Confidently achieve APRA compliance with the leading Operational Resilience solution

Data breaches. The COVID pandemic. Devastating climate events. It’s not a case of ‘if’ disruption might happen, but when. Meet APRA's CPS 230 requirements and be confident you can prepare for and respond to these events quickly and effectively.

Comply with the new Operational Resilience framework set in place by the Australian Prudential Regulation Authority (APRA) in time for the 1 July 2025 deadline.

Identify and map your critical operations and the critical processes and resources that support them.

Conduct robust scenario testing to assess your ability to stay within impact tolerances and ensure you are prepared against the maximum level of disruption.

Report on your readiness and results to APRA, auditors, the Board and senior management.

Comply with APRA's CPS 230 Operational Risk Management Standard

Ensure your firm is prepared for any future scenario. Book a demo of Ansarada GRC today.

Why is Operational Resilience so crucial for Australian Financial Services firms now?

Most companies simply aren’t prepared for disruption. Data from BCG shows that only 10% are resilient and thriving. That’s why the Australian Prudential Regulation Authority (APRA) has finalised a new prudential standard for insurers, banks and superannuation firms - CPS 230 Operational Risk Management - to ensure they better manage operational risks and business disruptions.  

The new CPS 230 Operational Risk Management Standard (CPS 230) sets out key requirements for managing operational risk, including updated requirements for business continuity and service provider management. Regulated firms must comply with the new standard by July 2025.

APRA's CPS 230 requirements

The CPS 230 standard is made up of three strategic pillars.

Objectives:

  • Improve operational risk practices through enhanced focus of Boards and senior management
  • Minimise the impact of disruptions to customers and the financial system

Key features:

  • Entities must manage operational risks with effective internal controls, monitoring and remediation
  • Entities must be able to respond to disruptions and maintain continuity of critical operations
  • Entities must understand and manage risks from the use of service providers
  • Entities must now report on certain events and relationships with service providers

Source: APRA

Ansarada GRC for Operational Resilience

Address all three of APRA's CPS 230 pillars while building an operationally resilient firm.

Critical Operations Register

Identify and manage critical operations and processes

Stage 1 is identifying your critical operations and mapping out the processes and resources that support them. For each important service, break down critical processes into the resources that support them, mapping each process flow to understand its conditions and resource dependencies.

Use Ansarada GRC to:

  • Create a centralised and accessible register of critical services
  • Assign these to stakeholders and rate their priority & criticality
  • Link services to other records throughout the GRC system, enabling links to third parties, time-based metrics, risks, events and scenarios
  • Ensure the resources that enable critical services and processes can adapt in the event of disruption

Be confident you are within acceptable impact tolerances

Set clear impact tolerances for the maximum level of disruption you are willing to accept. Critical operations must be maintained within tolerance levels - before they cross into ‘intolerable harm’ - and calibrated with regular scenario testing.

Use Ansarada GRC to:

  • Establish tolerance levels across processes and resources
  • Define what is an ‘inconvenience’ vs. ‘intolerable harm’
  • Put in controls and mitigants to ensure you can withstand the shocks you are testing for
  • Maintain critical operations within tolerance levels
  • Ensure that all relevant people are fully aware if the firm is operating within acceptable impact tolerances
  • Be able to confidently demonstrate this to APRA

Scenario library

Conduct robust scenario testing

APRA requires robust scenario testing, using severe but plausible scenarios to assess your ability to remain within your defined impact tolerances. Find drivers, triggers and other factors to inspire useful scenarios in our AI-powered Scenario Library, which includes any mandatory testing required or suggested by APRA.

Coming soon to Ansarada GRC:

  • Access a library of suggested scenarios
  • Guided scenario tests are set up for you to execute at the click of a button
  • View the results of your tests and how they stack up against your impact tolerances
  • Measure your tolerance across a specific duration and see how long recovery would take to ensure that you are not crossing into ‘intolerable harm’ levels
  • Maintain a detailed audit trail of all your scenario tests in the centralised platform

Business Continuity Planning (BCP)

Be prepared with Business Continuity Planning (BCP) in place

APRA-regulated firms must have BCPs in place that outline how the firm identifies, manages, and responds to disruptions within tolerance levels. These BCPs must be regularly tested with severe but plausible scenarios.
 
BCPs must include Disaster Recovery (DR) planning for critical information assets, ready to be activated during a disruption before returning to normal operations.

Use Ansarada GRC to:

  • Map critical processes and contingencies to allow for integrated BCP testing
  • Identify resources (people, information, assets, third-party suppliers) for BCP testing and oversight
  • Provide the Board with an inside-out view of BCP operations and capabilities, from business-critical processes to plausible scenario analysis
  • Use operational resilience task management to provide the required systematic testing program, tailored to material risks
  • Establish governance via assigned roles and responsibilities
     
Service Provider Management

Manage risk associated with third-party service providers

Under CPS 230, firms must maintain a register of material service providers and manage risks associated with them. Regularly monitor material arrangements, assess performance, evaluate risk controls, and ensure compliance with the service provider agreement.
  
Use Ansarada GRC to:

  • Track and identify all third-party resources (assets, facilities) that enable your critical operations
  • Maintain a register of your material service providers and manage all contracts with third parties in the centralised platform
  • Conduct attestations and due diligence on service providers
  • Maintain visibility and manage financial and non-financial risks by linking your service provider contracts to your risk and compliance records
  • Test resources managed by service providers through integrated scenario testing
     

Ansarada GRC for Operational Resilience

There's only so far spreadsheets can take you when it comes to meeting your firm's Operational Resilience requirements. Manage current and future risk with purpose-built software.

Critical Operations & Processes

Clear and easily accessible list of your critical operations and processes

Automated reviews

Automatic creation, allocation and notification of scheduled reviews

Respond quickly to changes

Ad hoc reviews resulting from a material change to your business

Map to 3rd parties

Mapping to 3rd parties to show relationship considerations

Easy-to-use dashboards

BI Dashboards for high level analysis

Scenario testing

Scenario testing, recording findings and resolutions

Drive Operational Resilience within your firm

Connect data points across your entire organization to eliminate risk silos and improve organization-wide resilience with Ansarada GRC.