CPS 230 Compliance Implementation for Financial Services

$199.00

A focused course, tailored for you

Build the obligations register, criticality tiers, and control evidence that APRA CPS 230 requires of every regulated institution.

The CPS 230 gap assessment came back with a third-party register that is incomplete, tolerance statements that have never been tested, and a board attestation due in the next reporting cycle. None of those gaps close themselves.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

APRA CPS 230 is not a policy update. It requires a specific set of deliverables that most compliance functions have not built before: an enumerated obligations register tied to testable controls, a criticality-tiered register of every material service arrangement, documented and tested tolerance levels for each critical operation, and a monitoring program that produces ongoing evidence rather than a point-in-time assessment. The institutions that are ahead treated this as an implementation project with defined outputs. The ones still behind are waiting for the policy refresh to precede the register build. The register build comes first.

What you walk away with

  • Build a structured CPS 230 obligations register with source citations and obligation-to-control linkages.
  • Design and complete the material service arrangements register with criticality tiers and concentration risk analysis.
  • Write and validate tolerance statements for every critical operation that meet APRA documentation requirements.
  • Design controls from first principles that satisfy APRA examination standards, with evidence files for each.
  • Build and operate a risk-based compliance monitoring program that produces ongoing testing evidence.
  • Produce the board attestation report and supporting package that documents CPS 230 compliance defensibly.

The 12 modules

Module 1. CPS 230 Obligations Register Design
Building a structured obligations register is the foundation of every CPS 230 compliance program. This module covers extracting individual requirements from the standard, categorising them by domain (business continuity, third-party risk, incident management, change management), and creating the master register that drives all downstream work. You leave with the register schema, source-citation format, and the obligation-to-control link field that makes the monitoring program tractable.
Module 2. Identifying Material Service Arrangements
CPS 230 Attachment B requires identifying every material service arrangement across the institution. This module covers the materiality threshold criteria, the interview protocol for surfacing arrangements across business lines, and the workpaper format that documents the assessment. Includes the concentration risk worksheet, the process for escalating newly identified arrangements, and the standard for what material means when an APRA examiner pushes back on your methodology.
Module 3. Criticality Tiering for Service Providers
Every material arrangement needs a criticality tier. This module builds the tiering methodology from scratch: criteria for Tier 1 (severe, immediate disruption), Tier 2 (significant impact within days), and Tier 3 (manageable alternatives exist). Covers the scoring worksheet, the override process for regulator-specific designations, and how to document tier definitions so the board can approve them and an APRA examiner can interrogate the methodology without ambiguity.
Module 4. Tolerance Statements for Critical Operations
CPS 230 requires documented tolerance levels for every critical operation. This module covers writing tolerance statements that satisfy the standard: maximum tolerable disruption periods, data loss thresholds, and the minimum service levels that define recovery. Templates include the tolerance statement format, the mapping to recovery time objectives in existing business continuity plans, and the testing record that shows each tolerance has been validated against a real scenario.
Module 5. Business Continuity Plan Compliance Assessment
CPS 230 sets specific requirements for BCP scope, testing frequency, and board oversight. This module covers reviewing existing BCPs against those requirements: the compliance review checklist, identifying gaps in testing evidence and scope, and writing the assessment memo that goes to the risk committee. Includes the remediation tracking template and the decision framework for when a gap requires escalation versus a monitored management action.
Module 6. Incident Classification and Regulatory Notification
CPS 230 requires a formal incident management capability with documented classification criteria and APRA notification obligations. This module covers the classification matrix (operational event vs reportable incident vs material incident), the notification threshold analysis, and the 24-hour notification workpaper. Templates include the incident register, the classification decision tree that first-line staff can apply, and the regulatory notification letter format for material incidents.
Module 7. Designing Controls from CPS 230 Obligations
Each obligation in the register needs a mapped control. This module covers control design principles for CPS 230: the difference between preventative and detective controls, the control statement format that satisfies APRA examination, and the process for assigning ownership to first-line functions while maintaining second-line oversight. The output is a control library template and the obligation-to-control matrix that connects the obligations register to the monitoring program.
Module 8. Control Evidence Standards for APRA Examination
A well-designed control is not defensible without documented evidence. This module covers what APRA examiners look for: the evidence type hierarchy, sampling standards for operational risk controls, and the most common evidence gaps found in CPS 230 reviews. Includes the evidence file format for each control type, the self-assessment questionnaire first-line teams complete before a compliance review, and the quality rating scale that anchors testing conclusions.
Module 9. Building the CPS 230 Compliance Monitoring Program
CPS 230 controls require ongoing testing, not a one-time gap assessment. This module covers designing a risk-based monitoring program: the control testing frequency matrix, the issue management process from finding to board-reported closure, and the metrics that demonstrate program effectiveness. Templates include the annual monitoring plan, the testing workpaper format, and the issue register that tracks each item from identification through to sign-off by the responsible executive.
Module 10. BEAR Accountability Mapping for CPS 230
The Banking Executive Accountability Regime intersects with CPS 230 in how operational risk responsibilities are allocated and documented. This module covers mapping CPS 230 obligations onto BEAR accountability statements, the handoff between accountable executives and the compliance function, and how to document the accountability chain in a way that satisfies both regimes simultaneously without creating contradiction or gap between the two accountability maps.
Module 11. Board and Audit Committee Reporting
CPS 230 requires periodic board-level oversight and a formal attestation. This module covers what goes into the compliance attestation report: obligation completion status, control effectiveness ratings, open issues with remediation timelines, and the risk narrative. Templates include the board report format, the attestation sign-off process with the responsible executive, and the escalation criteria for matters requiring board decision before the next reporting cycle.
Module 12. Transitioning CPS 230 Implementation to BAU
The implementation phase ends; the ongoing compliance program begins. This module covers transitioning from project-mode to business-as-usual operations: the quarterly control testing cadence, the trigger-based review process for new material arrangements, the annual BCP review cycle, and the examination readiness pack that keeps the program defensible between APRA visits. Covers the compliance team operating rhythm and the annual attestation preparation timeline.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

