Meeting APRA CPS 230 and Adopting Operational Resilience as a Strategic Imperative

Across Australia, organizations within the Banking, Insurance and Superannuation industries are assembling cross-functional ‘tiger teams’ and initiating transformational projects to meet the requirements of APRA CPS 230, which will come into enforcement on 1 July 2025. CPS 230 is the Australian Prudential Regulatory Authority’s (APRA) regulation designed to ensure that regulated entities are resilient to operational risks and disruptions and follows many previous equivalent regulations globally.

The regulation itself sets a bar to ensure organizations are prepared to anticipate, withstand, recover from, and adapt to severe but plausible operational scenarios in order to continue to deliver its services within defined tolerance levels. It focuses particularly on the following areas:

  • To assign appropriate governance, leadership, and accountability for Operational Resilience. 
  • To identify critical operations and set impact tolerances defining the capability to anticipate, withstand, recover from, and adapt to severe but plausible operational scenarios.
  • To adopt effective technology risk management controls and processes in order to ensure that impact and risk tolerances continue to be achieved. 
  • To effectively manage the risk with third parties and other service providers where they are involved in delivering critical operations.

 

Why is an Inventory and Map Important?

Taken together with CPS 234 (which focuses on cyber security and resilience), CPS 230 has many similar equivalents across the globe:

  1. FFIEC and OCC handbooks and ‘Sound Practices for Operational Resilience (2019)
  2. United Kingdom FCA / PRA regulations on Operational Resilience (March 2022)
  3. European Union Digital Operational Resilience Act (DORA, January 2025)
  4. Singapore MAS Financial Services and Markets Act (April 2022, enforcement from 2023)
  5. ASIC market integrity rules for Australian Market participants (August 2022 but seeing renewed enforcement focus in 2024).

Each of these regulations recognise the increasing criticality of digital operations to the delivery of financial services and the ongoing stability of societies and markets based upon the importance of digital payments and services.

Over the past few years we have seen organizations recognise the importance of adopting sustainable and integrated systems and processes for the management of their technology and ICT risk in contrast to early compliance efforts which involved expensive, disruptive, and ultimately ineffective manual ‘moment in time’ assessments and reviews. As the UK regulations were initially adopted in early 2022, annual manual mapping exercises and manual risk assessments were implemented by many institutions, often leveraging external consultants.

Many issues were identified with this approach:

  1. Expense – manually (or semi automated with analysts driving scripts and spreadsheets) gathering the information required to map critical services, their dependencies and executing risk assessments is time consuming and can become extremely expensive where third parties and consultants are leveraged.
  2. Disruptive – even where external resources are leveraged, they need to work with internal subject matter experts in order to gather information and conduct reviews.
  3. Inaccurate – in complex, fast changing, and highly interconnected environments, manual reviews result in partial, inaccurate, and quickly outdated information. Even where initial assessments are correct, within six months of operational changes (particularly where CI/CD and cloud technologies are leveraged to accelerate innovation) they are outdated and useless. Where an incident occurs resulting from incorrect or outdated information, then the institution is still held responsible for process shortcomings. For this reason we are seeing organizations such as the EU mandating more frequent reviews and continuous risk assessments. The direction of travel here is towards continuous capabilities, which are impossible to achieve without automated and integrated tooling and processes.
  4. Unsustainable – While consultants might often be engaged to assist with the adoption of new processes, annual engagement in a manual and disruptive process soon becomes unsustainable. As CI/CD and cloud have transformed digital delivery of services and products, further technical innovation is required to automate and streamline risk management. Using outdated approaches to risk manage modern digital environments is not the solution.
  5. Ineffective – ultimately, the initial ‘tick box’ efforts using ‘moment in time’ assessments failed. They failed because innovation and change does not occur annually, and continuous change requires equally continuous and streamlined risk management capabilities.

Organizations that have adopted automated and continuous risk management tools and processes are now benefiting from embedding risk management as part of their operational fabric in order to deliver strategic advantage to their customers, the markets, and their partners. Continuous discovery, mapping, and risk management enables organizations to ‘move fast’ with assurance, to recognize risks as they occur, make changes with certainty, and identify and recover from incidents rapidly.

