'We’ve got it covered': The four most expensive words in CPS 230 compliance
Assurances don’t count in CPS 230—only proof. Here’s why “we’ve got it covered” is now a multimillion-dollar liability.

The confidence trap
“We’ve got it covered” hides the fast-changing nature of operational resilience. CPS 230 expects live mappings, fresh tolerances, and board oversight—not assumptions based on last quarter’s state.
Why APRA isn’t buying it
APRA has seen the gap between polished policies and brittle evidence. CPS 230 demands up-to-date mappings of critical operations, dependency lists, tolerance settings, and scenario tests that stand up to a severe-but-plausible review.
Where CPS 230 cracks emerge
Failures begin in “secondary” dependencies—shared databases, dormant vendor contracts, outdated tolerance settings. CPS 230 forces teams to map full critical operations so nothing hides off to the side.
The deadlines are already here
As of 1 July 2025, CPS 230 evidence must be complete. MSP registers land 1 October 2025, giving APRA an immediate starting point for deeper reviews. Gaps today are compliance failures, not prep issues.
What “we’ve got it covered” costs
Once APRA finds cracks, the bill spans remediation work, board scrutiny, reputational damage, and regulatory distrust—far beyond fines.
From words to proof
- Continuous mapping: keep critical operations, dependencies, and resources current.
- Scenario testing: run severe-but-plausible exercises, not showcase drills.
- Evidence management: link every test, tolerance, and governance decision to instantly retrievable proof.
Drova’s CPS 230 solution centralises mapping, scenario testing, and evidence so CROs can show the regulator proof before they finish asking.
Drova centralises critical operations, tolerances, tests, and evidence so you can hand APRA proof on demand.