Skip to main content
Image coming soon

CPS 230 Operational Risk: From Gap List to Board Pack

$199.00
Adding to cart… The item has been added

A focused course, tailored for you

CPS 230 Operational Risk: From Gap List to Board Pack

Build the critical-operations register, scenario library, and APRA-ready reporting artefacts your Board Risk Committee needs to see.

The CPS 230 gap register keeps expanding because the critical-operations boundary hasn't been drawn precisely enough to anchor the scenario library, vendor-dependency register, and tolerance statements underneath it. Every downstream artefact inherits that ambiguity.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

APRA's CPS 230 is not a compliance checklist. It is a systems-thinking exercise: map what is critical, define what severe but plausible means for each operation, identify which third parties sit inside that boundary, and produce tolerances a Board can actually hold. For a large, diversified financial group the complexity multiplies: multiple business lines, shared-service providers, global technology platforms, and a Board Risk Committee that expects a consolidated view, not a spreadsheet of business-unit submissions. The gap list grows because teams work bottom-up on individual processes without a top-down critical-operations taxonomy to constrain them. This course fixes that sequence.

What you walk away with

  • Define and document a critical-operations taxonomy your Board, CRO, and APRA reviewer will all accept without material challenge.
  • Build a severe-but-plausible scenario library anchored to your specific critical operations, not a generic sector template.
  • Produce a third-party and technology dependency register that maps directly to your critical-operations boundary and survives prudential scrutiny.
  • Draft operational risk tolerances at the right level of specificity for Board Risk Committee sign-off and ongoing monitoring.
  • Structure the CPS 230 Board pack so the narrative, heat map, and gap-closure tracking all tell one coherent story.
  • Set up a repeatable annual review cycle so the gap register closes rather than expands each cycle.

The 12 modules

Module 1. What APRA Actually Expects from CPS 230
Walk through the standard's intent versus its literal requirements. This module covers the difference between a compliance response and a genuine operational resilience posture, explains the four core obligations APRA supervisors test hardest (critical-operations identification, scenario plausibility, third-party dependency, and tolerance-setting), and sets up the framework the rest of the course uses. You leave with a one-page obligations map you can use to brief your CRO.
Module 2. Drawing the Critical-Operations Boundary
The most common reason gap registers expand is that the critical-operations boundary was drawn too broadly (every process qualifies) or too narrowly (key shared services are excluded). This module provides a decision matrix for classifying operations against impact, recoverability, and customer/regulator visibility criteria. You produce the first draft of your critical-operations register with a defensible rationale for inclusions and exclusions that APRA can interrogate.
Module 3. Shared Services, Group Structures, and the Boundary Problem
In a diversified financial group, technology infrastructure, treasury operations, and risk functions are often shared across multiple legal entities and business lines. This module covers how to represent shared-service dependencies in the critical-operations register without double-counting, how to handle operations that are critical in one business line but not another, and how to produce a group-level consolidated view that satisfies both the local APRA-regulated entity and the broader group governance structure.
Module 4. Building the Severe-But-Plausible Scenario Library
APRA expects scenarios that are genuinely stretching, not the same three cyber and pandemic scenarios every ADI submits. This module teaches a scenario-construction methodology starting from the critical-operations taxonomy: for each critical operation, identify the plausible disruption vectors (technology outage, third-party failure, people, premises, data), calibrate severity against historical incidents and sector stress events, and document the scenario narrative in a format suitable for Board Risk Committee and APRA review.
Module 5. Third-Party and Technology Dependency Mapping
CPS 230 requires a dependency register that is operational, not aspirational. This module covers how to identify fourth-party concentrations (providers your critical-operations vendors depend on), how to rate vendor criticality against your operations taxonomy rather than spend, how to structure the register so it feeds both your Board reporting and your vendor contract review cycle, and what APRA supervisors look for when they ask for your third-party risk management framework.
Module 6. Setting Operational Risk Tolerances That Hold Up
Tolerances written as broad qualitative statements fail Board scrutiny and give APRA nothing to test. This module provides a tolerance-setting methodology: define the metric (recovery time, transaction failure rate, data availability), set the threshold at the right level for your specific operation, establish the escalation trigger, and link each tolerance statement back to the relevant scenario. You leave with a tolerance-setting template calibrated to the complexity of a large financial group's Board Risk Committee.
Module 7. The Business Continuity Plan Underneath CPS 230
CPS 230 does not replace your BCP, but your BCP must now be derivable from your critical-operations register and scenario library. This module covers how to restructure existing BCPs to align with the CPS 230 taxonomy, what to include in the recovery procedures for critical operations that involve third-party or technology dependencies, and how to test and evidence BCP effectiveness in a format APRA can review without generating more gaps.
Module 8. Second-Line Oversight: Challenging First-Line Submissions
Second-line risk functions own the framework, not the operational data. This module covers how to structure a second-line challenge process for first-line CPS 230 submissions: what questions to ask about critical-operations completeness, how to identify when scenario plausibility is understated, how to test tolerance calibration without deep operational knowledge, and how to document your challenge activity in a way that demonstrates independent oversight to APRA.
Module 9. Producing the Board Risk Committee Pack
The Board Risk Committee needs a consolidated view of CPS 230 compliance posture, not a digest of business-unit gap registers. This module covers the structure of a Board-quality CPS 230 reporting pack: executive summary, critical-operations heat map, scenario library status, tolerance breach tracker, third-party risk dashboard, and gap-closure programme. Templates and worked examples for each section are included, calibrated to a large financial group with multiple business lines reporting up to a group Board.
Module 10. Managing the APRA Supervisory Dialogue
APRA supervisors approach CPS 230 reviews with specific lines of enquiry around the plausibility of scenarios, the completeness of the critical-operations boundary, and the robustness of tolerance-setting. This module prepares you for those conversations: common questions from APRA supervisors, how to present your critical-operations rationale without overdefending it, how to handle a finding that challenges your taxonomy, and how to document your responses in a way that closes supervisory issues rather than opening new ones.
Module 11. Embedding CPS 230 into the Annual Risk Calendar
CPS 230 is not a one-time implementation exercise. This module covers how to integrate CPS 230 obligations into your annual risk management cycle: when to refresh the critical-operations register, how to trigger scenario updates after material incidents or business changes, how to align the tolerance review with your ICAAP cycle, and how to structure the annual attestation to the Board so it reflects genuine assurance rather than a compliance sign-off.
Module 12. The Implementation Playbook for Your Function
The final module consolidates the methodology into a sequenced implementation plan specific to a second-line risk function in a large diversified financial group. It covers how to phase the critical-operations work across business lines, how to manage stakeholder engagement with first-line and technology teams, how to report progress to the CRO and Board Risk Committee during implementation, and what a mature CPS 230 posture looks like at the two-year mark after the standard's effective date.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

