Operational Resilience Under CPS 230

$199.00
A focused course, tailored for you

Build the board-ready critical operations program that APRA examiners actually want to see.

Your critical operations register keeps expanding because every business unit head has a different view of what is material. Tolerances are contested. The board paper is due. The APRA examination cycle does not wait for internal alignment.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

CPS 230 Operational Risk Management requires APRA-regulated entities to formally identify critical operations, set board-approved tolerances, map service provider dependencies, and maintain a tested operational resilience program. The standard is clear on the outcome. It is silent on how a Senior Operational Risk Manager stitches together an RCSA that was built for Basel purposes, a scenario library built for stress testing, and a third-party dependency map that lives in three separate systems, into a single coherent package that satisfies an APRA examiner, a board risk committee, and a group-level reporting requirement simultaneously. That integration is the work nobody scoped. This course scopes it.

What you walk away with

  • Produce a scoped critical operations register that business unit heads will sign off on.
  • Set defensible impact tolerances using a methodology that survives board challenge.
  • Build the RCSA-to-resilience-program bridge that eliminates duplicate workstreams.
  • Write the third-party risk annex that APRA examiners read first.
  • Deliver a board paper structure that gets the program approved, not sent back for rework.
  • Maintain the program through the annual review cycle without rebuilding from scratch.

The 12 modules

Module 1. What CPS 230 Actually Requires vs What Most Banks Have Built
A precise reading of CPS 230 against the legacy operational risk frameworks most APRA-regulated banks inherited from Basel. This module maps the gaps: where CPS 231 and CPS 232 compliance left blind spots, which CPS 230 obligations are genuinely new, and which existing artefacts including the RCSA, BCP, and scenario library can be repurposed versus rebuilt. Output: a gap map you take into your first internal stakeholder session.
Module 2. Scoping Critical Operations Without Scope Creep
The most common failure mode in CPS 230 implementation is a critical operations register that includes everything because no one wants to be the person who left something out. This module builds the materiality criteria, the challenge process for business unit nominations, and the escalation path for contested items. Output: a scoping methodology document and a draft board-approved definition of materiality calibrated to your entity.
Module 3. Setting Impact Tolerances That Survive Board Challenge
Tolerances set too conservatively create unrealistic recovery obligations. Tolerances set too loosely fail the APRA credibility test. This module walks through the quantitative and qualitative inputs for each critical operation, the facilitation technique for business line agreement, and the documentation standard that shows the board the tolerance was set with evidence rather than judgment alone. Output: a tolerance-setting template calibrated to your entity's risk appetite statement.
Module 4. Mapping Service Provider Dependencies Without Repeating the Outsourcing Register
CPS 230 requires material service provider identification and management, but most APRA-regulated entities already maintain an outsourcing register under legacy CPS 231 obligations. This module shows how to extract the critical operations dependency view from the existing register without duplicating governance, how to classify fourth-party dependencies, and how to write the risk assessment narrative that connects the dependency map to the tolerance. Output: a dependency mapping template that feeds directly into the board paper.
Module 5. Integrating the RCSA Into the Resilience Framework
The RCSA was designed to identify and rate risks to business-as-usual operations. CPS 230 requires a view of risks to critical operations under stress. The two are related but not identical. This module builds the bridge: which RCSA risks map to which critical operations, how to identify gaps in coverage, and how to maintain the RCSA as the feeder document for the resilience program rather than running two parallel risk registers. Output: an RCSA-to-resilience mapping template.
Module 6. The Scenario Library: From Stress Testing to Resilience Testing
Scenario analysis under operational risk capital requirements focuses on severity and frequency of loss. Resilience scenario testing focuses on disruption to critical operations and recovery within tolerance. This module translates the existing scenario library into resilience-relevant scenarios, identifies which scenarios require a new data set, and builds the testing calendar that demonstrates to APRA that scenarios are run, not just documented. Output: a scenario mapping matrix and testing calendar template.
Module 7. The Third-Party Risk Annex APRA Examiners Read First
APRA examinations under CPS 230 consistently flag third-party risk annexes as the section with the most gaps. The common failures are dependency maps not tracing to critical operations, service provider assessments that restate contractual terms without risk analysis, and contingency plans that assume the provider recovers within tolerance. This module writes the annex structure, the risk assessment narrative, and the contingency planning section that addresses each of those examiner concerns. Output: a third-party risk annex template with worked examples.
Module 8. Building the Operational Resilience Program Document
The CPS 230 operational resilience program document is the master reference that ties critical operations, tolerances, service provider dependencies, scenario testing, and governance together. This module covers the document architecture, the version control and annual review requirements, the board approval narrative, and the interface between the resilience program document and the group-level risk framework. Output: a program document structure with all required CPS 230 cross-references populated.
Module 9. Writing the Board Paper That Gets Approved
Board risk committees receive CPS 230 papers that are either too operational (a list of what was done) or too conceptual (a description of the standard). Neither gets approved without rework. This module covers the board paper structure that frames the program as a risk management decision rather than a compliance exercise, the tolerance approval narrative, and the reporting cadence the board needs to discharge CPS 230 oversight obligations. Output: a board paper template and a recurring reporting dashboard structure.
Module 10. Managing the APRA Examination: What Examiners Ask and What They Want to See
APRA examinations under CPS 230 are not documentation reviews. They are conversations about whether the entity understands its critical operations and can demonstrate the resilience program is operational, not theoretical. This module covers the most common examiner questions, the documentation package that supports each answer, the escalation points where senior management will need briefing before the examination, and the response process for examination findings. Output: an examination readiness checklist and a stakeholder briefing template.
Module 11. Group-Level Reporting When Your Entity Is Inside a Larger Group
APRA-regulated entities inside a larger financial group face an additional layer of complexity: CPS 230 obligations at the entity level must interface with group-level operational risk reporting that may follow a different standard, cadence, or taxonomy. This module covers the reporting interface, the data translation requirements, and the governance structure that satisfies both the APRA-regulated entity board and the group risk function simultaneously. Output: a group-reporting interface document and a taxonomy alignment matrix.
Module 12. The Annual Review Cycle: Keeping the Program Current Without Rebuilding It
The most expensive CPS 230 implementations are the ones that treat the annual review as a rebuild. Critical operations change. Tolerances may need resetting. Service providers change. This module builds the incremental annual review process, the trigger-event review process for material changes mid-year, and the documentation trail that demonstrates to APRA the program is maintained as a living document rather than a compliance artefact filed after the examination. Output: an annual review process map and a change-trigger register template.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

