Non-Financial Risk Implementation for Global Banks

$199.00

A focused course, tailored for you

Build the RCSA, risk appetite statement, and control testing artefacts that satisfy APRA and board-level scrutiny.

NFR teams at global banks are accountable for artefacts that must hold up under APRA CPS 220 review, internal audit scrutiny, and board challenge simultaneously. The RCSA, the appetite statement, the control effectiveness testing methodology, and the three-lines-of-defence reporting pack all need to cohere. In practice they rarely do, because each was built in a different cycle by a different team against a different regulator expectation.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

The APRA CPS 220 review cycle creates a predictable pressure point: the regulator asks for evidence that operational and non-financial risks are being managed within board-approved appetite, and the response requires stitching together artefacts from six different business units that were never designed to align. The RCSA has granular control descriptions but no clear line to appetite thresholds. The scenario analysis is robust but sits in a separate workbook that nobody references in the risk committee paper. The board paper has a heat map but the underlying methodology is undocumented. NFR practitioners spend more time reconciling inconsistencies between artefacts than they do improving the risk management itself.

What you walk away with

  • Design an RCSA that maps controls to specific CPS 220 scenarios and risk appetite thresholds, not just to generic control categories.
  • Draft a risk appetite statement with quantitative tolerance bands that the board can challenge and approve without redrafts.
  • Build a control effectiveness testing methodology that produces evidence acceptable to both internal audit and APRA.
  • Construct a three-lines-of-defence reporting pack that presents the same risk picture at every governance layer without reconciliation overhead.
  • Run a structured scenario analysis process that feeds directly into the risk appetite review and the board risk paper.
  • Produce a gap analysis against CPS 220 and CPS 234 that prioritises remediation by regulatory materiality, not by internal convenience.

The 12 modules

Module 1. The NFR Framework Architecture
Maps the structural components of a non-financial risk framework: risk taxonomy, appetite statement, RCSA, control library, scenario analysis, and reporting pack. This module establishes how each artefact connects to the others and identifies the most common integration failures. Participants build a one-page framework map for their own organisation that they will use as a reference throughout the course.
Module 2. CPS 220 Obligations and Examiner Expectations
Translates APRA CPS 220 requirements into specific artefact obligations: what the regulator expects to see in the RCSA, what constitutes adequate board oversight evidence, and what prompts a Supervisory Concern Notice. Covers the most common CPS 220 findings from APRA reviews at Australian institutions and the remediation artefacts that resolved them. Not a reading of the standard; a practical map of what examiners actually probe.
Module 3. Building the Risk Taxonomy
Constructs the NFR risk taxonomy that underpins every downstream artefact. Covers the hierarchy from risk category to risk type to specific risk event, the alignment with Basel operational risk categories, and the customisation required for investment banking versus retail banking versus group treasury functions. Participants produce a draft taxonomy for their business unit with cross-references to the relevant regulatory scenarios.
Module 4. RCSA Design: From Control Listing to Scenario Alignment
Rebuilds the RCSA from first principles. Most RCSAs list controls against risk types and assign likelihood/impact scores. This module adds the layer that regulators actually test: the mapping from each control to the specific scenarios in the risk appetite statement, the evidence of control effectiveness at the point of testing, and the owner accountabilities that survive staff turnover. Produces a redesigned RCSA template tested against a sample CPS 220 examination scenario.
Module 5. Risk Appetite Statement Construction
Drafts a risk appetite statement with quantitative tolerance bands at three levels: strategic (board-approved thresholds), operational (business unit limits), and transactional (day-to-day decision rules). Covers the most common drafting failures: appetite statements that set risk categories but not tolerance bands, statements that cannot be operationalised below the executive level, and statements that become stale after the first risk event. Participants produce a redrafted appetite statement section for one risk category in their organisation.
Module 6. Control Effectiveness Testing Methodology
Builds a control testing methodology that produces evidence acceptable to APRA, internal audit, and the business simultaneously. Covers testing frequency, evidence standards, the difference between design effectiveness and operating effectiveness testing, and the escalation protocol when a control fails. Addresses the common failure mode where controls are rated effective on paper but cannot produce testing evidence on demand. Participants design a testing schedule for their top ten operational risk controls.
Module 7. Scenario Analysis for NFR
Designs a scenario analysis process that feeds directly into appetite review and board reporting rather than sitting as a standalone exercise. Covers scenario selection criteria, severity calibration against historical loss data and industry events, the linkage from scenario outcome to appetite threshold, and the documentation standard that satisfies APRA's expectation of forward-looking risk identification. Participants produce a scenario analysis template linked to their RCSA and appetite statement.
Module 8. Three-Lines-of-Defence Reporting Architecture
Constructs the reporting pack that presents the same NFR picture at every governance layer without manual reconciliation between first-line, second-line, and internal audit views. Covers the data flow from control testing results to risk dashboard to board risk paper, the escalation triggers that move an issue from operational to executive reporting, and the audit trail requirements for APRA examination. Produces a reporting architecture diagram and a draft reporting calendar.
Module 9. CPS 234 Integration: Cyber and Operational Risk Alignment
Integrates CPS 234 information security obligations into the NFR framework without duplicating effort. Covers the overlap between operational risk and cyber risk taxonomies, the control testing requirements that satisfy both standards, and the board reporting obligation under CPS 234 that must be aligned with the broader NFR board paper. Addresses the common failure mode where cyber risk sits entirely in IT with no connection to the operational risk appetite statement.
Module 10. Board Risk Paper Construction
Builds the board risk paper from the artefacts produced in earlier modules. Covers the narrative structure that boards at global investment banks expect, the heat map methodology that is defensible under challenge, the escalation section that demonstrates management is ahead of emerging risks, and the appendix structure that allows board members to drill into underlying evidence. Participants produce a board paper template tested against a mock board challenge session.
Module 11. Managing the APRA Examination Process
Prepares the NFR team for the APRA examination cycle: the information request response protocol, the document room management, the spokesperson coordination between risk, legal, and compliance, and the remediation commitment documentation that avoids Supervisory Concern escalation. Covers the common mistakes that create examiner concern even when the underlying risk management is sound, including inconsistent terminology across documents and undocumented methodology assumptions.
Module 12. Continuous Improvement and Framework Refresh
Builds the annual framework refresh process that keeps the NFR artefacts current without requiring a full rebuild each regulatory cycle. Covers the trigger events that require a material update versus a minor refresh, the change management process for appetite statement amendments, the control library governance that prevents the RCSA from drifting out of alignment with operational reality, and the lessons-learned process that converts risk events into framework improvements before the next APRA examination.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

