Skip to main content
Image coming soon

Operational Risk Frameworks That Satisfy Regulators

$199.00
Adding to cart… The item has been added

A focused course, tailored for you

Operational Risk Frameworks That Satisfy Regulators

A skills course for operational risk professionals who need their RCSA, scenario analysis, and risk appetite work to hold up under APRA scrutiny.

Your RCSA gets returned with review notes for the third time this quarter. The scenario analysis narrative doesn't connect to the risk appetite statement. The control ratings lack the evidence trail APRA expects. You are doing the work but the framework isn't producing defensible outputs.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

Operational risk practitioners at investment banks carry an unusual burden: they must produce technically credible outputs (scenario analysis, loss data, RCSA, KRI frameworks) that can withstand both internal second-line challenge and direct regulatory scrutiny under APRA CPS 220. The failure mode is not laziness. It is a structural gap between what teams produce and what a regulator expects to see as evidence of a functioning risk management framework. Generic control descriptions, scenario narratives that don't link to capital models, and risk appetite statements that sit in isolation from day-to-day risk indicators are the three most common reasons regulatory submissions require rework. This course closes those gaps with buildable artefacts, not conceptual overviews.

What you walk away with

  • Build an RCSA that passes second-line challenge on the first submission, with evidence trails regulators can follow.
  • Connect scenario analysis outputs directly to risk appetite statements and capital adequacy narratives.
  • Design a KRI framework where threshold breaches automatically trigger escalation protocols documented in advance.
  • Produce loss data submissions that satisfy APRA CPS 220 data quality requirements without manual rework cycles.
  • Write a risk appetite statement with measurable tolerances that link to operational metrics, not just qualitative declarations.
  • Construct a three-lines-of-defence operating model that is demonstrably functional, not just described in a policy document.

The 12 modules

Module 1. What APRA CPS 220 Actually Expects
A close reading of CPS 220 requirements for operational risk management frameworks, focusing on what 'adequate' means in practice versus how it is typically interpreted. Covers the specific artefacts APRA reviewers look for during a prudential review, the common gaps between policy language and documented practice, and how to map your current framework against the regulatory standard before the regulator does it for you.
Module 2. RCSA Architecture: From Generic to Defensible
The difference between an RCSA that survives challenge and one that doesn't is structural, not cosmetic. This module covers how to define risk boundaries precisely enough that control descriptions can be specific, how to rate control effectiveness using observable evidence rather than judgment, and how to document the rating rationale so second-line reviewers and auditors can follow the logic without asking questions.
Module 3. Control Evidence Standards
Most RCSA failures trace back to controls described in policy terms rather than operational terms. This module covers the distinction between control design adequacy and operating effectiveness, how to select and document evidence that demonstrates a control is functioning at the frequency and scope claimed, and how to build an evidence library that supports continuous rather than point-in-time assurance.
Module 4. Scenario Analysis: Connecting Narrative to Number
Scenario analysis outputs are only useful if they connect to something. This module covers how to structure scenario workshops that produce outputs your capital modelling team can actually use, how to write scenario narratives that link to both the risk appetite statement and the loss distribution assumptions, and how to document the methodology in a way that satisfies both internal model validation and regulatory review.
Module 5. Risk Appetite Statements with Measurable Teeth
A risk appetite statement that cannot be measured is a compliance document, not a management tool. This module works through how to translate qualitative appetite declarations into quantitative tolerances, how to link those tolerances to operational metrics that are already being collected, and how to write the statement in language that is specific enough to generate escalation triggers when thresholds are approached.
Module 6. KRI Framework Design and Threshold Calibration
Key risk indicators are most commonly designed backwards: a list of available metrics dressed up as risk indicators. This module covers how to design KRIs from the risk scenario forward, how to calibrate thresholds using loss history and scenario outputs rather than arbitrary percentiles, and how to document the escalation protocol so that a breach automatically generates a defined response, not a discussion about whether the breach is significant.
Module 7. Loss Data Collection and CPS 220 Data Quality
Loss data submissions under CPS 220 carry specific data quality expectations that most internal loss capture processes do not meet without deliberate design. This module covers the minimum data fields required, how to set capture thresholds that avoid both over- and under-reporting, how to handle near-miss and external loss data, and how to build a quarterly reconciliation process that produces a clean submission with no manual intervention on the day.
Module 8. Three Lines of Defence: Functional Not Ceremonial
Many three-lines models exist as org chart diagrams rather than operating frameworks. This module covers how to define the boundary between first and second line in operational terms (who owns the control, who tests it, what the handoff looks like), how to document second-line oversight activities in a way that demonstrates genuine independence, and how to produce a summary that a regulator can read as evidence of a functioning model rather than a structural diagram.
Module 9. Risk Committee Reporting: What the Pack Needs to Show
Risk committee papers are where framework outputs become visible to governance. This module covers what a credible risk committee pack contains for operational risk, how to present RCSA findings and KRI breaches in a format that supports decision-making rather than information delivery, and how to structure the narrative so that a non-executive director can ask a substantive question about risk exposure rather than a clarifying question about format.
Module 10. Regulatory Submission Preparation
Preparing for an APRA prudential review or responding to a regulatory request for information requires a different skill than producing internal risk reporting. This module covers how to structure a regulatory submission pack, how to anticipate the questions that follow a submission and prepare documented answers in advance, how to manage the information request process so that responses are consistent across different parts of the organisation, and how to handle findings without amplifying them.
Module 11. Emerging Risk Identification and Integration
Operational risk frameworks that only capture historical losses and current controls have a structural blind spot. This module covers how to build an emerging risk identification process that surfaces forward-looking exposures before they appear in the loss data, how to integrate emerging risk findings into the scenario analysis cycle and the risk appetite review, and how to document the identification methodology in a way that demonstrates proactive risk management to a regulator.
Module 12. Framework Maintenance and Continuous Improvement
A framework that was credible at implementation degrades without deliberate maintenance. This module covers how to build an annual review cycle for the RCSA, risk appetite, and KRI framework that is proportionate to actual risk change rather than calendar-driven, how to document framework changes in a way that preserves the audit trail, and how to produce a self-assessment of framework effectiveness that can be shared with regulators as evidence of ongoing governance.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

