
CPS 230 - Critical Operations and their place in the eGRC architecture

Alexander Fiedler

The date is set for the implementation of CPS 230. Now that there is a clear deadline, the question is no longer when it must be done but whether everything can be put in place by that date.


Many organisations will already have been practising several of the components that CPS 230 requires, but generally not with the degree of interaction between them that CPS 230 now mandates. And there are a number of new aspects that will require focus.


Operational Risk Management practices have been established at most organisations for a number of years. Third Party Risk Management is also not a new topic. Business Resilience and Business Continuity Planning (BCP) have been elevated in importance significantly, especially due to the pandemic.


So what is really new about CPS 230? From my perspective, the main item is the identification and monitoring of Critical Operations. APRA defines critical operations as "processes undertaken by an APRA-regulated entity or its service provider which, if disrupted beyond tolerance levels, would have a material adverse impact on its depositors, policyholders, beneficiaries or other customers, or its role in the financial system." (refer to paragraph 35, page 8, Prudential Standard CPS 230, APRA, July 2025)


Critical Operations

Most organisations will have done some form of business process mapping and may also have worked on identifying the risks and controls in the different processes. However, very few if any will have applied the lens that APRA now requires for Critical Operations: which processes, if disrupted beyond tolerance levels, would have a material adverse impact on customers or on the entity's role in the financial system. So while there may be some cross-over between the standard business processes and Critical Operations, this will largely be a new data point that will need to be articulated.

APRA does provide some guidance on what critical operations could be, but it is up to each organisation to identify, document and justify what its critical operations are and why some processes are included while others are not (refer to paragraph 36, page 23 of CPG 230).


Documentation

Assuming that is done, the next challenge will be to decide where that information will be stored and how it will be connected to the other pieces to get a holistic view of the Critical Operations risk profile. Not every organisation has a single system that brings Operational Risk Management, Third Party Risk Management, and Business Resilience and BCP together. While there are certainly platforms out there that can manage all of these, more often than not disparate systems are used so that each discipline gets its own specifics and a "best of breed" tool. This approach, however, does not come without its challenges. So where should you store the Critical Operations information?


Option 1: Enterprise GRC System

Your enterprise GRC system, the one that supports your Operational Risk Management standards, is the first option. Documenting your Critical Operations here lets you link risks and controls directly to each critical operation, which in turn gives you a more holistic risk profile of each one. If that system also handles your business disruption incidents and allows them to be linked to this new data point of critical operations, you are in a very good position.


Option 2: Business Resilience / BCP system

The need to have early visibility of impacts to Critical Operations lends itself to defining and keeping them in the system that handles your Business Resilience and BCP. However, depending on your technology setup, this may not be the enterprise GRC system that documents and manages your risks, controls, operational risk and compliance incidents, and so on.


Especially for option 2, you will need to look at how the information gets synchronised or linked between the different systems. The most common approaches are APIs, reporting, or a mixture of the two. APIs and direct integrations between different systems (often from different vendors, built on different technologies) are certainly an option, but they bring added complexity that may not be warranted for this specific scenario. The alternative is to use reporting to bring it all together: your data warehouse, data lake, or enterprise reporting solution joins the data from both systems. Regardless of the approach, the challenge is the same: the two systems need a shared, stable identifier for each critical operation, and the mapping between them must be checked regularly so that a risk profile is not built on dangling or missing links.
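Whichever route you take, the join between the two systems is only as good as the identifier mapping, so the reconciliation check is worth automating. The following is an added example, not code from the original post or from any GRC or BCP product: it assumes both systems can export a CSV with a shared critical-operation identifier (the column names `co_id` and `critical_operation_ref`, the record layouts and the sample rows are all constructed for illustration) and reports the three mapping defects that would distort a Critical Operations risk profile: critical operations with no linked risks or controls, GRC records pointing at an identifier the BCP system does not know, and GRC records with no reference at all.

```python
"""Reconcile Critical Operations exported from a BCP system with the
risk/control records held in an enterprise GRC system.

Added example, not part of the original post: the CSV layouts, column
names and identifiers below are assumptions, and the sample rows are
constructed for illustration.
"""
import csv
import io
from collections import defaultdict

# Constructed export from the Business Resilience / BCP system (assumed layout).
BCP_EXPORT = """\
co_id,name,tolerance_hours,owner
CO-001,Retail Payments Processing,4,Head of Payments
CO-002,Claims Assessment,24,Head of Claims
CO-003,Customer Identity Verification,8,Head of Digital
"""

# Constructed export from the enterprise GRC system: risks and controls that
# carry a reference to a critical operation (assumed layout). Row R-1102
# deliberately uses a differently cased, space-padded reference, which is the
# kind of drift that appears when two vendors' systems are joined.
GRC_EXPORT = """\
record_id,record_type,title,critical_operation_ref,last_assessed
R-1101,risk,Payment switch outage,CO-001,2025-05-12
C-2201,control,Switch failover test,CO-001,2025-06-01
R-1102,risk,Claims platform vendor failure,co-002 ,2025-03-30
R-1103,risk,Loss of data centre,CO-004,2025-04-18
R-1104,risk,Unmapped third-party outage,,2025-02-02
"""


def normalise_ref(ref):
    """Canonicalise a critical-operation reference so that cosmetic
    differences between systems (case, surrounding whitespace) do not
    break the join. Anything else is treated as a genuine mismatch."""
    return ref.strip().upper()


def load_rows(text):
    """Parse a CSV export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(bcp_csv, grc_csv):
    """Join the two exports on the critical-operation identifier and return
    the coverage map plus every mapping defect found."""
    critical_ops = {normalise_ref(r["co_id"]): r for r in load_rows(bcp_csv)}
    linked = defaultdict(list)   # CO id -> GRC record ids that reference it
    dangling = []                # GRC records pointing at an unknown CO id
    unreferenced = []            # GRC records carrying no CO reference at all
    for rec in load_rows(grc_csv):
        ref = normalise_ref(rec["critical_operation_ref"])
        if not ref:
            unreferenced.append(rec["record_id"])
        elif ref in critical_ops:
            linked[ref].append(rec["record_id"])
        else:
            dangling.append((rec["record_id"], rec["critical_operation_ref"]))
    # A critical operation with nothing linked to it has no risk profile yet.
    uncovered = sorted(co for co in critical_ops if co not in linked)
    return {
        "coverage": {co: sorted(ids) for co, ids in linked.items()},
        "uncovered_critical_operations": uncovered,
        "dangling_references": dangling,
        "unreferenced_records": sorted(unreferenced),
    }


def print_report(report):
    """Human-readable summary for a reconciliation run."""
    for co, ids in sorted(report["coverage"].items()):
        print(f"{co}: linked to {', '.join(ids)}")
    for co in report["uncovered_critical_operations"]:
        print(f"GAP: {co} has no linked risks or controls in the GRC system")
    for rec_id, raw in report["dangling_references"]:
        print(f"DANGLING: {rec_id} references unknown critical operation {raw!r}")
    for rec_id in report["unreferenced_records"]:
        print(f"UNMAPPED: {rec_id} has no critical operation reference")


if __name__ == "__main__":
    print_report(reconcile(BCP_EXPORT, GRC_EXPORT))
```

Run on the constructed exports, the report shows CO-001 and CO-002 covered, CO-003 with no linked risk or control, R-1103 pointing at a CO-004 that the BCP system never defined, and R-1104 with no reference at all. The same function works whether the two exports come from API pulls or from tables in the data warehouse; the point is that the check runs on a schedule, not once at go-live.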


So where in your CPS 230 journey are you and what is your approach? Keen to hear your thoughts.






