By Tobi Groos and Andre Kreicers
February 16 2026
APRA CPS 230 Implementation Is Complete. Are You Actually Compliant?



It has been over six months since #CPS230 came into effect. Throughout 2024 and most of 2025, the industry was in sprint mode:
Defining critical operations
Mapping end-to-end processes
Identifying material service providers
Updating contracts
Refreshing risk frameworks
Establishing impact tolerances
Preparing Boards
Now the urgency has faded.
And a more confronting question is emerging:
Can you prove you are compliant?
We’ve entered “Day 2” — the shift from building the plane to flying it. And across the industry, we’re already seeing warning lights.
At Capital Consult, we’re working with FSIs to assess readiness for APRA’s first tranche of compliance reviews. Patterns are emerging: frameworks exist, but many are not fully embedded. In several cases, there are material weaknesses resulting in non-compliance.
Here are five “Day 2” challenges we’re seeing right now.
1. The “Recovery vs. Tolerance” Identity Crisis
One of the most persistent misunderstandings is the conflation of Recovery Time Objectives (RTOs) with Impact Tolerances.
They are not the same.
Impact Tolerance = The maximum level of disruption your entity can withstand before causing intolerable harm to customers, the organisation, or the financial system.
Recovery = The mechanism used to avoid breaching that tolerance.
If your tolerance is set at the same duration as your RTO, you’ve likely misunderstood the CPS 230 intent.
The risk: Testing becomes IT-centric and recovery-focused, rather than end-to-end resilience testing. Many organisations are struggling to demonstrate their ability to operate within tolerance — not just recover systems.
Component testing (e.g. DR alone) is no longer sufficient.
2. The 4th Party Blind Spot
Third-party risk management is generally established (though assessing third-party control effectiveness remains a challenge).
Fourth-party risk? That’s the black box.
Clients consistently tell us:
They lack a structured approach to identifying and managing 4th party risk
Industry and regulatory guidance remains limited
Concentration risk is poorly understood
If several material service providers rely on the same 4th party, you don’t have several risks — you have one aggregated point of failure.
APRA’s focus is shifting toward how well entities understand and manage this concentration risk. Across the industry, maturity remains low.
3. Business Continuity Is Bigger Than IT
For years, resilience was treated as an IT issue.
CPS 230 has fundamentally shifted that paradigm.
Resilience now demands an end-to-end understanding of the resources required to deliver critical operations:
People
Technology
Information
Facilities
Service providers
If your primary system fails, “IT is working on it” is not a sufficient response.
The real question is:
How does the business continue operating within tolerance?
Many organisations are discovering that their manual workarounds are theoretically possible — but practically unworkable at scale. Minimum service levels during disruption are often not clearly defined, tested, or evidenced. This is an APRA expectation.
4. The Line 1 Culture Test
CPS 230 is not a compliance project. It’s an operating model shift.
That requires change ownership — and this is where we see divergence.
Mature organisations: Line 1 embraces accountability. Business owners work collaboratively with Line 2 to embed risk ownership into day-to-day operations.
Struggling organisations: Line 1 attempts to push responsibility back to Line 2. CPS 230 is treated as a regulatory overlay rather than a fundamental change in how risk is managed.
Risk responsibilities must be documented — and demonstrated in practice.
APRA is looking for clearly defined operating models.
5. The Boardroom Question: Are the Green Lights Real?
Boards are often presented with dashboards full of green indicators.
But are they green because controls are effective — or because scrutiny hasn’t been deep enough?
Directors should be asking:
How has this been independently validated?
Are we seeing near misses that signal tolerance pressure?
Are remediation plans funded, resourced, and time-bound?
How has Board behaviour changed since CPS 230 implementation?
Reporting “green” without robust assurance is no longer defensible.
APRA will look closely at how Board oversight and challenge have evolved under CPS 230.
Is Your CPS 230 Readiness Ready for APRA’s Scrutiny?
The transition from implementation to operational maturity is where many organisations are now exposed.
Common gaps include:
Weak 4th party visibility
Immature tolerance testing
IT-centric resilience thinking
Cultural resistance in Line 1
Over-optimistic Board reporting
Capital Consult is supporting FSIs through independent “Day 2” CPS 230 APRA readiness reviews. We assess evidence and maturity against regulatory expectations and industry practice.
Because implementation was the starting line.
Day 2 is where compliance is proven.
About the authors: Tobi Groos and Andre Kreicers are from Capital Consult, a specialist provider of advice, consulting, and services to the Financial Services industry since 2008. Capital Consult assists organisations in interpreting and achieving compliance with APRA prudential standards, guidelines, and supervisory directions. They have extensive experience in helping FSI clients manage their APRA and regulatory obligations, especially in the context of operational and technology risk and resilience.
Is APRA keeping you up at night?
We get it! You’re not the only one.
The forever evolving nuances of regulation and compliance can seem complex when looking from the outside in. As specialists dealing with these nuances every day, we can spot the gaps quickly and advise you on what’s important, what’s urgent and what will have you rest at ease.
If you’d like to chat about where you’re at, get in touch - we’re here to help.