RCSA keeps getting returned by second-line review: Modules 2, 3
Scenario analysis doesn't connect to capital adequacy: Module 4
Risk appetite statement is qualitative and unmeasurable: Module 5
KRI thresholds don't generate consistent escalation: Module 6

What you get with this course

  • 12 written modules covering RCSA design, scenario analysis, risk appetite, KRI frameworks, loss data, and regulatory submission preparation
  • Downloadable templates for RCSA control evidence documentation, scenario analysis narratives, and risk appetite statement structure
  • Implementation playbook tailored to operational risk roles at financial institutions, delivered alongside course access
  • Self-assessment checklist mapping your current framework against CPS 220 requirements

What you will have in hand by Day 1, Week 1, Month 1

Access to all 12 modules provided within 24 hours of purchase

Hand-built implementation playbook delivered alongside course access

Self-paced: most practitioners complete the course in three to four weeks while applying each module to their current framework

Before and after

Before

RCSA returns with review notes every cycle. Scenario analysis narratives sit disconnected from capital models. Risk appetite statement is a policy document nobody measures against. Regulator submissions require significant manual rework to reach a defensible standard.

After

RCSA rated and evidenced in a format that passes second-line challenge on first submission. Scenario outputs connected to risk appetite tolerances and loss distribution inputs. KRI thresholds calibrated to generate automatic escalation. Loss data submissions clean and consistent every quarter.

What happens if you do not address this

Operational risk frameworks that produce recurring review cycles consume significant team capacity without improving the quality of the output. Each APRA prudential review that finds the same structural gaps creates a documented finding that carries forward. The cost of a defensible framework is one build; the cost of a non-defensible one is a recurring remediation cycle plus regulatory relationship friction.

Who it is for

You are an operational risk professional at a major financial institution, working in the second line or close to it. You produce or review RCSAs, contribute to scenario analysis cycles, and are accountable for outputs that go to risk committees and regulators. You understand the theory. You need the build.

Who this is NOT for. Risk managers whose primary accountability is first-line process ownership rather than framework and methodology. Those looking for an introduction to operational risk concepts rather than a build-and-implement course.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Approximately 3 to 4 hours per module, with additional time for applying templates to your current framework. Most practitioners complete the full course in four to six weeks alongside their regular workload.

Why $199 is the right number

Internal training programs cover framework concepts but rarely build the specific artefacts that regulators review. External consultants charge significantly more per engagement and produce deliverables you cannot maintain independently. Generic risk management certifications cover theory without the operational build. This course produces working artefacts you own and can iterate on.

FAQ

Is this course specific to Australian financial institutions?
The course uses APRA CPS 220 as its primary regulatory reference because that is the standard most directly applicable to major financial institutions operating in Australia. The RCSA design, scenario analysis, and KRI framework modules are applicable to any operational risk role regardless of jurisdiction. The regulatory submission module covers APRA-specific requirements in detail.
Do I need prior operational risk certification to take this course?
No. The course assumes you are already working in an operational risk role and understand the basic concepts. It is designed for practitioners who need to build better artefacts, not for people learning what operational risk is.
How is the implementation playbook tailored to my situation?
The playbook is hand-built by Gerard Blokdijk following your purchase, drawing on the specific role and context you provide. It maps the course modules to your current framework gaps and suggests a sequenced build order based on your most pressing regulatory exposure.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

!