The Board can’t outsource CPS 230 accountability… and APRA knows it
- Andrew Lingley

- Aug 21
Updated: Sep 17

Once upon a time, operational resilience lived somewhere deep in the building. Usually near compliance. Sometimes in IT. Always far from the boardroom table.
That era is over.
APRA’s new standard drags resilience out of the server room and drops it squarely in front of directors. Not as a polite suggestion, but as a legal responsibility. And when the lights go out - literally or figuratively - the regulator won’t be asking your CIO for answers. They’ll be asking you.
The new rulebook now in force
CPS 230 is live. APRA expects boards to approve operational risk frameworks, set tolerance levels for critical operations, and ensure those tolerances are tested through severe but plausible scenarios.
In APRA’s own words, boards must ‘oversee the operational risk management of the entity’ and be satisfied that ‘operational resilience is maintained in the face of disruptions’. That’s regulator-speak for: you are personally accountable.
This isn’t a backroom policy refresh. It’s a governance shift with teeth. Non-compliance can lead to enforceable undertakings, licence conditions, or in extreme cases, loss of the licence itself.
The governance gap APRA is looking for
Traditionally, operational resilience was a split responsibility. Compliance interpreted the rules. IT protected the systems. Risk teams produced the reports.
Boards got an annual presentation, maybe a quarterly update, and were expected to nod sagely. That approach is now a compliance liability.
APRA has made its position clear. As summarised by Grant Thornton,
“One of APRA’s key objectives is to focus the Board on the importance of operational resilience through requiring the setting of tolerance levels for disruptions to critical operations.”
In other words, directors must be able to explain - in plain language - how the organisation protects its most critical operations, and how quickly they can be recovered. Anything less risks being seen as a governance failure.
Why outsourcing accountability fails
Yes, you can hire consultants. You can outsource your scenario testing. You can pay for thick reports with glossy graphics.
But APRA isn’t interested in who did the work. They want to know who approved it. And that’s you.
The real risk isn’t in outsourcing the tasks - it’s in outsourcing the thinking. PwC notes that while many APRA-regulated boards have increased their focus on operational resilience, much of this engagement has so far centred on education and high-level updates — with many organisations still working to translate tolerance-level discussions into robust, governance-ready reporting.
When a disruption hits — whether cyberattack, supplier collapse, or cloud outage — it’s not the existence of reports that matters, but whether the board can use them to make fast, informed decisions. That requires directors who understand the details, challenge assumptions, and take ownership of the resilience framework, not just sign off on it.
The upside of owning it
Handled well, CPS 230 compliance is more than a defensive shield; it’s a market signal. Investors are paying closer attention to risk and resilience disclosures.
McKinsey’s analysis of nearly 500 operational-risk events shows that failures in resilience aren’t just costly; they’re punished by the market.
In the months following an operational disruption, companies suffer not only direct losses but also a loss of investor confidence: total shareholder returns dropped 2.7% on average over 120 days — nearly four times the initial loss magnitude.
Handled badly, it’s a front-page story. Think of the high-profile service outages in the banking and superannuation sectors over the past five years. The media coverage wasn’t about the CIO. It was about the brand, the customers stranded, and the regulators asking “Where was the board?”
What the best boards are doing
The leaders aren’t waiting for the deadline. They’re:
- Folding resilience into regular board agendas.
- Asking for independent assurance alongside management reports.
- Demanding to see mapping of truly critical operations — not just “big systems.”
- Reviewing scenario test results and questioning unrealistic recovery assumptions.
APRA’s Deputy Chair, Helen Rowell, underscored this shift in a speech to the Governance and Risk Management Forum, emphasising that post-HIH and pandemic, boards have to “run their institutions prudently… it is not a one-off, set-and-forget exercise but rather requires ongoing attention and enhancement.”
From compliance to confidence
Ultimately, the buck stops at the board table. You can outsource the work, but not the accountability.
CPS 230 has made operational resilience a live legal obligation, and a platform for foresight.
Boards that treat it as readiness, not recovery, are better placed to see risks before they crystallise, anticipate regulatory expectations before they’re enforced, and lead with the kind of confidence that comes from being prepared for what’s next, not just for what’s already happened.
That’s where Drova comes in. Our CPS 230 Operational Resilience solution turns technical sprawl into governance clarity:
- Live dashboards that show your current resilience posture.
- Evidence packs aligned with APRA’s CPS 230 expectations.
- Scenario test outputs in plain English, so directors can question and approve with conviction.
For directors, that means fewer blind spots, faster oversight, and decisions backed by hard evidence - not just management assurances.
Because CPS 230 isn’t just about passing a compliance test. It’s about protecting your licence, your reputation, and your ability to lead with confidence before, during, and after disruption.
You can see exactly how it works — and exactly what APRA will see — with a free trial.