Your CPS 230 Self Assessment Results

About your Results

Here are the personalized results of your self-assessment for readiness regarding the new APRA standard CPS 230. This report is tailored to your responses, offering an overview of your current state of readiness for compliance.

Please be aware that these results are based on a brief self-assessment questionnaire and provide a preliminary assessment of areas that may require attention. This is not a comprehensive gap analysis of all CPS 230 requirements. If you require a detailed gap analysis of your specific readiness, please contact us.

Report structure:

The report is structured into two key sections, each crafted to provide a thorough understanding of your organization’s standing in relation to CPS 230.

  1. Visual radar chart summarising preparedness
    The longer the bars for each of the seven CPS 230 domains, the more prepared you report being.
    1.0 = minimal or no readiness
    5.0 = understanding of requirements and well in progress
  2. Recommendations on areas for uplifts
    From your results, we recommend some areas you may wish to focus on.

Readiness by Domain & Topic

Recommendations for Uplift

These are the topics that you report as being less ready for CPS 230.

Area to uplift:
Critical Operations
Why this matters:
Critical operations, if disrupted, would have a material adverse impact on depositors, policyholders, beneficiaries or other customers, or an entity’s role in the financial system. A detailed understanding of the processes and resources needed to deliver critical operations enables FSIs to manage the associated operational risks and meet the broader requirements of CPS 230.
Actions to prioritise:
  • Define, identify and maintain a register of critical operations.
  • Define the method and process for identifying and documenting the processes and resources needed to deliver critical operations.
  • In performing the above include technology, service providers, facilities, people, interdependencies, obligations, associated risks and controls, and key information / data.
Area to uplift:
Business Continuity Management
Why this matters:

To minimise the likelihood and impact of disruptions to critical operations. This includes the ability to continue to operate within tolerance levels in the event of a disruption and return to normal operations promptly.

Actions to prioritise:
  • Maintain Business Continuity Plans (including disaster recovery plans) that set out how to maintain critical operations within tolerance levels for a range of severe but plausible disruption scenarios (including disruptions to service providers).
  • Define a systematic testing program for the BCP that covers all critical operations and disruption scenarios.
  • Board approval of BCPs and tolerance levels for disruptions. Review of Board engagement and reporting regarding BCM.
Area to uplift:
Management of Service Provider Arrangements
Why this matters:

To effectively manage the risks associated with service providers relied upon to undertake critical operations or that expose an entity to material operational risk. This includes managing fourth party risks – the risks associated with providers your service providers rely on.

Actions to prioritise:
  • Have an up to date, comprehensive service provider management policy, approved by the Board.
  • Maintain a register of material service providers which must be submitted to APRA on an annual basis.
  • Uplift in service provider management frameworks, defining approaches to managing fourth party risk exposures, and review of Board and senior management reporting mechanisms.
Area to uplift:
Operational Risk Management
Why this matters:

To effectively manage operational risks and set and maintain appropriate standards for conduct and compliance. FSIs must identify, assess and manage operational risks that may result from inadequate or failed internal processes or systems, the actions or inactions of people or external drivers and events. 

Actions to prioritise:
  • Review the risk management framework (including Board & senior management roles, responsibilities & reporting) on operational risk management for completeness and coverage.
  • Assess the impact of business and strategic decisions on the operational risk profile and operational resilience.
  • Review and test the design and operating effectiveness of controls for processes delivering critical operations.
Area to uplift:
Governance including Senior Management
Why this matters:

To ensure effective governance arrangements for the oversight of operational risk. Management must provide clear and comprehensive information to the Board on the expected impacts on the entity’s critical operations and risk profile.

Actions to prioritise:
  • Ensure the risk management framework identifies governance arrangements for the oversight of operational risk.
  • Control testing must be reported to senior management and any gaps or deficiencies in the control environment must be rectified in a timely manner.
  • Management must receive reporting on material service provider arrangements including assessment of performance, the effectiveness of controls, and compliance with the provider agreement.
Area to uplift:
Boards
Why this matters:

To ensure Board responsibilities, reporting mechanisms, actions and approvals reflect their ultimate accountability for oversight of operational risk management.

Actions to prioritise:
  • Review Board reporting of operational risk management and the effectiveness of key internal controls in maintaining the entity’s operational risk profile within risk appetite.
  • Approve the BCP and tolerance levels for disruptions to critical operations, review the results of testing and oversee the execution of any findings.
  • Internal audit must review any proposed material provider arrangements and regularly report to the Board or Board Audit Committee on compliance with policy. They must provide assurance regarding the BCP and its testing.
Area to uplift:
APRA Reporting
Why this matters:

To give APRA timely information on material service provider arrangements for the FSI, and on operational risk incidents and disruptions impacting the FSI.

Actions to prioritise:
  • Notify APRA of an operational risk incident or disruption likely to have a material financial impact or impact on the ability of the entity to maintain its critical operations.
  • Notify APRA of a disruption to a critical operation outside tolerance.
  • Notify APRA after entering into (or, for offshoring, prior to entering into) or materially changing an agreement for the provision of a service on which the entity relies to undertake a critical operation.
  • Submit the register of material service providers to APRA on an annual basis.
Looking good...

Our assessment indicates that you are well progressed towards overall compliance with CPS 230 across all seven domains.

We recommend that, as part of your readiness program, you define the evidence required to report to APRA and understand how CPS 230 will change ongoing responsibilities and business operations.

The Capital Consult Difference

CPS 230 Readiness review, Gap Analysis & Report 

Toolkit of APRA-ready artefacts, processes, frameworks and templates

Proven capability, methodology and experience

Capital Consult can help - call us to discuss
