What Critical Operations Owners and Boards Need to Know About Operational Risk
2 June 2026



(Hint: It’s not another RAG dashboard.)
Here is a common scene.
It is the monthly Board Risk Committee meeting. The CRO presents the operational risk dashboard: a reassuring sea of green, with the occasional amber.
The Board nods. The meeting moves on.
But as the industry settles into the operational reality of APRA’s CPS 230 standard, and as APRA is conducting deep-dives on CPS 230 adherence, many Directors are recognising a difficult truth:
Green lights do not equal operational resilience.
In many cases, they conceal underlying vulnerabilities.
At Capital Consult, we are working closely with FSI clients, in particular Critical Operations owners, to operationalise CPS 230 and prepare for APRA reviews — translating regulatory obligations into practical reporting, information and decision-making insights.
And when we speak with Executives and Directors alike, the feedback is remarkably consistent:
The issue is not a lack of data or reports. It is a lack of meaningful insights.
Under CPS 230, Boards must receive insights on material operational and technology risks related to critical operations. These should be aligned to risk appetite and include control effectiveness and overall risk exposure, across both internal operations and services provided by material service providers.
Boards can only exercise meaningful oversight if the information placed before them is truly reflective of operational reality. We are finding an absence of reporting from Critical Operations owners that provides a substantiated view of operational resilience, showing where controls are performing and where they are weak.
Many organisations are unintentionally limiting effective Board oversight through three common reporting failures:
The Legacy KPI Trap
Attempting to retrofit pre-CPS 230 metrics into a fundamentally different risk view of resilience, service providers and critical operations.
Traditional KPIs measured steady-state operational performance — system uptime, processing times, SLA adherence. Boards now need visibility into the resilience of critical operations against defined impact tolerances.
When disruption occurs, the key question is no longer: “Did the system stay available?”
It is: “How close did we come to causing intolerable harm?”
Legacy KPIs rarely answer that question.
Functional Reporting vs Critical Operations
Traditional reporting structures are heavily siloed by division.
Boards receive separate updates from Technology, Operations, HR, Procurement and Risk — each presenting their own view of performance.
But critical operations do not operate in silos.
A critical operation — whether processing insurance claims, settling payments or onboarding customers — spans multiple functions, systems, data, processes and service providers.
CPS 230 requires organisations to report horizontally across the entire operational chain. This is the responsibility of the Critical Operations owner.
Because ultimately, system availability does not matter if the broader end-to-end process fails under stress.
Stop Reporting Gaps. Start Reporting Actions.
Control testing will always uncover weaknesses. That is expected.
The real issue is how those weaknesses are communicated and managed.
Too often we see Executives and Boards receive long lists of “Amber” findings accompanied by vague commentary that management is “investigating.”
That is not decision-useful reporting.
Directors need clarity on:
What remediation activity is underway
Who is accountable
Whether funding has been approved
Target completion dates and progress against plan
Evidence of completion
An unfunded remediation plan is not a remediation plan. It is simply accepted risk.
Closing the Disconnect
CPS 230 is not a reporting uplift.
It is an operational and governance reset.
If Critical Operations owners continue relying on legacy KPIs, siloed functional reporting and superficial control status updates, they risk flying blind into the next operational incident.
The conversation now needs to shift from:
“Did we experience an incident?” to: “Are our critical operations genuinely resilient?”
About the author: Tobi Groos is from Capital Consult, a specialist provider of advice, consulting, and services to the Financial Services industry since 2008. Capital Consult assists organizations in interpreting and achieving compliance with APRA prudential standards, guidelines, and supervisory directions. They have extensive experience in helping FSI clients manage their APRA and regulatory obligations, especially in the context of operational and technology risk and resilience.
Is APRA keeping you up at night?
We get it! You’re not the only one.
The forever evolving nuances of regulation and compliance can seem complex when looking from the outside in. As specialists dealing with these nuances every day, we can spot the gaps quickly and advise you on what’s important, what’s urgent and what will have you rest at ease.
If you’d like to chat about where you’re at, get in touch - we’re here to help.