Skip to main content
Image coming soon

CPS 230 Implementation Methodology for Risk Officers

$199.00
Adding to cart… The item has been added

A focused course, tailored for you

CPS 230 Implementation Methodology for Risk Officers

Build the MSP register, operational risk tolerance statements, and attestation structure APRA expects from a large ADI.

The MSP register has intragroup shared-service entities flagged as 'to confirm with legal' and dozens of external vendors with no criticality tier assigned. CPS 230 is in force for large ADIs. APRA does not distinguish between intragroup and external in its materiality determination, and an examiner who finds blank tier columns with no documented methodology will record a governance finding.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

CPS 230 is a principles-based standard. APRA did not provide a template. Every large ADI has to build its own methodology: how it defines material service providers, how it tiers them by criticality, what due diligence it runs by tier, what contract clauses it requires, and how it handles the intragroup entity problem. For an investment bank with cross-border operations, intragroup shared-service entities, and complex custody and trading infrastructure, the implementation challenge is harder than for a domestic retail ADI. The entities at the centre of the problem are critical to operations. They typically do not have the audit rights clauses, BCP cooperation clauses, or incident notification requirements that CPS 230 mandates. Getting them there requires a methodology that can be explained to legal, to the service entity boards, and to APRA when the supervision comes.

What you walk away with

  • Build a defensible MSP criticality tier methodology with documented decision criteria that handles intragroup entities consistently with external vendors.
  • Draft operational risk tolerance statements with measurable metrics that a board risk committee can sign off on.
  • Produce CPS 230-compliant contract clause requirements for each MSP tier, including the intragroup intercompany agreement variant.
  • Design due diligence assessments by tier with templates for financial health, security posture, and substitutability reviews.
  • Build the APRA attestation template your Chief Risk Officer drafts and board endorses for the annual cycle.
  • Prepare the evidence file structure an APRA examiner will review when assessing your CPS 230 implementation.

The 12 modules

Module 1. Reading CPS 230 as an Implementation Map
CPS 230 is written as a principles standard, not a checklist. This module translates the operative requirements into an implementation sequence your team can run. You identify the mandatory elements APRA expects to see evidenced on examination, distinguish requirements that affect your framework design from those affecting your MSP register, and build the project plan that sequences the remaining work.
Module 2. Operational Risk Tolerance Statements
The tolerance statement is the document board signs and APRA reviews first on examination. This module covers the metric structure that defines operational risk tolerance measurably, the threshold design distinguishing tolerance from appetite, the escalation clause linking a tolerance breach to your risk committee calendar, and the board resolution language that closes the governance loop. A worked template is included.
Module 3. Defining Material Service Providers
CPS 230 does not define 'material' for you. This module builds the materiality criteria your institution applies: the threshold logic combining financial exposure, customer impact, regulatory dependency, and operational substitutability. It handles the intragroup entity question directly, producing a written materiality definition board approves and the documentation trail APRA expects to find at the head of your MSP register.
Module 4. MSP Criticality Tier Methodology
Tier assignment is where most ADI implementations stall. This module produces the criteria for Tier 1, Tier 2, and Tier 3 service providers, the scoring rubric business units complete, and the review committee process that validates their decisions. Output is a methodology document your Chief Risk Officer endorses and your APRA relationship manager can read without additional context.
Module 5. Due Diligence Framework by Tier
Due diligence requirements differ by criticality tier. This module builds the assessment scope: financial health and operational capacity indicators required from Tier 1 providers, security posture evidence required for technology MSPs, substitutability plans required before contracting with sole-source critical vendors, and the annual review cadence by tier. Downloadable templates for each assessment type are included.
Module 6. CPS 230 Contract Clause Requirements
MSP contracts must contain specific provisions under CPS 230. This module identifies the mandatory clauses: audit rights, incident notification timeframes, sub-contracting controls, termination and transition assistance obligations, and the BCP cooperation clause. For intragroup arrangements, the module provides the intercompany agreement variants that satisfy CPS 230 within a group legal structure. Legacy contract transition protocol is included.
Module 7. Business Continuity Integration for MSPs
For each Tier 1 provider, your BCP must integrate their recovery commitments. This module covers how to extract RTO and RPO commitments from contracts and map them to your critical operations recovery targets, how to design MSP-integrated scenario tests, and how to document the results in the format APRA examiners request when reviewing evidence of BCP testing across your MSP cohort.
Module 8. Operational Risk Event Management
CPS 230 sets minimum requirements for identifying, capturing, and reporting operational risk events. This module defines the event taxonomy appropriate for an investment bank, the capture threshold distinguishing reportable events from BAU issues, the root cause categorisation method, and the risk committee reporting template linking events to your tolerance statement. Includes the data model your operational risk system implements.
Module 9. Governance and Three-Lines Remapping
CPS 230 clarifies board accountability in ways the prior standard did not. This module remaps your three-lines model to the updated requirements: board accountabilities, management accountabilities, risk function role, and internal audit scope. Outputs include the governance paper for your board risk committee, the terms-of-reference amendments, and the management accountability statement for your Chief Risk Officer.
Module 10. Scenario Analysis and Stress Testing
APRA expects scenario analysis to inform your tolerance statement and capital quantification. This module covers the scenario development methodology: selecting scenarios relevant to your investment banking business mix, building severity and likelihood calibration, linking scenarios to your operational risk capital model, and documenting the analysis in the format your board risk committee and APRA examiners will review.
Module 11. APRA Attestation Structure and Board Sign-Off
The annual attestation requires a specific content structure. This module builds the attestation template: the self-assessment format covering each CPS 230 requirement, the exception register for known implementation gaps, the remediation timeline commitment, and the sign-off protocol satisfying APRA's governance expectations. The worked example draws from the APRA prudential practice guide and published attestation cycle guidance.
Module 12. Examination Readiness and Evidence File
When APRA schedules an examination of your CPS 230 implementation, the evidence file determines the outcome. This module produces the evidence map: which document covers which requirement, how to package the MSP register with methodology notes, how to present your tolerance statement against the events it covers, and how to handle examiner questions about gaps. Includes a 30-day examination preparation protocol.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

