Next week, next month, as soon as we’ve finalised this policy, when we have this process in place, once we have filled these positions… then, that’s when I’ll be comfortable that we are in a good position with respect to our risk and risk management. But of course, the time never comes. There’s always another project, a new requirement, an unexpected event in the sector.

At a macro level, geopolitical, climate, and technology- and cyber-driven risks are rapidly increasing, diversifying, and intersecting in multiple ways. More broadly, where once we could rely on somewhat predictable cycles and face only rare black swan events, we are now in a period where the risks are constantly shifting and changing – a cycle of no cycles.

The increasing complexity of both the businesses we operate and the environments in which we operate them demands a different approach. This unpredictability requires a shift in mindset from risk identification to embedded endurance.

Enter CPS 230.

Regulated firms have now had a lengthy amount of time to consider the requirements and obligations. At first glance, Prudential Standard CPS 230: Operational Risk Management might have seemed the same as other regulatory change initiatives: a new requirement and another task to add to the pile. But savvy firms are capitalising on this as an opportunity to transform their operations and leapfrog competitors by using it as a strategic and competitive advantage.

Organisational transformation through CPS 230

The intent of CPS 230 is to drive a foundational shift in how firms manage operational risk, with resilience as the end game. It introduces a demanding set of new and uplifted obligations around operational risk, maintaining critical operations through disruption and the management of service provider risk. At a basic level, CPS 230 introduces new requirements around operational risk and also rolls up several existing standards – aligning regulatory expectations across business continuity planning and outsourcing arrangements. This should be the first step towards alignment at the business level – the integration of these resilience mechanisms is essential. As James Gorman, Executive Chairman of Morgan Stanley, noted at a recent New York Fed conference, banking’s “really not that hard”.

Mapping service providers and the arrangements with them will be necessary, but considered through a transformational lens, CPS 230’s requirements should demand a reconsideration and streamlining of service providers. Is it necessary to have 50 or 60 service providers (not to mention their downstream providers) with material arrangements? Is there opportunity to eliminate certain arrangements or certain suppliers? Are complex multilayered operations with multiple service providers in multiple jurisdictions really serving the business? There are real opportunities for rationalisation and simplification, which together will result in better outcomes for customers as well as stronger risk management.

When it comes to critical operations – identifying and mapping these processes is a necessary step for compliance with the standard. Shifting mindsets away from business continuity towards maintaining specific processes that are critical for the customer may not be so straightforward. Done well and with the right leadership, the identification of these processes and their dependencies should also make investment decision making easier – when it is very clear what is critical, it becomes obvious where investments must be made. We expect this will drive investments in automation and technology to reduce the need for human resources and reduce the chance of human error.

However, the most significant opportunity from CPS 230, and what risks being missed in the rush to list service providers and create new policies, is the powerful horizontal lens it asks firms to apply to operational risk management, by deeply understanding and protecting critical operations. We often see, especially as firms grow, and particularly in the context of executive accountability requirements, that there is an increasing failure to test assumptions, to catch the feedback loops and to identify the interconnectedness across a firm. In considering CPS 230 through a transformational lens, we see an opportunity to reconfigure processes and to shift mindsets around the end-to-end of these critical operations. Implementing this standard in a holistic way will, in the longer term, mean a more agile and adaptive approach to risk and enhanced organisational performance.

Implementing CPS 230 in a holistic way also means a commitment to testing and training. In a world where risks are more unpredictable, risk events are more frequent, and expectations for firms’ responses are higher than ever, firms that build ‘fitness’ through testing, training and adapting will have an advantage when it comes to resilience. Plans rarely go to plan when an event inevitably occurs; however, well-rehearsed playbooks can make the difference that means you last the distance.

At the Board level, better understanding (and challenging) tolerances for disruption in critical operations and applying this lens to decision-making helps to sharpen focus on the essential aspects of operations. Boards can use CPS 230 to seek to identify the unseen factors driving risk appetite and tolerance, particularly the cultural aspects. Having an improved understanding of the interdependencies, along with simplified and streamlined operations, will support strategy setting and enable faster and better responses in the inevitable event of disruption.

Balancing the horizontal and the vertical

With the introduction of the Financial Accountability Regime, much recent focus has (understandably) been on the responsibilities of given executives for the totality of the activity under their purview. Of course, the introduction of this kind of regime was largely a response to the perception that there was a lack of accountability at the senior level for problems that occurred in financial institutions, and the intention of the regime was indeed for this model of ownership. But the attention on individual accountability (for what am I accountable, and more importantly, for what am I not?) has potentially shifted focus too far from the interconnectedness and interdependencies across the firm.

CPS 230 brings the horizontal squarely back into the frame. Firms that find the right balance of individual accountability from bottom to top, together with cross-organisational coherence, should expect this to deliver stronger customer outcomes, higher staff engagement and better bottom-line results.

Risk management as a strategic advantage

The velocity of risk events has increased, meaning that predicting and avoiding risk is no longer as effective as it once was. What is needed is resilience – the ability to withstand a range of unpredictable events, to operate through disruption and to recover rapidly. It’s no surprise that this is a key focus for regulators.

With a little more than a year until implementation, there is still time to take a considered and strategic approach to CPS 230. There are plenty of resources available on the technical details and the timelines for implementation. APRA itself provides detailed guidance in its CPG 230. But don’t let the technical detail overwhelm the bigger-picture opportunity to connect the dots and ensure coherence across programs of work. A perspective shift is necessary, and those who can make it will use this new standard as the basis for an enhanced approach to surfacing and aggregating emerging risks, revealing hidden risk concentrations and responding rapidly to changing conditions, as well as a source of strategic insights.

Rhizome works with firms across the financial sector to understand, prepare for, and implement regulatory change, including as it relates to CPS 230 Operational Risk Management. Rhizome also undertakes comprehensive reviews of risk management frameworks as required in CPS 220 Risk Management and to support stronger risk and resilience practices.

Please reach out to us for more information.


This communication provides general information which is current at the time of production. The information contained in this communication does not constitute advice and should not be relied on as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Rhizome Advisory Group Pty Ltd shall not be liable for any errors, omissions, defects or misrepresentations in the information or for any loss or damage suffered by persons who use or rely on such information (including for reasons of negligence, negligent misstatement or otherwise).