Skip to main content
Image coming soon

CPS 230 Operational Resilience: The Attestation Playbook

$199.00
Adding to cart… The item has been added

A focused course, tailored for you

CPS 230 Operational Resilience: The Attestation Playbook

Build the critical operations register, tolerance statements, and board-ready attestation package that APRA is asking for.

Your CPS 230 submission is weeks away and the attestation package has a gap. Not in the policy, in the artefacts: the critical operations register lacks the tolerance calibration that ties it to your third-party dependency list, and without that link the scenario test records won't satisfy the board sign-off requirement.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

APRA's CPS 230 does not ask for a policy document. It asks for a critical operations register, tolerance statements that are explicitly calibrated to each operation's maximum tolerable disruption period, a third-party and technology dependency map that is tied to those tolerances, and scenario test records that demonstrate you have actually tested against them. Most teams have the first item and a draft of the second. The linkage between the four artefacts, the chain that lets a board director or APRA examiner follow a single critical operation from the register through to the tested scenario, is where teams stall. The board attestation requirement means a named director is signing that this chain is complete and accurate. That changes the urgency.

What you walk away with

  • Map your critical operations to a register format that satisfies the APRA CPS 230 definition and links directly to your tolerance statements.
  • Set maximum tolerable disruption periods grounded in business impact analysis data rather than regulatory minimums.
  • Build a third-party and technology dependency register that traces each dependency back to the critical operations it supports.
  • Write tolerance statements that a board director can sign and an APRA examiner can verify against your register.
  • Run a structured scenario test for at least one critical operation and produce the documentation that closes the attestation loop.
  • Assemble the board attestation package so the chain from register to test record is traceable in a single review session.

The 12 modules

Module 1. Reading CPS 230 as an Artefact Specification
CPS 230 names four primary artefacts: the critical operations register, tolerance statements, the dependency map, and scenario test records. This module reads the standard as a production specification rather than a compliance checklist. You identify which paragraphs impose artefact requirements, what APRA defines as a critical operation, and which existing documents in your organisation partially satisfy the requirement and which do not.
Module 2. Scoping Your Critical Operations Register
Before populating the register you have to define its boundaries: which operations qualify under the APRA definition, how granular the entries should be, and how to handle operations shared across multiple business lines. This module covers the scoping decision criteria, how to avoid both over-scoping (everything is critical) and under-scoping (only customer-facing operations), and how to document the scoping rationale so it can be explained to an examiner.
Module 3. Building the Register Row by Row
A working CPS 230 critical operations register has specific mandatory fields: operation name, business line owner, a description precise enough to identify disruption, the tolerance parameters, and the dependency list. This module provides the row template, works through three example operations at different complexity levels (a payment processing function, an internal treasury operation, and a client-facing advisory process), and shows how to handle operations where the business owner is not the compliance team.
Module 4. Setting Tolerance Statements That Will Hold Under Examination
Maximum tolerable disruption periods cannot be arbitrary. APRA expects them to be grounded in business impact analysis. This module works through the BIA methodology as it applies to each register entry, how to translate revenue impact, regulatory obligation, and counterparty consequence into a defensible MTD period, and how to write the tolerance statement in a format that connects directly to the register row it describes.
Module 5. Third-Party Dependency Mapping for the Attestation Package
The CPS 230 third-party risk requirement is not a standalone vendor risk exercise. It is a dependency map tied to the critical operations register. Each registered operation needs its key dependencies identified, categorised as material or non-material, and assessed against the tolerance statement. This module covers the dependency classification criteria, how to handle cloud infrastructure and intragroup service providers, and how to format the map so it can be reviewed alongside the register.
Module 6. Technology Dependency Integration
APRA distinguishes third-party service dependencies from technology dependencies within your own environment. This module covers how to identify technology dependencies relevant to each critical operation, how to assess single points of failure within your own infrastructure, and how to document technology dependencies in a format that complements rather than duplicates your existing technology risk register. Output is a technology dependency annex that links to the relevant register rows.
Module 7. Designing Scenario Tests That Produce Useful Records
A CPS 230 scenario test needs to test a named critical operation against its tolerance statement and produce a record that demonstrates what happened when the disruption was simulated. This module covers scenario design, how to select disruption scenarios relevant to your operation and dependency map, how to run the test in a way that produces attestable records, and what the test record must contain to satisfy the board and examiner.
Module 8. Running the First Scenario Test End to End
Module 7 designs the test; this module runs it. Structured walkthrough of a complete scenario test for one critical operation: pre-test briefing, simulated disruption activation, response tracking against the tolerance period, recovery validation, and post-test documentation. The output is a completed test record in the format required for the attestation package, including the gaps identified and the remediation actions logged.
Module 9. Remediation Actions and the Gap Register
Every scenario test surfaces gaps. CPS 230 does not require zero gaps at attestation time; it requires that identified gaps are documented and that a remediation plan is in place. This module covers how to structure the gap register, how to write remediation actions that are specific enough to be verifiable, how to prioritise gaps based on tolerance exposure, and how to present the gap register to the board in a way that supports rather than undermines the attestation.
Module 10. Board Governance and the Attestation Requirement
CPS 230 places specific obligations on the board, not just management. The attestation requirement means a board director is personally attesting to the completeness of the package. This module covers what the board needs to see before they can attest, how to structure the board paper presenting the register, tolerance statements, dependency map, and test records in reviewable format, and how to document the board's oversight role to satisfy APRA's governance requirement.
Module 11. Assembling the Attestation Package
The attestation package is a specific set of documents that need to be traceable to each other. This module covers how to assemble the register, tolerance statements, dependency map, test records, gap register, and board paper into a package where an examiner can follow a single critical operation from the register entry through to the tested scenario and back. Includes the attestation statement template and the version control protocol that keeps the package current after submission.
Module 12. Maintaining Compliance Through the Annual Review Cycle
CPS 230 compliance is not a point-in-time submission. The register must be kept current, tolerance statements must be reviewed when operations change, and scenario tests must be repeated on a cycle. This module covers the annual review protocol, how to trigger register updates when business operations change, how to manage third-party dependency changes without rebuilding the entire package, and how to document the review cycle in a way that supports the next attestation.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