Draft MSP register returned from business units with intragroup entities untiered and criticality column blank across most external vendors.
Board risk committee chair asked for the tolerance statement draft before the next meeting agenda closed and the risk function has no methodology for setting the metric.
APRA relationship manager flagged that the upcoming supervision will include a review of CPS 230 implementation progress.
Technology vendor contract renewal came through without CPS 230 clauses and legal wants a clause list from the risk function before they will negotiate.

What you get with this course

  • 12 written modules covering the full CPS 230 implementation methodology: MSP identification, criticality tiering, due diligence by tier, contract requirements including intragroup variants, BCP integration, operational risk event management, governance remapping, scenario analysis, APRA attestation, and examination readiness.
  • Downloadable templates: MSP register with methodology notes, criticality tier scoring rubric, due diligence checklist by tier, contract clause checklist with intragroup variants, BCP scenario test record, operational risk tolerance statement, APRA attestation template, examination evidence map.
  • Hand-built implementation playbook tailored to your institution's CPS 230 implementation stage and APRA relationship context, delivered alongside course access.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Before and after

Before

MSP register is partially complete with intragroup entities untiered and no documented criticality methodology. Tolerance statement is a draft board has not seen. Attestation is a concept with no template. Examination readiness is not yet a structured topic.

After

Criticality tier methodology is documented and board-endorsed. MSP register carries a defensible tier for every entry including intragroup entities, with decision criteria on file. Tolerance statement is in board minutes. Attestation template is ready to run for the next annual cycle. Evidence file is structured and current.

What happens if you do not address this

APRA commenced CPS 230 supervisions on large ADIs from the standard's effective date. An examiner who finds an MSP register with blank criticality tiers and no documented tier methodology will record a governance finding, not an implementation finding. The distinction between those two classifications matters to board and to the institution's supervisory relationship with APRA.

Who it is for

A Risk and Compliance officer at a large Australian ADI who owns the CPS 230 implementation program. You have read the standard, the prudential practice guide, and the industry guidance. You know the requirements at a principles level. What you need is the methodology that turns those principles into artefacts: the MSP tier rubric, the tolerance statement template, the contract clause checklist, the APRA attestation structure. You are accountable for the implementation program, not just the advisory layer.

Who this is NOT for. Risk officers whose CPS 230 implementation is complete and has been reviewed by APRA. Also not for front-line business unit operational risk liaisons whose role is to populate MSP register fields rather than design the methodology behind them.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. 12 modules, 3 to 4 hours to read through in sequence. Most practitioners work through the module relevant to their current implementation stage and apply the templates directly to their in-progress artefacts.

Why $199 is the right number

APRA's prudential practice guide covers principles. Industry association guidance covers governance framing. Law firm briefings cover compliance risk interpretation. None provides the implementation methodology: how to turn CPS 230's principles into the specific artefacts your risk function produces, your board approves, and your APRA examiner reviews.

FAQ

Is this specific to investment banks or does it cover all ADIs?
The modules use investment banking examples throughout: trading operations, global custody, prime brokerage, wholesale lending, and cross-border shared service structures. The methodology applies to any large ADI, but the examples and the intragroup entity treatment are built for your operating context.
Does this cover how to handle intragroup entities in the MSP register?
Yes. Module 3 covers the materiality determination for intragroup entities. Module 6 covers the intercompany agreement clauses that satisfy CPS 230 within a group legal structure. The playbook includes worked examples drawn from common intragroup shared-service arrangements.
How current is the regulatory content?
The course is built against the version of CPS 230 and the APRA prudential practice guide current at the time of fulfilment. Gerard reviews each implementation playbook against the current standard before delivering it.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

!