You have an RCSA that lists controls but cannot produce scenario-aligned testing evidence on demand: Modules 4 and 6.
Your risk appetite statement exists but the board keeps requesting clarification on tolerance bands and escalation triggers: Modules 5 and 10.
Your scenario analysis is robust but disconnected from the appetite statement and the board paper: Modules 7 and 8.
You have an APRA examination approaching and need to close gaps in the three-lines-of-defence reporting architecture: Modules 8 and 11.

What you get with this course

  • Twelve written modules covering the full NFR implementation methodology from taxonomy through board reporting.
  • Downloadable templates for each artefact: RCSA redesign template, risk appetite statement with tolerance bands, control testing schedule, scenario analysis workbook, three-lines-of-defence reporting architecture, and board risk paper.
  • Worked examples drawn from common APRA examination scenarios at investment banking institutions.
  • Hand-built implementation playbook tailored to your specific control environment, delivered alongside course access.

What you will have in hand by Day 1, Week 1, Month 1

Course access and the hand-built implementation playbook are both provisioned within 24 hours of purchase.

The twelve modules are self-paced. Most practitioners work through two to three modules per week alongside their operational workload.

The implementation playbook is specific to your organisation's control environment and regulatory obligations.

Before and after

Before

The RCSA, appetite statement, control testing records, scenario analysis, and board paper exist as separate documents built in different cycles. When APRA asks for evidence that risks are managed within appetite, the response requires manual reconciliation across six workbooks. Board challenge on the heat map cannot be answered without going back to source data.

After

Every NFR artefact is architecturally connected: the RCSA maps to appetite thresholds, control testing produces scenario-aligned evidence, scenario analysis feeds the appetite review, and the board paper draws directly from tested data. APRA examination requests can be answered from a single coherent documentation set.

What happens if you do not address this

APRA CPS 220 reviews at Australian banks have increasingly resulted in Supervisory Concern Notices where the risk management artefacts exist but are not coherent with each other. The regulator's expectation has shifted from 'show us your RCSA' to 'demonstrate that your RCSA, your appetite, and your control testing tell a consistent story'. Teams that cannot demonstrate that coherence face remediation obligations that consume the next twelve months of NFR capacity.

Who it is for

Non-financial risk managers, operational risk directors, and enterprise risk leads at Australian and global investment banks who are accountable for CPS 220, CPS 234, and operational risk framework delivery. People who own the RCSA process, the risk appetite statement, and the board risk reporting pack. They understand the regulatory landscape; what they need is a structured implementation methodology that produces artefacts that are audit-ready from the moment they are drafted.

Who this is NOT for. General compliance officers who need an introduction to operational risk concepts. This course assumes you already understand what an RCSA is and what APRA expects; it is about building the artefacts correctly, not learning the theory.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Approximately four to six hours per module. The full course covers twelve modules. Most practitioners complete the course over four to six weeks, with implementation work running in parallel from module three onwards.

Why $199 is the right number

APRA-focused risk training from the larger consultancies runs at $8,000 to $15,000 per delegate for a three-day programme that covers theory and regulation but does not produce artefacts. Internal capability building through secondments takes twelve to eighteen months. This course produces the actual artefacts your organisation needs, not a training certificate.

FAQ

Does this cover both CPS 220 and CPS 234?
Yes. Module 9 specifically covers the integration between CPS 220 operational risk obligations and CPS 234 information security obligations. The course is designed for NFR practitioners who need both frameworks to connect in their reporting architecture.
Is this relevant for investment banking specifically, or is it written for retail banking?
The artefacts and methodology are calibrated for the investment banking context: the risk taxonomy includes trading and markets risk types, the scenario analysis covers market disruption and counterparty failure scenarios, and the board reporting examples reflect the governance structure of a global investment bank.
What if I already have an RCSA and appetite statement? Do I need to start from scratch?
No. The implementation playbook is built specifically for your existing framework. The course methodology assumes you are working with existing artefacts and shows you how to rebuild or retrofit each component to achieve the coherence the regulator expects.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.