Operational Resilience Program Build for Financial Services

$199.00

A focused course, tailored for you

Map your critical operations, pass your scenario tests, and deliver a board-ready resilience program that satisfies APRA CPS 230.

Your scenario test results are in. Three critical operations have recovery gaps the documentation does not yet cover. The board resilience committee wants a program status report before the next attestation period, and your third-party service provider list has grown faster than the oversight framework that is supposed to govern it. Each of those items traces back to the same root problem: the program artefacts that regulators and boards expect do not yet exist in the form they need to take.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

APRA CPS 230 set a new bar for operational resilience in Australian financial services. Critical operations must be identified and scoped. Tolerance levels for disruption (MTPoDs) and recovery time objectives must be documented per operation, not per system. Scenario testing must be evidenced with formal reports that demonstrate the program is working. Third-party and fourth-party service providers must be overseen through a structured attestation process. Board and governance committees need reporting that shows the program is not just active but effective. Senior resilience managers at large financial groups are accountable for all of it simultaneously, with a team that is rarely large enough for the scope.

What you walk away with

  • Complete a defensible critical operations register with MTPoDs and RTOs documented to CPS 230 standard.
  • Design and run a scenario test that produces a board-submittable evidence package.
  • Build a third-party service provider resilience oversight framework with attestation templates.
  • Produce a governance committee reporting dashboard that shows program health at a glance.
  • Map your program against CPS 230 requirements well enough to self-assess gaps before an APRA review.
  • Hand a resilience program structure to a new team member that does not require your presence to run.

The 12 modules

Module 1. Scoping Critical Operations Under CPS 230
Start with the APRA CPS 230 definition of a critical operation and work through the scoping methodology a large financial group actually needs. Covers the difference between a business service, a critical operation, and a supporting asset. Walks through how to facilitate a scoping workshop with business unit heads, resolve disputes where two units claim the same critical operation, and document the output in a register your regulator can inspect. Includes a scoping decision matrix and a draft register template.
Module 2. Setting MTPoDs and RTOs That Survive Scrutiny
Maximum tolerable periods of disruption and recovery time objectives are not IT metrics under CPS 230. They are business judgements that must be defensible to an APRA reviewer. This module covers the methodology for deriving MTPoDs from customer impact and regulatory exposure, the process for aligning RTOs with realistic recovery capability, and the documentation format that shows how each figure was determined. Common failure: setting RTOs tighter than the actual recovery capability and getting caught in the scenario test.
Module 3. Scenario Test Design: From Selection to Evidence Pack
Covers how to select scenarios that are plausible, severe, and linked to the critical operations in your register. Walks through the design of a test script that produces observable outcomes rather than pass/fail checkbox answers. Covers who needs to participate, how to document observations in real time, and how to assemble the post-test evidence package that satisfies both internal audit and a regulator. Includes a scenario test planning template and an observation log format.
Module 4. Writing the Scenario Test Report
The scenario test report is the artefact APRA and your board committee will read. This module covers the structure of a credible report: executive summary with findings and remediation commitments, methodology section explaining how the test was run, findings register with severity ratings, and a management response section. Covers how to handle a genuine gap finding without triggering a regulatory escalation, and how to close findings with evidence the gap is remediated.
Module 5. Third-Party Service Provider Resilience Oversight
CPS 230 extends resilience obligations to material service providers. This module covers how to tier your service provider population by criticality, design a resilience attestation questionnaire that elicits genuine responses rather than tick-box answers, and build an oversight calendar that gives you a defensible picture of third-party resilience without overwhelming your team. Covers how to handle a provider who cannot or will not provide adequate attestation, and the escalation path to senior management and the board.
Module 6. Fourth-Party and Concentration Risk Mapping
A significant resilience exposure sits in the providers your service providers rely on. This module covers how to identify material fourth-party dependencies through your service provider attestation process, how to assess concentration risk where multiple critical operations depend on a common infrastructure or vendor, and how to document fourth-party exposure in a way that is proportionate to its materiality. Includes a concentration risk register template and a threshold-setting methodology.
Module 7. Crisis Response and Escalation Runbooks
When a critical operation is disrupted, the response quality depends on whether the runbook exists and whether people can find and follow it under pressure. This module covers the structure of a crisis response runbook for a large financial group: trigger conditions, notification tree, decision authority at each escalation level, customer communication obligations, and the handoff when an incident transitions to executive crisis management. Covers how to test a runbook without a full scenario exercise.
Module 8. Governance Committee Reporting for Resilience
Board risk committees and the executive resilience committee need different things from the same program. This module covers how to design a reporting framework that serves both without doubling your workload. Covers the metrics that matter at executive level (scenario test completion rate, critical operation coverage, finding remediation status, third-party oversight currency), the narrative structure that explains what the metrics mean, and the red/amber/green thresholds your governance chair can use to make a quick judgment on program health.
Module 9. APRA CPS 230 Self-Assessment Against the Prudential Standard
Before APRA comes to you, know where your program stands against the prudential standard. Map each CPS 230 obligation to the artefact that evidences compliance, identify gaps where the artefact is not yet at the required standard, and produce a gap register with owners and target dates. Covers how to present the self-assessment to your Chief Risk Officer and how to handle a finding that cannot be remediated before the next review cycle.
Module 10. Connecting Resilience to the Broader Risk Framework
Operational resilience does not sit in isolation. This module covers the connections between your resilience program and operational risk management (incident taxonomy, loss event reporting), information security (cyber scenario testing, data availability requirements), and business continuity (legacy BCP plans and their relationship to the new critical operations register). Covers how to avoid duplication of effort across teams and how to present a unified picture of non-financial risk to the board.
Module 11. Program Uplift Planning: From Current State to Target State
Most resilience programs at large financial groups are partway through a CPS 230 uplift. This module covers how to build a credible uplift plan from a current-state assessment: prioritise gaps by regulatory exposure, assign owners, set realistic target dates, and track progress through a program governance cadence. Covers how to handle scope creep from business units, and how to present an uplift plan to the board that is both credible and achievable.
Module 12. Sustaining the Program: Ongoing Testing, Reviews, and Team Capability
Standing the program up is the easy part. Sustaining it after the uplift is done is harder. This module covers the annual program calendar: scenario test schedule, service provider attestation cycle, critical operations review triggers, and governance reporting cadence. Covers how to build team capability so the program does not depend on one person, and how to handle a leadership change or restructure without losing program continuity.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