Your third-party register exists but has no criticality tiers and no concentration risk analysis: modules 2 and 3 build both from the materiality assessment through to the board-approved tier definitions.
The board asked for a CPS 230 attestation and your current position paper cannot be defended control-by-control: modules 7, 8, and 11 build the control library, evidence files, and the attestation report that backs the sign-off.
An incident last quarter was not classified correctly and the APRA notification question is still open: module 6 builds the classification matrix and notification decision process that prevents the same gap in the next cycle.
The obligations-to-controls mapping you have was built under an older framework and does not enumerate CPS 230 specifically: modules 1, 7, and 9 rebuild it from the standard through to the monitoring program.

What you get with this course

  • Twelve written modules covering every CPS 230 implementation workstream from obligations register to board attestation.
  • Downloadable templates for every module: obligations register schema, materiality assessment workpaper, criticality tiering worksheet, tolerance statement format, BCP compliance checklist, incident classification matrix, control library, evidence file formats, monitoring plan, issue register, and board attestation report.
  • Hand-built implementation playbook delivered alongside course access, tailored to your institution's CPS 230 compliance profile.

What you will have in hand by Day 1, Week 1, Month 1

Course access provisioned within 24 hours of purchase.

Implementation playbook delivered alongside course access, hand-built for your institution's CPS 230 compliance profile.

Before and after

Before

Obligations identified but not enumerated in a register. Third-party arrangements partially mapped, criticality undefined. Tolerance statements generic or absent. Board attestation is a best-efforts declaration rather than an evidence-backed sign-off.

After

A complete obligations register tied to tested controls, a criticality-tiered third-party register with concentration risk analysis, validated tolerance statements, and a board attestation that can be defended line-by-line to an APRA examiner.

What happens if you do not address this

The obligations register, third-party criticality tiers, and tolerance statements are not optional deliverables. An APRA examination that finds these absent or inadequate puts the compliance function in an indefensible position. The cost of remediation under examination pressure is considerably higher than building the program correctly from the start.

Who it is for

Senior compliance managers and compliance directors at APRA-regulated financial services institutions who are accountable for the CPS 230 implementation program. You have a background in financial services compliance and understand the regulatory environment. What this course builds is the implementation methodology: how to translate the standard into deliverables, how to design controls that satisfy APRA examination, and how to build the monitoring program that makes the board attestation defensible.

Who this is NOT for. Someone looking for a general introduction to operational risk management or a policy template library. This course is for compliance professionals who already understand the regulatory environment and need the implementation method, the templates, and the build sequence that produces a defensible CPS 230 compliance program.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Most compliance professionals complete the course across five to seven working sessions. Each module is designed to be immediately applicable, so implementation typically runs in parallel with the reading.

Why $199 is the right number

APRA guidance documents and CPG papers provide the regulatory requirements but not the implementation methodology. External consultants charge $15,000 or more for a CPS 230 gap assessment and remediation plan. This course delivers the same obligations-to-controls build methodology with ready-to-use templates, completed at your own pace.

FAQ

Does this cover the current CPS 230 requirements in full?
The course is built around the full CPS 230 standard as currently in force. It covers obligations register design, third-party management, business continuity, incident management, BEAR accountability intersections, and board attestation in sequence.
Is this relevant to compliance managers covering multiple APRA-regulated entities within a group?
Yes. Module 10 specifically covers accountability mapping across group structures, and the obligations register methodology applies at entity level, subsidiary level, or consolidated group level depending on how your regulatory obligations are scoped.
What templates are included?
Twelve module-level templates covering: obligations register schema, materiality assessment workpaper, criticality tiering worksheet, tolerance statement format, BCP compliance review checklist, incident classification matrix, control library, evidence file format, monitoring plan, issue register, board attestation report, and attestation sign-off process.
How does the implementation playbook differ from the course modules?
The modules teach the methodology. The implementation playbook is hand-built for your specific compliance profile: it applies the CPS 230 obligations to your institution's operational risk domains, pre-populates the register schema with relevant obligations, and sequences the build workstreams for your team's capacity.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.