
Operational Risk Management for APRA-Regulated Firms

$199.00

A focused course, tailored for you

Build the six artefacts APRA examiners actually score, from risk appetite statement to board reporting pack.

The APRA examination report lands and four of the six findings carry "partially addressed" status from the previous cycle. The examiners noted them in the opening remarks. The issue is not the controls, which are largely functional, but the evidence packaging, the narrative threading the RCSA through to the risk appetite attestation, and the board reporting pack that does not reflect how the risk program actually operates. That gap between a functional risk program and an examinable one is what this course closes.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

A senior risk or compliance manager at a major financial institution typically runs a capable program. Controls are documented, RCSAs are refreshed, board papers are produced on schedule. The problem that surfaces in APRA examinations is different: the artefacts do not speak to each other. The risk appetite statement uses different language from the RCSA categories. The scenario analysis results do not connect to the capital discussion. The material service provider register was last updated before a significant outsourcing change. Examiners notice these disconnections not because they are looking for failures but because they are trying to understand whether the second line genuinely understands the firm's operational risk profile. This course bridges from a functioning program to an examinable one.

What you walk away with

  • A completed risk appetite statement that connects to business-line thresholds and board attestation.
  • An RCSA methodology and workshop facilitation guide your team can repeat across all business units.
  • A material service provider register built to CPS 230 requirements with an annual oversight program.
  • A control testing framework with evidence templates, remediation tracking, and committee reporting.
  • An APRA examination readiness pack covering information requests, evidence structures, and finding responses.

The 12 modules

Module 1. Risk Appetite Framework Design
The risk appetite statement is the document APRA examiners start with. This module walks through the structure: quantitative thresholds at business line level, qualitative statements for conduct and reputational risk, the board approval pathway, and the connection to the RCSA. You draft your institution's risk appetite statement section by section, with worked examples from different risk categories and a template the board risk committee can sign off.
Module 2. RCSA Methodology and Rollout
The RCSA is only as useful as the methodology behind it. This module covers: how to scope the risk universe per business unit, how to rate inherent and residual risk consistently across teams, how to set control effectiveness criteria that hold up under examination, and how to run the facilitated workshop that captures real business-line risk rather than compliance theatre. Template RCSA sheets and facilitator guides are included.
Module 3. Operational Loss Data Taxonomy
Operational loss data collection fails at categorisation. This module builds your loss event taxonomy from the Basel event type categories down to the internal sub-categories specific to your business mix. You work through threshold settings for collecting near-misses versus reportable events, the escalation rules for losses above material thresholds, and how to structure the loss database so it feeds both internal reporting and the APRA regulatory returns.
Module 4. Scenario Analysis Program
Scenario analysis is the hardest operational risk discipline to make credible. This module covers: how to select scenarios that are plausible but severe, how to quantify scenarios without fabricating false precision, how to run facilitated scenario workshops with senior business owners, and how to document results in a format that satisfies APRA's expectations for firms under both standardised and advanced approaches. Includes four worked scenario templates across different risk categories.
Module 5. Material Service Provider Oversight
CPS 230 introduced specific requirements for material service provider identification and ongoing oversight. This module builds the MSP register from scratch: criticality assessment methodology, how to set the materiality threshold, the annual oversight program including due diligence questionnaires and on-site review schedules, and the board paper format for reporting MSP risk. Worked examples cover technology providers, payment processors, and offshore service centre arrangements.
Module 6. Control Testing Framework Design
Control testing evidence is what APRA examiners request first. This module designs your control testing framework: how to classify controls by testing frequency and method, how to write testing procedures that produce useful evidence rather than tick-box confirmation, how to manage the remediation pipeline for failed controls, and how to report testing results to the risk committee in a format that shows genuine assurance. Templates for every control category.
Module 7. Regulatory Change Management
New APRA prudential standards, ASIC regulatory guides, and Treasury consultation papers arrive continuously. This module builds the regulatory change management function: how to scan and triage incoming changes, how to assess impact on existing controls and frameworks, how to track implementation milestones across business lines, and how to close out regulatory changes with documented evidence. Includes an obligations register template and a change impact assessment methodology.
Module 8. Board Risk Reporting Pack
The board risk committee paper is the artefact that matters most to directors and regulators. This module designs the pack from cover to close: the executive risk summary, the risk appetite utilisation table, the emerging risk commentary, the control environment heat map, and the regulatory and audit findings tracker. You build each section with worked examples and a template that adapts to quarterly, half-yearly, and annual reporting cycles.
Module 9. APRA Examination Readiness
APRA prudential reviews and thematic examinations follow a predictable pattern. This module maps that pattern: the information request stage, the interview and workshop process, the draft findings communication, and the remediation response. You build the examination readiness checklist for each major risk area, the evidence pack structure that reduces examiner query time, and the finding response template that demonstrates genuine remediation rather than paper compliance.
Module 10. Operational Risk Capital Fundamentals
How internal operational risk data connects to regulatory capital calculations is poorly understood by many risk managers. This module covers: the standardised measurement approach under Basel III, how the internal loss multiplier works, how scenario analysis feeds stress capital estimates, and what the APRA submission process looks like for operational risk capital. Not a quantitative finance module. A practical briefing on how your risk data affects the capital number.
Module 11. Compliance Monitoring Program
The compliance monitoring program sits alongside the operational risk RCSA but answers a different question: are the obligations actually being met. This module designs the monitoring plan from the obligations register down to the individual test: how to write testable compliance statements, how to sample-test compliance evidence, how to grade findings on a severity scale, and how to report breaches to the board and to ASIC under the reportable situations regime.
Module 12. Three Lines of Defence Governance
Effective three lines governance stops risk activities falling through gaps between business, risk, and audit functions. This module builds the governance model: the three lines charter with specific role descriptions for operational risk activities, the RACI matrix for risk framework activities, the escalation protocol for first-to-second line referrals, and the committee structure that routes risk issues to the right decision-makers. Includes a board-ready three lines diagram.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

