuation. Wealth management. Payment institutions. Each has a slightly different CPS 230 scope (CPS 230 applies broadly to APRA-regulated entities with sector-specific overlays) and a different board profile. Each sector application includes the worked board profile, the worked critical-function inventory, the worked impact-tolerance shape, and the worked scenario-library focus. Plus the integration with the sector-specific regulator (APRA general, APRA superannuation, APRA insurance) and ASIC adjacencies.
Module 12. Your 10-week build plan
Week by week. Weeks 1-2: landscape and CPS 230 critical-function identification. Weeks 3-4: impact-tolerance setting and Essential Eight Maturity Level scoring. Weeks 5-6: severe-but-plausible scenarios and scenario testing pattern. Weeks 7-8: third-party framework and AICD boardroom talking points. Weeks 9-10: board attestation, quarterly retainer structure, sector applications. Deliverable: an integrated readiness pack ready for the next APRA-supervised customer board.
How this addresses your situation
Specific modules that map to what you said you are dealing with.
Customer needs critical-function identification → Module 2.
Customer needs impact tolerances → Module 3.
Customer asks about Essential Eight → Module 4.
Customer needs scenarios → Modules 5-6.
Customer needs third-party framework → Module 7.
Customer board needs talking points → Module 8.
Customer needs attestation document → Module 9.
You need a retainer structure → Module 10.
Who it is for
For Australian risk and compliance leaders, fractional CROs, principals at boutique Australian risk firms, senior consultants at mid-tier risk advisory practices, and senior partners at Australian operational-resilience consultancies.
Who this is NOT for. Pure non-Australian markets. Practitioners at firms with no APRA-supervised customer business. Pure non-operational-resilience roles.
FAQ
Will this work for ASIC-supervised firms?
Module 11 covers the ASIC adjacency. The core CPS 230 framework adapts.
What about non-APRA Australian customers?
Modules 4 and 7 cover Essential Eight and third-party frameworks that apply broadly.
Does this cover CPS 234 cybersecurity specifically?
Module 7 covers CPS 234 alignment with CPS 230 third-party requirements.
What about superannuation-specific patterns?
Module 11 covers superannuation-anchored patterns.
What is in the implementation playbook for me specifically?
Pack structure tuned to your customer-sector mix, talking points pre-loaded with your typical board profile, retainer pricing matched to your team capacity.
