As a technology vendor, Holocentric has the privilege of engaging a broad range of stakeholders affected by the CPS 230 prudential standard – regulated entities (both customers of Holocentric and non-customers), consultants and other vendors.
These conversations have prompted us to reflect on the things that we have observed are working well and giving regulated entities an edge in their compliance programs. We have collated these levers for successful CPS 230 compliance into a simplified framework of best practices to share. Our hope is to provide regulated entities with a reference point to consider how they might address opportunities and weaknesses within their own organisations.
CPS 230 is a prudential standard introduced by APRA to ensure that financial institutions have effective frameworks for managing operational risks, ensuring business continuity, and managing relationships with service providers. The goal is to mitigate risks that could disrupt critical financial services, thereby maintaining the stability of the financial system. This prudential standard comes into effect from July 2025, with APRA expecting regulated entities to be proactive in preparing for implementation (APRA, 2024).
Overview of the best practice framework for achieving CPS 230 compliance
The best practice framework for achieving compliance with CPS 230, set out below, provides key business levers and considerations that organisations are addressing to give themselves an edge in CPS 230 compliance. That edge could be accelerating their compliance program, improving assurance of compliance, or reducing the cost of compliance. Importantly, the best practice framework is not just another take on the CPS 230 Prudential Standard and practice guide – it focuses on levers and considerations that support CPS 230 compliance but may not be explicitly mentioned in the Prudential Standard and Practice Guide, based on our observations and discussions with those currently driving CPS 230 compliance.
The best practice framework has three main parts:
- Key Drivers (top section) – things that regulated entities put in place to create clear direction and leadership for their CPS 230 compliance program.
- Key Activities (middle section) – activities being undertaken or planned by regulated entities to achieve CPS 230 compliance. These are mostly drawn from the Prudential Standard and Practice Guide but are included in the best practice framework for completeness.
- Key Supports – capabilities and resources that regulated entities have acquired, leveraged or enhanced to bolster their CPS 230 compliance capabilities.
In engaging with many organisations, our observation is that almost all regulated entities are actively addressing and excelling at at least 2-3 key drivers and supports. It is likely that no regulated entity is addressing and excelling at all of the key drivers and supports. Importantly, it is unlikely that regulated entities need to get everything right. What regulated entities should do is pick and choose which elements to focus on, so that they are addressing weaknesses and leveraging strengths within their organisations to get the best possible outcomes for their CPS 230 compliance.
By using the best practice framework as a guide, regulated entities can align their compliance efforts with their overall strategic goals and strengths. This allows compliance efforts to go beyond a mere checkbox exercise and opens up opportunities for material operational enhancements and risk mitigation.
Key Drivers
Strategy
Effective CPS 230 compliance begins with integrating compliance efforts into the very fabric of the business strategy. It allows compliance efforts to be more than a checkbox exercise: it proactively identifies opportunities for operational enhancements and risk mitigation based on a deep understanding of business operations, a forward-thinking mindset, and a commitment to continuous improvement. Operational risk controls are not just tacked on to existing processes but are in fact integral to them.
Organisations that do this well are more likely to have their CPS 230 compliance enable their core objectives, instead of being an isolated cost centre in the long term. In such organisations, compliance activities support growth and optimise resource allocation, and, conversely, other strategic initiatives tend to contribute to the resilience and robustness of operations.
Leadership
“Strong leadership in risk management means anticipating potential issues and addressing them proactively, rather than reacting to crises.” – Gary Cohn
Clear and strong leadership plays three key roles in the context of CPS 230 compliance: taking ownership, providing thought leadership and driving the risk culture necessary for successful long-term compliance.
Effective leadership of CPS 230 compliance begins with owning the CPS 230 problem – the right senior management figures taking accountability and exercising their authority to allocate or consolidate the necessary resources to address the challenge. They also provide clear direction by outlining how the organisation will address the CPS 230 challenge. They demonstrate an understanding of the opportunity and challenge that is CPS 230 and the ability to apply robust strategic thinking in the approach. While they need not be the ones who come up with the solution (effective leaders often lean on more capable experts for such problems), they certainly are the ones to champion the approach in a compelling manner.
Leading CPS 230 effectively also means visibly championing and role modeling the desired behaviours, encouraging open communication about regulatory challenges and ensuring that employees at all levels understand the importance of operational resilience. By visibly supporting compliance efforts and demonstrating a commitment to regulatory adherence, leaders can inspire a culture of compliance throughout the organisation.
Empowering leadership extends beyond mere advocacy; it involves providing teams with the necessary tools, training, and support to navigate the complexities of the compliance landscape. This means equipping teams with advanced risk management tools, offering continuous training on regulatory updates, and fostering a supportive environment where employees feel accountable and motivated to uphold compliance standards. By doing so, leaders instil a sense of accountability and ownership among employees, which is crucial for embedding a culture of compliance into the organisation’s DNA (RAPS, 2022; Everfi, n.d.).
Importantly, CPS 230 is unusual in that it likely requires collaboration across different parts of the business. Clear and strong leadership is therefore likely to be required across the multiple participating parts of the organisation.
Governance
Effective governance structures are the backbone of any robust compliance program. In the context of a CPS 230 compliance program, establishing clear roles, responsibilities, and reporting lines is essential for the success of the program. This includes having necessary governance committees, oversight processes, and a framework for continuous improvement.
Good governance fosters transparency and accountability, enabling a coordinated response to operational risks. It ensures that compliance initiatives are consistently executed across the organisation and that any discrepancies or issues are addressed promptly. Structured governance helps maintain high standards of regulatory adherence and operational integrity.
Getting the balance right between creating new governance structures and leveraging existing ones is key. It may be tempting to create governance arrangements that are specific to the CPS 230 program. Indeed, creating new governance arrangements specifically for CPS 230 provides some advantages: clearer accountability, enhanced focus and increased potential to address the compliance requirements innovatively. But they also have the potential to create more complexity, meet more resistance, and consume more time and resources (Deloitte, n.d.).
For example, the CPS 230 Prudential Standard specifically includes requirements for Board, Executive and management oversight. Regulated entities need to consider how these requirements integrate into existing governance structures and processes in the different layers of the organisation to comply and do so cost-effectively. And the answer might be different for each organisation. Regulated entities need to consider the pros and cons of tweaking current frameworks or establishing new parallel governance at each layer of their organisation in a way that will enable them to meet the standard’s obligations efficiently.
Again, because CPS 230 requires collaboration across the organisation, regulated entities also need to consider how the organisation makes cross-functional decisions today: whether its decision-making culture is hierarchical, top-down, or consensus-driven.
By having the right governance arrangements in place, regulated entities can make decisions and have just enough oversight to maintain high standards of regulatory adherence and operational integrity.
Key Activities
1. Define and Identify Critical Operations
As per the CPS 230 Prudential Practice Guide, identifying critical operations is the first thing regulated entities should do. Not only because APRA has set a July 2024 deadline, but also because it forms the foundation of robust compliance. Qualifying and identifying operations that are critical to the regulated entity creates clarity and focus in its management of operational risk. The list of critical operations will vary for each organisation; what’s important is how they determine and can attest to why an operation is critical or not. This top-down approach ensures that material risks are identified and prioritised, forming an effective risk management framework (APRA, 2024).
How regulated entities are addressing this: Most entities start by clarifying what they mean by a critical operation. This could be done in one of a few ways but the most common is using a scorecard approach to assess operations against agreed criteria such as those provided in the CPS 230 Prudential Practice Guide.
2. Identify Processes and Resources for Critical Operations
For each of the critical operations identified, it is essential to understand the key processes and their resource dependencies. As APRA rightly calls out in the Prudential Practice Guide, the more comprehensive the information underpinning this understanding, the more robust the entity's compliance will be. It explicitly states the need to document processes and their dependencies on people, technology, information, facilities and service providers. Importantly, APRA’s stance on proportionality means APRA will expect stronger and more robust practices in larger and more significant regulated entities. APRA also expects regulated entities to mature their practice over time (APRA, 2024).
How regulated entities are addressing this: There is a diverse range of approaches to identifying processes and resources. What most entities are guided by is APRA’s guidance on proportionality. Larger, significant and complex entities tend to be investing in more detailed process documentation to support identification and validation of material service providers, technologies, information, facilities, etc. This is somewhat inevitable, as a critical operation for a large entity is likely to contain more variations in process. For example, a large bank might have different processes, service providers and systems for its different brands, products and channels. Interestingly, entities that are investing in more comprehensive process documentation to support resource identification are uncovering opportunities for significant improvements not just to operational resilience but also to other business outcomes such as customer experience and productivity.
3. Define and Refine Tolerance Levels, Business Continuity Plans and Service Provider Arrangements
APRA explicitly points to tolerance levels, business continuity plans (BCPs) and service provider arrangements as interconnected components that ensure resilience of regulated entities against operational risks and disruptions. APRA not only expects regulated entities to define tolerance levels and put BCPs and appropriate service providers in place, but it also explicitly mentions the need to undertake scenario analysis to identify and mitigate the potential impact of severe operational risk events.
How regulated entities are addressing this: As of July 2024, most regulated entities have either just started or have not yet started defining tolerance levels and refining their BCPs and service provider arrangements. There are some commonalities across their planned approaches: Most organisations are documenting the interdependencies between tolerance levels, BCPs and service provider arrangements. For example, how the recovery time objectives (RTOs) of the systems and service providers, and any alternate arrangements for a critical operation, contribute to or prevent the regulated entity meeting the maximum period of time it would tolerate a disruption to that operation. They are using scenario testing (a mix of table-top and full-scale simulation of plausible disruptions) to assess whether the tolerance levels still hold true. These scenario tests are documented, including the scenarios used for testing, the findings, and plans to implement new or amend existing controls. And finally, they plan to refine their tolerance levels, BCPs and service provider management through iterative scenario testing.
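The interdependency documentation and scenario testing described above can be made checkable rather than left as narrative. The script below is an added example, not Holocentric's software and not anything prescribed by APRA: it models a critical operation with a tolerance level, its dependencies with their RTOs and any alternate arrangement, and then evaluates a set of plausible disruption scenarios to flag where the tolerance level would not hold and which dependency is the limiting one. The operation, dependency names, hours and scenarios are all constructed assumptions for illustration.

```python
"""Check a critical operation's tolerance level against the recovery capability
of its dependencies, under constructed disruption scenarios.

Added example: all operations, dependencies, RTOs and scenarios are constructed
illustrations, not data from any regulated entity or from APRA guidance.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Dependency:
    name: str
    kind: str                  # people / technology / information / facilities / service provider
    rto_hours: float           # recovery time objective of the resource itself
    # Alternate arrangement (standby site, secondary provider, manual workaround):
    # hours needed to activate it, or None if no alternate exists.
    alternate_activation_hours: Optional[float] = None

    def effective_recovery_hours(self) -> float:
        """Recovery time the operation actually experiences if this resource is lost.
        An alternate arrangement only helps when it can be activated faster than
        the resource's own RTO."""
        if self.alternate_activation_hours is None:
            return self.rto_hours
        return min(self.rto_hours, self.alternate_activation_hours)


@dataclass
class CriticalOperation:
    name: str
    tolerance_hours: float     # maximum period of disruption the entity would tolerate
    dependencies: list[Dependency] = field(default_factory=list)


@dataclass
class Finding:
    scenario: str
    operation: str
    recovery_hours: float
    tolerance_hours: float
    limiting_dependency: Optional[str]

    @property
    def within_tolerance(self) -> bool:
        return self.recovery_hours <= self.tolerance_hours


def dependencies_exceeding_tolerance(op: CriticalOperation) -> list[str]:
    """Static interdependency check: any single dependency whose effective recovery
    time alone exceeds the tolerance level prevents the level from being met."""
    return [d.name for d in op.dependencies
            if d.effective_recovery_hours() > op.tolerance_hours]


def assess_scenario(op: CriticalOperation, scenario: str, disrupted: set[str]) -> Finding:
    """Evaluate one plausible disruption: the operation is back only once its
    slowest disrupted dependency (after alternates) has recovered."""
    hit = [d for d in op.dependencies if d.name in disrupted]
    if not hit:
        return Finding(scenario, op.name, 0.0, op.tolerance_hours, None)
    worst = max(hit, key=lambda d: d.effective_recovery_hours())
    return Finding(scenario, op.name, worst.effective_recovery_hours(),
                   op.tolerance_hours, worst.name)


def run_scenarios(op: CriticalOperation, scenarios: dict[str, list[str]]) -> list[Finding]:
    return [assess_scenario(op, name, set(resources)) for name, resources in scenarios.items()]


# Constructed sample: a hypothetical critical operation and its dependencies.
PAYMENTS = CriticalOperation(
    name="Retail payments processing",
    tolerance_hours=4,
    dependencies=[
        Dependency("Core payments platform", "technology", rto_hours=2),
        Dependency("Primary data centre", "facilities", rto_hours=24, alternate_activation_hours=3),
        Dependency("Card scheme gateway (provider)", "service provider", rto_hours=8),
        Dependency("Operations team", "people", rto_hours=1),
    ],
)

# Constructed scenarios: each lists the resources assumed lost in that scenario.
SCENARIOS = {
    "Data centre power loss": ["Primary data centre"],
    "Provider outage": ["Card scheme gateway (provider)"],
    "Combined data centre and provider outage": ["Primary data centre", "Card scheme gateway (provider)"],
}


def report(findings: list[Finding]) -> list[str]:
    """One line per scenario, suitable for the documented test record."""
    lines = []
    for f in findings:
        status = "WITHIN tolerance" if f.within_tolerance else "BREACHES tolerance"
        limit = f" (limited by: {f.limiting_dependency})" if f.limiting_dependency else ""
        lines.append(f"{f.scenario}: {f.recovery_hours:.1f}h vs {f.tolerance_hours:.1f}h -> {status}{limit}")
    return lines


if __name__ == "__main__":
    print("Dependencies that alone exceed tolerance:", dependencies_exceeding_tolerance(PAYMENTS))
    for line in report(run_scenarios(PAYMENTS, SCENARIOS)):
        print(line)
```

In the constructed data the data centre loss is absorbed because the alternate site activates within the tolerance level, while the provider outage breaches it; that second finding is exactly the kind of result that would feed a plan to amend a service provider arrangement or add an alternate arrangement, and re-running the scenarios after the change shows whether the tolerance level then holds.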
4. Operationalise Monitoring, Reporting and Continuous Improvement
APRA makes it clear in the CPS 230 Prudential Standard and Practice Guide that it expects regulated entities not only to continuously manage operational risk, but also to mature their practices over time. This means that initial compliance is just the starting point. Regulated entities need to keep documentation of critical operations, processes and resources, tolerance levels, BCPs and service provider arrangements current, continuously and iteratively test and refine all of the above, and improve the comprehensiveness and robustness of their approach.
This presents a number of challenges for regulated entities and the one at the forefront of the mind of many currently leading CPS 230 compliance is certainly the cost and resources required to manage compliance on an ongoing basis. Most organisations we spoke to have suggested that it is simply not viable to replicate what is being done to achieve initial compliance.
How regulated entities are addressing this: A small number of regulated entities have anticipated the potential resource intensiveness of complying with CPS 230 in the long run and committed to addressing this right from the get-go. They are designing their CPS 230 compliance approaches, processes and systems to be as efficient and repeatable as possible. However, most entities intend to draw learnings from their initial compliance activities to inform how best to comply on an ongoing basis. They expect to have an explicit exercise of transforming the processes and assets created for initial compliance to support ongoing compliance. Either way, what is consistent amongst entities is the intent to leverage contemporary technologies, tools, data and document management, and partnerships to support the operationalisation of CPS 230 compliance. We will discuss these in more detail in the next section.
Key Supports
Technology and Tools
Adopting the right technologies and tools can significantly increase the effectiveness and efficiency of CPS 230 compliance. They can reduce manual effort, increase accuracy and timeliness of compliance activities, and ensure currency of compliance documentation. On the flipside, not considering and adopting the right technologies and tools can not only introduce risk to the compliance program, but also introduce operational inefficiencies, change resistance and competitive disadvantages.
Regulated entities should consider how technologies and tools can support not only each element of CPS 230 (management of the risk profile, critical operations, BCP and supplier arrangements) but also integration of these domains to provide holistic oversight and management. It is unsurprising that at a recent CPS 230 Summit in Melbourne, the audience was keen to discuss the question of how regulated entities are managing the complexity of consolidating and integrating the many datasets that CPS 230 requires.
As of today, there is no single technology solution in the market that can cover all aspects of CPS 230. To meet the range of obligations introduced in the CPS 230 Prudential Standard, entities need to consider a combination of Governance, Risk, and Compliance (GRC), process management, IT asset management, BCP and supplier management software, together with integration and reporting across them all.
Entities need not necessarily acquire or develop all of these technologies, but they do need to consider how the presence or absence of such tooling would support or present obstacles to their organisation. By adopting the right mix of tools and technologies that align with their specific situation, needs and requirements, entities enhance the effectiveness and efficiency of their compliance activities.
Data and Documentation
The CPS 230 Prudential Standard includes obligations for regulated entities to have appropriate information systems to monitor operational risks. Regulated entities need to have data and documentation to support identification of processes and resources for critical operations, their dependencies, and for scenario analysis. The Board needs to have oversight of the entity’s operational risk management, which means they need to be able to easily draw insights from the collective set of data that relates to CPS 230.
This means regulated entities need to put in place robust data and document management across all elements of CPS 230. Data and documents relating to CPS 230 need to be accurate, complete, consistent, accessible and auditable. To do this, regulated entities should, at the very least, consider how data that is relevant to CPS 230 is structured, the formats it is stored in, where it is stored, and how data is managed from creation to deletion (Reg-360, 2023; Builtin, n.d.).
External Partnerships
Regulated entities should realise that they need not undertake their CPS 230 journeys alone. They should consider how they might engage with the regulator, other regulated entities, their existing suppliers, and external experts to help meet their CPS 230 compliance obligations.
These collaborators have the potential to bring expertise and guidance to accelerate or operationalise compliance effectively and efficiently, especially for such a complex and cross-functional set of compliance requirements. They can offer insights into best practices and emerging risks, and unlock the potential of compliance activities.
Those driving their organisation’s CPS 230 compliance program should ask: does the organisation have the necessary skills, knowledge and resources to execute and operationalise CPS 230 compliance? Would a partner with specific expertise or capabilities complement our own capabilities? How would doing things internally or engaging a partner affect the cost and time it would take to deliver the desired outcomes?
Conclusion
The best practice framework for CPS 230 compliance offers a strategic approach that goes beyond mere adherence to regulatory requirements. By focusing on key drivers, activities, and supports, regulated entities can tailor their compliance efforts to their unique strengths and weaknesses. This targeted approach not only enhances the assurance of compliance but also reduces costs and accelerates the compliance program.
The framework prompts organisations to prioritise business levers that align with their strategic goals, ensuring that compliance efforts contribute to broader operational improvements and risk mitigation. By leveraging the insights and observations from industry stakeholders, the framework provides a structured guide that supports CPS 230 compliance in a practical and effective manner.
Ultimately, the best practice framework helps regulated entities to transform compliance from a checkbox exercise into a value-adding process that strengthens their overall operational resilience and strategic positioning.
About Holocentric
Holocentric is a software provider that partners with highly regulated Australian companies and government agencies to deliver better customer, compliance and financial outcomes. Its business process management software, Holocentric Connect, helps organisations capture, communicate, and facilitate collaboration on process, system, people, risk and compliance information with ease. It helps organisations integrate and draw insights from across multiple datasets and data sources in the organisation. With CPS 230 obligations spanning multiple functions and requiring management of multiple datasets across any regulated entity, Holocentric is your ideal technology partner for CPS 230 compliance.
References
- Australian Prudential Regulation Authority (APRA). (2024). Prudential Practice Guide CPG 230: Operational Risk Management.
- Builtin. (n.d.). Data Management: A Comprehensive Guide.
- Deloitte. (n.d.). Developing an Effective Governance Operating Model: A Guide for Financial Services Boards and Management Teams.
- Everfi. (n.d.). Leader-Driven Compliance Culture.
- Reg-360. (2023). Regulators Collecting More Granular Data: Key Considerations for Regulated Entities.
- Regulatory Affairs Professionals Society (RAPS). (2022). The Leadership Role in Regulatory Affairs.