Confidently achieve APRA compliance with the leading Operational Resilience solution

Data breaches. The COVID pandemic. Devastating climate events. It’s not a case of ‘if’ disruption might happen, but when. Meet APRA's CPS 230 requirements and be confident you can prepare for and respond to these events quickly and effectively.

Comply with the new Operational Resilience framework set in place by the Australian Prudential Regulation Authority (APRA) in time for the 1 July 2025 deadline.

Identify and map your critical operations and the critical processes and resources that support them.

Conduct robust scenario testing to assess your ability to stay within impact tolerances and ensure you are prepared against the maximum level of disruption.

Report on your readiness and results to APRA, auditors, the Board and senior management.

Comply with APRA's CPS 230 Operational Risk Management Standard

Ensure your firm is prepared for any future scenario. Book a demo of Ansarada GRC today.
Book a demoDownload the brochure
Why is Operational Resilience so crucial now?

Why is Operational Resilience so crucial for Australian Financial Services firms now?

Most companies simply aren’t prepared for disruption. Data from BCG shows that only 10% are resilient and thriving. That’s why the Australian Prudential Regulation Authority (APRA) has finalised a new prudential standard for insurers, banks and superannuation firms - CPS 230 Operational Risk Management - to ensure they better manage operational risks and business disruptions.  

The new CPS 230 Operational Risk Management Standard (CPS 230) sets out key requirements for managing operational risk, including updated requirements for business continuity and service provider management. Regulated firms must comply with the new standard by July 2025.

APRA CPS 230 requirements

APRA's CPS 230 requirements

The CPS 230 standard is made up of three strategic pillars.


  • Improve operational risk practices through enhanced focus of Boards and senior management
  • Minimise the impact of disruptions to customers and the financial system

Key features:

  • Entities must manage operational risks with effective internal controls, monitoring and remediation
  • Entities must be able to respond to disruptions and maintain continuity of critical operations
  • Entities must understand and manage risks from the use of service providers
  • Entities must now report on certain events and relationships with service providers

Source: APRA

Ansarada GRC for Operational Resilience

Address all three of APRA's CPS 230 pillars while building an operationally resilient firm.

Critical Operations Register

Identify and manage critical operations and processes

Stage 1 is identifying your critical operations and mapping out the processes and resources that support them. For each important service, break down critical processes into the resources that support them, mapping each process flow to understand its conditions and resource dependencies.

Use Ansarada GRC to:

  • Create a centralised and accessible register of critical services
  • Assign these to stakeholders and rate their priority & criticality
  • Link services to other records throughout the GRC system, enabling links to third parties, time-based metrics, risks, events and scenarios
  • Ensure the resources that enable critical services and processes can adapt in the event of disruption
Be confident you are within acceptable impact tolerances

Be confident you are within acceptable impact tolerances

Set clear impact tolerances for the maximum level of disruption you are willing to accept. Critical operations must be maintained within tolerance levels - before they cross into ‘intolerable harm’ - and calibrated with regular scenario testing.

Use Ansarada GRC to:

  • Establish tolerance levels across processes and resources
  • Define what is an ‘inconvenience’ vs. ‘intolerable harm’
  • Put in controls and mitigants to ensure you can withstand the shocks you are testing for
  • Maintain critical operations within tolerance levels
  • Ensure that all relevant people are fully aware if the firm is operating within acceptable impact tolerances
  • Be able to confidently demonstrate this to APRA
Scenario library

Conduct robust scenario testing

APRA requires robust scenario testing, using severe but plausible scenarios to assess your ability to remain within your defined impact tolerances. Find drivers, triggers and other factors to inspire useful scenarios in our AI-powered Scenario Library, which includes any mandatory testing required or suggested by APRA.

Coming soon to Ansarada GRC:

  • Access a library of suggested scenarios
  • Guided scenario tests are set up for you to execute at the click of a button
  • View the results of your tests and how they stack up against your impact tolerances
  • Measure your tolerance across a specific duration and see how long recovery would take to ensure that you are not crossing into ‘intolerable harm’ levels
  • Maintain a detailed audit trail of all your scenario tests in the centralised platform
Business Continuity Planning (BCP)

Be prepared with Business Continuity Planning (BCP) in place

APRA-regulated firms must have BCPs in place that outline how the firm identifies, manages, and responds to disruptions within tolerance levels. These BCPs must be regularly tested with severe but plausible scenarios.
BCPs must include Disaster Recovery (DR) planning for critical information assets, ready to be activated during a disruption before returning to normal operations.

Use Ansarada GRC to:

  • Map critical processes and contingencies to allow for integrated BCP testing
  • Identify resources (people, information, assets, third-party suppliers) for BCP testing and oversight
  • Provide the Board an inside-out (business critical process) to plausible scenario analysis view of BCP operations and capabilities
  • Operational resilience task management provides required systematic testing program, tailored to material risks
  • Establish governance via assigned roles and responsibilities
Service Provider Management

Manage risk associated with third-party service providers

Under CPS 230, firms must maintain a register of material service providers and manage risks associated with them. Regularly monitor material arrangements, assess performance, evaluate risk controls, and ensure compliance with the service provider agreement.
Use Ansarada GRC to:

  • Track and identify all third-party resources (assets, facilities) that enable your critical operations
  • Maintain a register of your material service providers and manage all contracts with third parties in the centralised platform
  • Conduct attestations and due diligence on service providers
  • Maintain visibility and manage financial and non-financial risks by linking your service provider contracts to your risk and compliance records
  • Test resources managed by service providers through integrated scenario testing

Ansarada GRC for Operational Resilience

There's only so far spreadsheets can take you when it comes to meeting your firm's Operational Resilience requirements. Manage current and future risk with purpose-built software.

Critical Operations & Processes

Clear and easily accessible list of your critical operations and processes

Automated reviews

Automatic creation, allocation and notification of scheduled reviews

Respond quickly to changes

Adhoc reviews resulting from a material change to your business

Map to 3rd parties

Mapping to 3rd parties to show relationship considerations

Easy-to-use dashboards

BI Dashboards for high level analysis

Scenario testing

Scenario testing, recording findings and resolutions

Drive Operational Resilience within your firm

Connect data points across your entire organization to eliminate risk silos and improve organization-wide resilience with Ansarada GRC.
Book a demoDownload the brochure