You have a scenario test due and no standard report template: modules 3 and 4.
Your critical operations register exists but the MTPoDs are not yet documented to APRA standard: modules 1 and 2.
Your board resilience committee wants a dashboard and is not happy with the current narrative format: module 8.
Your third-party oversight list is out of date and a service provider review is coming: modules 5 and 6.

What you get with this course

  • Twelve written modules covering the full CPS 230 program lifecycle from critical operations scoping through board reporting.
  • Downloadable templates: critical operations register, scenario test planning script, scenario test report structure, third-party resilience attestation questionnaire, concentration risk register, governance committee reporting dashboard, APRA CPS 230 self-assessment gap register, program uplift tracker.
  • Worked examples drawn from large financial group resilience program contexts.
  • Hand-built implementation playbook tailored to your specific role and organisation type, delivered alongside course access.

What you will have in hand by Day 1, Week 1, Month 1

Course access provisioned within 24 hours of purchase.

Hand-built implementation playbook delivered alongside course access within the same 24-hour window.

No expiry. Return to any module when a scenario test, APRA review, or board reporting cycle requires it.

Before and after

Before

A scenario test debrief with open findings, a critical operations register that does not yet document MTPoDs to the required standard, a third-party oversight list that has grown faster than the process to manage it, and a board committee that is asking harder questions than the current reporting format can answer.

After

A board-submittable scenario test report with a closed findings register, a CPS 230-compliant critical operations register, a tiered service provider oversight framework with attestation templates on a repeating calendar, and a governance committee reporting dashboard your resilience committee can use to make decisions.

What happens if you do not address this

APRA CPS 230 is not a future requirement. It is in force. An APRA review that finds gaps in scenario test evidence, incomplete MTPoD documentation, or an absence of formal third-party resilience oversight will result in a formal finding. For a Senior Manager who owns the program, that finding sits with you.

Who it is for

This course is for a Senior Manager or Head of Business Resilience at a large Australian or APAC financial group. You own the CPS 230 program delivery: critical operations mapping, scenario testing, third-party resilience oversight, and governance reporting. You are not building from scratch but you are building fast, and the gap between what the program currently documents and what a regulator or board needs to see is real and time-bounded.

Who this is NOT for. Not for risk consultants scoping a project engagement. Not for compliance analysts who need an introduction to operational resilience concepts. Not for technology teams building disaster recovery runbooks at the infrastructure layer. This course is for the person who owns the enterprise resilience program and needs to produce the artefacts that prove it works.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Twelve modules. Most practitioners complete two to three modules per sitting. The scenario test and governance reporting modules are the most frequently revisited; plan for reference use alongside your live program work, not just initial read-through.

Why $199 is the right number

APRA guidance documents describe what is required. They do not show how a large financial group actually builds it. Consulting engagements can build the artefacts for you, at significantly higher cost, without leaving your team with the capability to maintain them. This course builds that capability in the team that has to own the program after any engagement ends.

FAQ

Is this specific to APRA CPS 230 or does it cover other frameworks?
The program methodology is built around CPS 230 as the primary standard. The critical operations mapping, scenario testing, and governance reporting modules are directly applicable to CPS 232 and have significant overlap with DORA operational resilience requirements for groups with European regulated entities.
We already have a BCP program. How does this relate to it?
Module 10 covers the relationship between the legacy BCP program and the CPS 230 critical operations framework directly. The short answer: BCPs at the system or team level are inputs to the critical operations recovery methodology, not replacements for it. The course shows how to rationalise the two without discarding work that is already done.
Does this cover third-party oversight at the contract level?
Module 5 covers the resilience-specific clauses you need in service provider contracts and the attestation process that sits alongside them. It does not cover broader vendor contract negotiation. The focus is the resilience oversight framework and the documented evidence that it is operating.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.