Lessons Learned from the CPS 230 Front Line

With the CPS 230 compliance deadline just 8 months away, it appears that most FSIs are in a strong position regarding their readiness. Through working with FSIs across the industry and participating in various working groups, we have gained a number of insights and lessons learned:

Critical Operations – Are they really critical?

The method for determining criticality needs to show the distinct customer outcomes and reflect a disruption’s direct and indirect customer impacts, and the impact on the stability of the Australian financial system. Customer impact statements are recommended here, as is clear differentiation between critical operations (e.g. claims) versus support functions (e.g. systems and infrastructure).

  • Our Case Study: After we completed customer impact statements and defined the difference between critical operations and support functions, an FSI reduced their critical operations list from 11 to 7.


Tolerance Level Statements – Are they useable?

Establishing clear tolerance level statements with measurable tolerance levels is key. These should define reportable criteria that enable critical operation owners to understand and fulfill their responsibilities. Start with specifying the maximum allowable duration of a disruption, the acceptable extent of data loss, and the minimum service levels to be maintained.

  • Our Case Study: A critical operations owner could not determine if tolerance had been breached as part of a CPS 230 pilot involving claims. We facilitated the tightening of the tolerance level statement language, metrics and reported information.


Disruption Scenarios – How many should there be?

FSIs need to reflect on the impact of a range of disruption scenarios on their critical operations, ensuring existing business continuity plans are uplifted to address these. FSIs must be able to respond to a range of severe but plausible scenarios. Start with the BIG 5 then discuss any additional business and customer impacts that are applicable and realistic for the organisation. Ensure the final number is manageable.

  • Our Case Study: An FSI reduced their list of disruption scenarios considerably when we applied a lens of “applicable and realistic” for their business.

End to End Testing – Does it result in a view on operational risk?

FSIs need to document the processes and resources needed, set tolerance levels, perform risk assessments (including service provider and fourth-party risks) and verify business continuity plans, all underpinned by data and management tools. Define an end-to-end test approach (starting with one pilot critical operation) that joins all these aspects and enables critical operation owners to demonstrate compliance as part of their internal governance and reporting requirements.

  • Our Case Study: A pilot of an end-to-end test was conducted at an FSI to obtain a view on compliance readiness focussing on one critical operation. This enabled the critical operation owner to report on operational risk and areas of weakness towards compliance.

Evidence of Compliance – How will you prove you are compliant?

CPS 230 requires APRA-regulated entities to develop new and/or uplift existing frameworks and methods. FSIs should have defined the assurance required (including audit), and the associated artefacts and evidence needed to demonstrate compliance, both for internal governance and APRA review purposes.

  • Our Case Study: We have developed a CPS 230 assurance plan for several FSIs with 27 compliance artefacts identified. This was used to inform the critical path for the project plan and Board engagement obligations, and provided greater confidence in the ability to meet the July 2025 compliance date.


About the authors: Andre Kreicers and Tobi Groos are from Capital Consult, a specialist provider of advice, consulting, and services to the Financial Services industry since 2008. Capital Consult assists organizations in interpreting and achieving compliance with APRA prudential standards, guidelines, and supervisory directions. They have extensive experience in helping FSI clients manage their APRA and regulatory obligations for CPS 230 readiness.

This article was originally published on the Capital Consult CPS 230 blog.