Your risk appetite statement uses different language from the board paper that cites it.
The RCSA was refreshed but the control ratings do not connect to the loss event data.
The APRA examination information request arrives and it takes three days to locate the right artefacts.
The material service provider register does not reflect the outsourcing arrangements added in the last 18 months.

What you get with this course

  • 12 written modules, each building one implementation artefact for the operational risk program.
  • Downloadable templates: risk appetite statement, RCSA worksheet, MSP register, control testing schedule, board risk reporting pack.
  • APRA examination readiness checklist and evidence pack structure.
  • Hand-built implementation playbook tailored to your institution's regulatory context, delivered with course access.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Before and after

Before

The framework produces reports but the artefacts do not speak to each other. Each examination cycle surfaces the same category of documentation gap in different packaging.

After

Every major risk artefact links to every other. The board risk reporting pack reflects live risk appetite utilisation. The examination readiness checklist is maintained rather than assembled under time pressure.

What happens if you do not address this

Each APRA examination cycle that finds the same category of gap extends the regulatory relationship onto a remediation track rather than a business-as-usual track. The operational cost of managing findings across multiple cycles typically exceeds the cost of fixing the underlying framework once.

Who it is for

This course is for a senior risk or compliance professional at an APRA-regulated entity who owns the operational risk framework, the compliance monitoring program, or both. You have been in the role long enough to know the framework functions day-to-day but you carry the awareness that the next examination cycle will test artefact coherence and evidence standard. You are not a beginner to risk management. You need the implementation methodology, the template pack, and the examination readiness discipline.

Who this is NOT for. Professionals building a risk program from scratch at a startup or unregulated entity. Professionals whose primary focus is market risk, credit risk, or treasury. Anyone looking for a general risk certification pathway rather than an implementation-specific course.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. 8-12 hours of guided module work, plus the time to apply each template to your institution's actual data. Most participants complete the core modules over two to three weeks while running the framework in parallel.

Why $199 is the right number

APRA-focused training in the market is typically certification-heavy (PRMIA, IRM, Chartered Banker pathways) and covers theory without building implementation artefacts. Risk consulting engagements deliver bespoke programmes at significant cost and typically do not leave behind the internal capability to maintain them. This course delivers the artefacts and the methodology at a fraction of either alternative.

FAQ

Is this specific to CPS 230 or does it cover CPS 234 and other APRA standards?
The primary framework is CPS 230 operational risk management, but modules on control testing, compliance monitoring, and board reporting apply directly to CPS 234 information security obligations and the broader prudential standards suite. The methodology transfers across standards.
How does the course handle multi-jurisdictional requirements for firms operating across APRA, FCA, and SEC regulatory perimeters?
Module 7 (Regulatory Change Management) and Module 8 (Board Risk Reporting) include worked examples from firms with UK and US regulatory obligations alongside APRA. The core framework is designed for APRA primacy with foreign regulatory overlay.
The RCSA and scenario analysis modules reference facilitated workshops. Is there support for running those internally?
Yes. Each of those modules includes a facilitator guide with discussion prompts, time allocations, and documentation templates you can run with your own team without external consulting support.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.
