‘We’ve got it covered’: The four most expensive words in CPS 230 compliance
- Andrew Lingley

- Aug 21

‘We’ve got it covered.’ It’s easy to say. Harder to stand behind.
Now that CPS 230 is in force, “we’ve got it covered” can mask dangerous realities - undocumented processes, stale test results, and dependencies no one has checked in years. When APRA asks for proof, those gaps don’t just become findings. They become public, expensive, and career-defining.
The confidence trap
For CROs and risk teams, the comfort of ‘it’s handled’ hides blind spots that only surface under review.
Operational resilience isn’t static; what was true six months ago can be irrelevant today. Business processes shift. Systems change. New dependencies emerge.
Historically, much of the resilience focus sat in business continuity and disaster recovery.
CPS 230 has changed that. It isn’t a set-and-forget standard. It’s continuous, evidence-backed readiness. Yesterday’s proof doesn’t guarantee tomorrow’s compliance.
APRA’s CPS 230 Operational Risk Management is explicit. Boards must approve operational risk frameworks, set tolerance levels for critical operations, and test those tolerances through severe but plausible scenarios. CROs and their teams carry the operational weight of making that happen - and the accountability when the proof falls short.
Why APRA isn’t buying it
The regulator has seen it all: glossy policies, static frameworks, and ‘evidence’ that crumbles on inspection. APRA has seen too many examples of organisations claiming readiness without the proof to match. In operational resilience, assurances don’t count - only proof does.
That proof isn’t a policy statement buried in a governance file. It’s an up-to-date mapping of critical operations, complete with every dependency and resource. It’s tolerance settings that have been tested in realistic, high-stress scenarios. And it’s governance documentation that shows the board has been actively engaged in oversight.
As PwC notes, CPS 230 testing must be systematic, cover all critical operations, and use severe but plausible disruptions - including failures of material service providers. It’s not about doing a single ‘showcase’ test to tick a box. CPS 230 demands a repeatable, auditable process that works in both a regulator’s review and a real-world crisis.
The cracks APRA is already finding
The reality: Large, visible operations often aren’t where the failures start.
Major systems tend to be well documented. Key vendors are typically monitored. The trouble emerges in what look like ‘secondary’ processes: the overlooked dependencies that keep the big systems running.
It could be the unassuming shared database that feeds a critical payment process. The vendor contract that never made it into the official MSP register. The tolerance for customer service downtime that was set five years ago and never revalidated.
When APRA reviews, they look for these weak points. And they often find them - not because teams aren’t working hard, but because the resilience picture was incomplete. That’s why CPS 230 requires the entire critical operation to be mapped, not just its most visible parts.
The deadlines are already here
CPS 230 is no longer a distant compliance date. It’s live. As of 1 July 2025, APRA expects every regulated entity to be able to prove they meet the standard — not just on paper, but in practice.
That means your mappings, tolerances, scenario tests, and governance reporting should already be complete, current, and ready to present. Any gaps now aren’t ‘preparation issues’, they’re compliance risks.
And the pressure is building. The first Material Service Provider (MSP) register is due 1 October 2025. APRA has flagged these registers as more than administrative exercises; they are a launch point for deeper operational resilience reviews. Submitting an incomplete or outdated register is effectively inviting the regulator to dig further.
For CROs and risk teams, this means the first year of CPS 230 isn’t just about ‘getting compliant’. It’s about proving - with evidence - that the resilience framework is operational, current, and ready for scrutiny at any moment.
The cost of getting it wrong
Once cracks surface in an APRA review, the costs mount quickly. Fines may be the least of it.
Operational downtime, reputational damage, and resources diverted to remediation can run into the millions. But the lasting damage is board-level scrutiny and the loss of credibility with APRA: once confidence is eroded, internally and externally, it is not easily rebuilt.
From ‘we’ve got it covered’ to ‘here’s the proof’
For CROs and risk teams, the fix isn’t about working harder — it’s about working differently. Making mapping a living asset, not a one-off project. Building tolerances that are tested under realistic stress. Linking evidence to operations so you can surface it instantly.
The complexity of CPS 230 isn’t going away. But the way it’s managed can change. The most effective CROs are replacing fragmented spreadsheets, static documents, and scattered file shares with centralised, living resilience frameworks.
That means:
- Continuous mapping of critical operations, updated as the business evolves.
- Scenario testing designed to reflect real-world conditions, not just compliance checklists.
- Evidence management that links directly to operations, tolerances, and governance records, so proof is ready before the regulator asks.
That’s the shift Drova makes possible. Our CPS 230 solution centralises evidence, links dependencies, and delivers scenario outputs you can hand to APRA before they finish asking the question.
It’s time to go from ‘we’ve got it covered’ to ‘here’s the proof’.