Modules 1-3 are for professionals who have read the standard but have not started building the register.
Modules 4-6 are for teams who have a draft register but have not completed the tolerance statements or dependency map.
Modules 7-9 are for teams ready to run scenario tests and close the gap register before the attestation deadline.
Modules 10-12 are for professionals preparing the board paper and building the ongoing compliance cycle into their operating rhythm.

What you get with this course

  • Twelve written modules structured around the CPS 230 attestation artefact chain, not the regulation text.
  • Downloadable templates for each artefact: critical operations register, tolerance statement format, dependency map, scenario test record, gap register, and board attestation paper.
  • Worked examples for three types of critical operations at different complexity levels.
  • The hand-built implementation playbook, delivered alongside course access, tailored to financial services firms operating under APRA regulation.

What you will have in hand by Day 1, Week 1, Month 1

Course access and the hand-built implementation playbook are provisioned within 24 hours of purchase.

Each module is self-paced and can be completed in 45-90 minutes.

The full artefact set can be built in parallel with module completion, making the 12-module course completable in 4-6 weeks alongside a normal work schedule.

Before and after

Before

The team has a policy and a draft register. Tolerance statements are not calibrated to the dependency map. No completed scenario test records. Board paper not started. The attestation deadline is on the calendar and the artefact chain has visible gaps.

After

A complete critical operations register tied to calibrated tolerance statements, a dependency map that traces each vendor and technology dependency back to a specific operation, at least one completed scenario test record, a gap register with a documented remediation plan, and a board paper structured so a director can attest with confidence.

What happens if you do not address this

APRA's enforcement posture on CPS 230 is active. An incomplete attestation package, or a package where the artefact chain cannot be followed by an examiner, is not a minor administrative gap. It is a governance failure that the board director has personally attested to. The reputational and regulatory consequence of an examiner finding that the attestation was made against an incomplete artefact set is significant.

Who it is for

A senior or executive-level professional at an APRA-regulated financial services firm, working in operational risk, compliance, governance, or a business line with direct accountability for CPS 230 implementation. Accountable for the board attestation package or a specific artefact within it. Has already read the standard but has not yet closed the gap between the regulation text and the production-ready artefact set.

Who this is NOT for. Firms not subject to APRA regulation. Teams that have already completed and submitted their CPS 230 attestation package with examiner confirmation. Consultants looking for a generic operational resilience framework rather than the specific APRA CPS 230 artefact chain.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. 45-90 minutes per module, 12 modules. Designed to be completed alongside active CPS 230 implementation work rather than as a prerequisite to it.

Why $199 is the right number

External consultants charge $15,000-$40,000 for a CPS 230 readiness engagement and produce a report rather than your artefacts. Regulatory training courses cover the standard but do not produce the register, tolerance statements, or scenario test records. This course costs $199 and produces the artefacts directly.

FAQ

Is this course specific to APRA CPS 230 or does it cover broader operational resilience frameworks?
It is built specifically for APRA CPS 230. The module structure follows the CPS 230 artefact requirements, and the templates are formatted for the APRA expectation. References to DORA, the Bank of England operational resilience rules, and BCBS 239 appear where they are relevant to firms with cross-jurisdictional obligations, but the primary focus is the APRA CPS 230 attestation package.
Does the course cover the third-party risk requirements in CPS 230 and CPS 234?
Modules 5 and 6 cover the CPS 230 third-party and technology dependency requirements as they apply to the critical operations register. CPS 234 (information security) is referenced where it intersects with technology dependencies. The course is not a standalone CPS 234 implementation guide; its third-party coverage is scoped to what the attestation package requires.
How is the hand-built implementation playbook tailored?
After purchase, Gerard reviews your role and organisation context and builds the playbook to reflect your specific operational environment, the complexity of your critical operations register, and the timeline you are working against. The playbook is delivered alongside course access within 24 hours.
What if my organisation has already submitted its CPS 230 attestation?
The course is also useful for the annual review cycle, for expanding the register when new operations are added, and for preparing for an APRA examination after the initial attestation. Module 12 covers the ongoing compliance cycle specifically.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.