As the 1 July 2025 effective date for CPS 230 looms — now just days away — ReadiNow has continued its engagement with senior leaders across banking, insurance, superannuation, and financial services through a new series of roundtable discussions. These sessions build on insights gathered in 2024 and reveal a clear evolution in focus: from designing and building to embedding capabilities that will endure in BAU post effective date.

Participants also completed a short survey ahead of the discussions. The combination of real-time insights and structured feedback paints a compelling picture of an industry accelerating its transition from compliance programs to sustained operational resilience.

Key Takeaways

What FSIs Must Do Now

1. Shift from Compliance to Continuous Resilience
   Move beyond meeting the July deadline by establishing clearly defined, resourced BAU models that sustain operational resilience long-term.
2. Get Granular with Critical Operations and Controls
   Resolve lingering complexity by aligning critical operations with tolerances, risks, and controls — and ensure clear accountability for each.
3. Integrate Technology and Prepare to Scale
   Break down silos and invest in platforms that support flexible automation, real-time insights, and integration with other platforms that assist generate insight.
4. Uplift Third-Party and Procurement Governance Now
   Act quickly to mature MSP oversight — embed due diligence, contract controls, and continuous monitoring into procurement workflows.
5. Turn AI into a Trusted Risk Management Tool Used Every Day
   Pilot AI in control testing, obligation management, and incident response — and define governance frameworks to ensure ethical, auditable use.

What Stage of the CPS 230 Program Are You Most Focused on Today?

In 2024, most respondents were in the design and build phase. In March 2025, the majority were focused on implementation, though only around 20% had moved into embedding their new frameworks and processes.

That said, a powerful theme emerged: compliance is not a destination. As one participant put it, "We’re not aiming to cross a finish line — we’re building a new operating rhythm."

Key concerns included:

• Whether BAU teams are ready to take ownership after program teams roll off.
• The loss of deep CPS 230 expertise as delivery resources transition out.
• Uncertainty around APRA’s post-implementation supervisory approach — will we see thematic reviews? Or stricter enforcement for partial compliance?

Some institutions are responding proactively. One major bank’s first-line COO is establishing a “Resilience Hub” to sustain oversight and drive enterprise-wide capability uplift beyond go-live.

Which CPS 230 Requirement Areas Are You Most Focused on Today?

While all CPS 230 components remain in focus, the top three areas receiving the most attention are:

• Critical Operations — Organisations continue to struggle with defining operations at the right level of granularity and connecting those definitions across risk, control, tolerance, and third-party domains.
• Risk & Control — Risk-control-obligation mapping is being refined, with greater effort being placed on ownership, action tracking, and ongoing testing to increase confidence.
• MSP Management — Most institutions quickly defined material service providers, but implementing robust governance and risk oversight remains difficult due to fragmented models and manual processes.

Legacy incident management frameworks are also being redesigned to include critical operation owners, control owners, and service provider leads — a necessary step given the increased scale and complexity of incident scenarios under CPS 230.

Which Operating Model Layer Are You Most Focused on Changing?

Whilst the number one focus is still on Policy  Framework and Processes, this has significantly reduced from 6 months ago, with the focus on Technology and Systems, and Data and Reporting, significantly increasing.

Organisations shared concern that recent tech investments may be point solutions that lack integration — and may not be ready to support the next generation of AI-powered resilience.

One attendee noted:

"We’ve made quick tech investments, but they aren’t future-proof. They won’t be able to take advantage of emerging AI capabilities."

In parallel, organisations are:

• Uplifting data quality and accessibility to support better risk decision-making
• Reinvigorating governance forums that consume risk data and escalate emerging issues
• Beginning to align CPS 230 operating models with FAR accountabilities, particularly around responsibility mapping and demonstrating reasonable steps
  

Which Functions are Experiencing the Most Change?

While risk, compliance, and technology teams remain heavily involved, 2025 is seeing more emphasis placed on first-line executives, control owners, and procurement functions, enabling hand over to BAU.

Procurement was consistently identified as a low-maturity capability, now under pressure to:

• Improve due diligence and onboarding of material service providers
• Embed ongoing risk monitoring
• Establish contract controls aligned to CPS 230 expectations

For many, this represents a major step-change — and a steep learning curve.

Where Do You See the Most Value from AI in Supporting CPS 230 Compliance?

AI is no longer a futuristic concept — it is now being seen as a critical enabler of scale, efficiency, and insight.

Priority use cases include:

• AI-Assisted Control Testing
  Automated and facilitated control testing offers significant time and quality gains.
• Regulatory Change Monitoring
  AI agents trialled by participants have reduced human effort by over 50% in interpreting and actioning regulatory updates.
• Incident Detection and Response
  Risk leaders see strong potential for AI to triage incidents, connect related records, generate insights, and drive follow-up actions.

ReadiNow’s upcoming AI Agent Builder and OOTB AI Agents generated strong interest during the sessions, with many participants keen to explore practical applications in their environments.

Call to Action for Risk Leaders

To deliver strong outcomes by the CPS 230 effective date and beyond, risk leaders should consider:

1. Define and document a sustainable operating model — Ensure your program has clear handover criteria and BAU readiness plans.
2. Build integrated, automated operational risk processes — Focus on technologies that support data-driven decision-making and resilience beyond go-live.
3. Experiment with AI now — Start small, learn fast, and build trusted AI practices that improve control, oversight, and efficiency.

Conclusion

The 2025 roundtables highlighted a significant mindset shift:

• From “how do we comply?” to “how do we sustain capability?”
• From documentation to embedded, automated, transparent processes
• From tactical projects to strategic, AI-enabled ecosystems

CPS 230 is ultimately a test of organisational maturity — in culture, change leadership, governance, and technology.

We thank all participants for their insights. ReadiNow remains committed to supporting this journey — with the tools, intelligence, and innovation required to build operational resilience that lasts.

With the July 2025 deadline fast approaching, now is the time to take stock of your CPS 230 readiness. If you’d like to discuss where your organisation stands, explore potential gaps, or see how AI can support a more efficient and confident approach to compliance, we’d be happy to connect.

Get in touch today!