Critical-operations register is too broad or too narrow, and first-line submissions are inconsistent: Modules 2, 3, 8.
Scenario library feels generic and APRA has challenged its plausibility: Modules 4, 10.
Third-party register does not clearly connect to critical operations: Module 5.
Board Risk Committee pack is a compilation of unit submissions rather than a consolidated risk view: Modules 6, 9.

What you get with this course

  • Twelve written modules delivered in the Art of Service learning environment.
  • Downloadable critical-operations decision matrix and classification template.
  • Severe-but-plausible scenario construction template with calibration guidance.
  • Third-party and technology dependency register template with APRA-review notes.
  • Operational risk tolerance-setting template with example thresholds.
  • Board Risk Committee CPS 230 reporting pack template with worked examples.
  • Hand-built implementation playbook for a second-line risk function in a large financial group, delivered alongside course access.

What you will have in hand by Day 1, Week 1, Month 1

Course access provisioned within 24 hours of purchase.

Hand-built implementation playbook delivered alongside course access.

Each module is self-paced; most participants complete the full course across two to three working weeks.

Before and after

Before

The CPS 230 gap register expands each cycle. Critical-operations boundaries vary across business units. Scenarios feel generic. The Board pack is a digest of first-line submissions rather than a second-line view.

After

A locked critical-operations taxonomy anchors every downstream artefact. The scenario library is plausible and defensible. The Board Risk Committee receives a consolidated, independently assessed view. APRA supervisory dialogue moves from challenge to confirmation.

What happens if you do not address this

APRA's prudential supervision timeline does not pause for programme complexity. An immature CPS 230 posture at the point of a supervisory review produces findings that become public on APRA's breach register and require remediation under supervisory scrutiny. The cost of a Board-quality gap register built reactively under regulatory pressure is an order of magnitude higher than building it to methodology now.

Who it is for

Senior managers and managers in second-line risk functions at large Australian authorised deposit-taking institutions and diversified financial groups. You own or contribute to the CPS 230 programme, the ICAAP operational risk section, or the Board Risk Committee pack. You have the domain knowledge but need a repeatable methodology that produces APRA-quality artefacts without rebuilding the approach from scratch each reporting cycle.

Who this is NOT for. Compliance officers at small ADIs or credit unions implementing CPS 230 for the first time with a simple operational footprint. First-line business unit risk coordinators who are completing templates rather than designing the framework.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Approximately 90 minutes per module. Full course is 15-18 hours of focused reading and template work, typically spread across two to three weeks alongside a normal working schedule.

Why $199 is the right number

APRA publishes guidance notes and industry associations run CPS 230 workshops that cover the standard's requirements at a high level. Neither produces the operational artefacts your second-line function needs to deliver: the critical-operations register, the scenario library, the Board pack. External consultants who build these artefacts charge $50,000 or more and produce outputs calibrated to their methodology, not your group's governance structure. This course gives your function the methodology to build them in-house, with templates and a hand-built playbook specific to your role.

FAQ

Is this relevant to a large diversified financial group, not just a deposit-taking institution?
Yes. The course is specifically designed for complex financial groups with multiple business lines, shared-service structures, and group-level Board reporting requirements. The module on group structures and shared services addresses the boundary problems unique to diversified groups.
Does the course cover the APRA supervisory review process specifically?
Module 10 is dedicated to preparing for and managing APRA supervisory dialogue, including the common lines of enquiry supervisors use and how to document your responses.
How does the implementation playbook differ from the course content?
The course teaches the methodology. The implementation playbook is built for your specific function: a second-line risk team in a large financial group. It sequences the work, names the stakeholder engagements, and provides the reporting cadence for your CRO and Board. It is delivered alongside course access, not separately.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.