You are preparing the initial CPS 230 submission and need to scope critical operations before the board paper deadline.
You have a first draft but tolerances are contested by business unit heads and the sign-off is stalled.
You are preparing for an APRA examination and need to organise the documentation package.
You are inside a financial group and need to align the entity-level CPS 230 program with group risk reporting requirements.

What you get with this course

  • Twelve written modules covering the full CPS 230 implementation cycle from scoping to annual review.
  • Downloadable templates for every working artefact: critical operations register, tolerance-setting worksheet, third-party risk annex, board paper structure, examination readiness checklist.
  • Worked examples for each template drawn from the APRA-regulated banking sector.
  • The hand-built implementation playbook tailored to your specific role and operational context, delivered alongside course access.

What you will have in hand by Day 1, Week 1, Month 1

Course access and the tailored implementation playbook are both delivered within 24 hours of purchase.

Each module is self-paced and produces one working artefact. The full program can be completed over a standard four-week review cycle.

Before and after

Before

The critical operations register is growing, tolerances are contested, and the board paper deadline is approaching with no clear sign-off path. The RCSA, scenario library, and third-party dependency map exist as separate artefacts that do not converge into a single examination-ready package.

After

A board-approved critical operations program with documented tolerances, an integrated third-party risk annex, and a tested scenario library. A board paper structure that frames the program as a risk management decision. An annual review process that maintains the program without rebuilding it from scratch.

What happens if you do not address this

APRA examinations under CPS 230 focus on whether the program is operational. An entity that has documented the standard but cannot demonstrate that the critical operations register, tolerances, and scenario testing are integrated and maintained will receive an examination finding. Examination findings under CPS 230 are escalated to the board. The reputational and regulatory cost of a finding is significantly higher than the cost of building the program correctly the first time.

Who it is for

Senior Operational Risk Managers and Group Operational Risk leads at APRA-regulated banks, asset managers, and insurance groups who are responsible for CPS 230 implementation, board risk committee reporting, and APRA examination readiness. You understand the standard. The challenge is the execution artefacts.

Who this is NOT for. Risk professionals at non-APRA-regulated entities, or anyone looking for a conceptual overview of operational risk frameworks. This course is about building the specific artefacts CPS 230 requires.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Each module takes approximately 45 to 60 minutes to read and work through. The full 12-module course typically runs across two to three weeks for a working operational risk professional.

Why $199 is the right number

APRA guidance documents describe the standard without building the artefacts. External consultants charge $30,000 to $80,000 to build the program on your behalf. This course builds the same artefacts at $199, with the templates and methodology you continue to use through every subsequent annual review cycle.

FAQ

Is this specific to banking or does it cover insurance and superannuation as well?
The modules are written primarily for APRA-regulated banks and ADIs, where CPS 230 has the most immediate operational impact. The core methodology for critical operations scoping, tolerance-setting, and board reporting applies equally to insurance entities under LPS 230 and RSE licensees under SPS 230. The third-party risk annex module addresses the specific obligations that differ across the three standards.
My entity already has a CPS 230 program in place. Is there still value in the course?
The most common finding in entities that have completed their initial CPS 230 submission is that the annual review process was not built into the program structure. The second most common finding is that the third-party risk annex does not connect to the critical operations register in a way that satisfies examiners. Module 7 and Module 12 address both of those gaps directly.
What does the implementation playbook include?
The playbook is built specifically for your role and operational context. It covers the sequencing of the implementation workstreams, the stakeholder engagement plan for tolerance sign-off, the examination readiness timeline, and a prioritised action list for the first 90 days. It is a working document for your specific program, not a generic checklist.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.