Effective ICT risk management increases resilience and allows organizations to innovate faster. Fortunately, for Australian institutions, this lesson has been established and proven by other organizations who were required to travel the path to Operational Resilience first.

 

The CPS 230 requirements for technology and ICT Risk Management

Technology Risk Management principles are globally consistent, essentially boiling down to the requirement to identify and map, test against impact tolerances, assess risk, and ensure controls continue to be effective. vArmour has proven how the Relationship Cloud service automates and streamlines these processes, and ensures they are continuously effective — even in the most dynamic environments.

Requirement #27 – Inventory and Mapping
Identify the key components and dependencies required to deliver Critical Operations.

You cannot manage risk or make effective operational decisions if you lack accurate information about the components and dependencies required to deliver your critical operations. The vArmour Relationship Cloud integrates with an organization’s existing log and telemetry feeds to establish and continuously maintain a baseline of the environment. This first step eliminates thousands of hours of manual and inaccurate effort and forms the basis of effective operational risk management 365 days of the year.

See how vArmour simplifies CPS 230 inventory and mapping requirements in this video.

 

Requirement #27c and #44 – Scenario Testing
(27c) Conduct scenario analysis (also known as Scenario Testing in other theaters) in order to identify the impact of severe risks events.
(44) The testing program must be tailored to the material risks of the APRA-regulated entity and include a range of severe but plausible scenarios.

Once you have accurate information about your Critical Operations and their constituents then you can begin to ask questions around specific risks and failure scenarios. The vArmour map makes this easy to conduct using a traditional table-top approach but also enables the encoding of rules to detect when specific impact and risk tolerances are breached (for example, where RTOs of dependent systems cease to be consistent). With Relationship Cloud, scenario analysis can begin to become continuous.

See how to achieve CPS 230 scenario testing requirements with vArmour in this video.

 

Requirement #28 – Risk Assessment
Conduct a comprehensive risk assessment before providing a material service to another party.

The basis of any effective risk assessment is accurate information which is provided by Relationship Cloud within the map. This information enables service owners to identify specific areas where risk tolerances are breached, and also to encode policies that monitor for breaches of the risk tolerance as risks and services change.

 

Requirement #30 – Continuous Controls Monitoring
Regularly monitor, review and test controls for design and operating effectiveness, the frequency of which must be commensurate with the materiality of the risks being controlled.

Once controls and procedures are applied, it is critical to ensure they continue to be effective. By establishing baseline behaviours and enabling the definition of control objectives, vArmour Relationship Cloud can notify service owners and risk managers as material changes occur. This approach facilitates an effective ‘closed loop’ within an organization’s risk management processes without overwhelming teams with false positives and noise.

See how vArmour automates CPS 230 requirements for risk assessment and continuous controls monitoring in this video.

 

Meeting CPS 230 and adopting Operational Resilience as a Strategic Differentiator

Regulated Institutions will be assessed against the requirements of CPS 230 from July 2025, and 18 months is not long to transform operational processes. At the same time, we are witnessing an increasing number of high profile operational incidents affecting the consumer and the institution’s reputation.

Something needs to change now.

Fortunately, the lessons learned from meeting other global Ops Res regulations clearly shows the way — continuous and automated controls and processes which deliver the benefits of mapping, testing, risk assessments and controls monitoring as part of the automated fabric and workflow of an institution. At vArmour we use the power of an institution’s existing telemetry and metadata, alongside powerful cloud based analytics to deliver the map they need in order to meet their obligations. By taking this approach, Operational Resilience ceases to be a regulatory box to tick and becomes a strategic differentiator for the digital financial institution of the future.

Request a demo here to see firsthand how vArmour Relationship Cloud streamlines your journey to meet APRA CPS 230 requirements.

Related

Read More
December 13, 2023
Decoding DORA ICT Risk Management Requirements: Step 3 - Executing Business Impact Analysis and Risk Assessments
READ MORE
Read More
December 6, 2023
Decoding DORA ICT Risk Management Requirements: Step 2 - Mapping your Business Functions and their Dependencies
READ MORE
Read More
November 28, 2023
Decoding DORA ICT Risk Management Requirements: Step 1 - Identifying and Classifying ICT Functions
READ MORE
close

Timothy Eades

Chief Executive Officer