CPS230 Roundtable Insights: Moving from Design to Deployment in 2025

October 31, 2024

With the deadline for APRA’s CPS230 Operational Risk Management standard fast approaching, the pressure is on institutions to deliver outcomes and benefits that demonstrate compliance. As institutions navigate the shift from building and implementing to embedding new operational risk management capabilities, it’s clear that success hinges on immediate, decisive steps to finalise the documentation of critical operations, engage third parties, and embed automated and integrated processes. In a series of roundtable discussions hosted by ReadiNow, over 50 senior risk professionals from 40 institutions shared their insights on the challenges, progress, and urgent priorities for achieving CPS230 compliance before time runs out. Below are the key insights from these discussions.

 CPS230 Compliance Progress: Where Financial Institutions Stand 

From the insights gathered, it’s clear that most organisations have moved beyond the design and build phases of their CPS230 compliance programs and are preparing for full implementation and the embedding of new processes in 2025. However, the pace of progress varies significantly between institutions. The banking sector is leading the way, with insurers following and superannuation funds making slower progress. Larger organisations are notably further ahead compared to their smaller counterparts, but even among the larger institutions, many have yet to fully embed their new operational risk capabilities.

Critical Focus Areas for Achieving CPS230 Compliance

One of the primary challenges institutions face is documenting their critical operations. This includes identifying associated risks, controls, vulnerabilities, tolerances, and third-party dependencies. This documentation process has proven to be iterative, as organisations struggle to find the right balance between satisfying regulatory expectations and maintaining operational efficiency. While many institutions have made strides, getting the necessary level of detail remains an ongoing challenge.

Transforming Operating Models to Meet CPS230 Standards 

To comply with CPS230, many organisations are undergoing significant changes to their operating models. This transformation is happening in a cascading manner. The first wave of changes is occurring at the policy, framework, and process levels. These changes are then driving updates in technology and systems, which in turn are improving data quality and reporting. Ultimately, these enhancements are expected to strengthen governance. However, most organisations are still grappling with the extent of changes needed in roles, responsibilities, and resourcing, and few have begun measuring the cultural impact of these shifts.

Key Teams Leading the Charge

Clarity of accountabilities and future operating model roles, responsibilities and resourcing is being enhanced on an iterative basis. Considerable impact is being felt by the business, particularly by the technology departments who are tasked with delivering the largest share of the changes necessary to achieve compliance – ranging from owning specific critical operations through to mapping IT vulnerabilities and enhancing governance over a growing number of material service providers. The second line of defence—risk and compliance teams—must also evolve to guide the business through these changes. Additionally, first-line teams such as operations, procurement, and legal will need to undergo significant adjustments to align with the new compliance requirements.

 CPS230 Action Plan: Preparing for Full Implementation for 2025 and Beyond 

As institutions prepare for the implementation and embedding phases in 2025, several critical actions should be prioritised to ensure success: 

  1. Define Exit Requirements: Institutions need to sharpen their focus on moving from implementation to the embedding phase. Clear exit requirements will help them assess whether new processes and capabilities have been successfully implemented and are sustainable.
  2. Adopt a Long-Term View: When planning enhancements to risk management solutions, organisations should take an integrated, long-term approach to ensure these solutions are scalable and flexible enough to adapt to future changes.
  3. Engage with Third Parties: Institutions should increase their engagement with both inbound and outbound third parties. It’s essential to ensure that all dependencies and fourth-party risks are well understood and that the desired outcomes for critical operations can be achieved.
  4. Estimate Effort for First-Line Teams: First-line teams need to better estimate the effort required to maintain the new capabilities introduced by CPS230. Proper planning and resource allocation will be crucial to sustain these capabilities in the long term.

As the countdown to CPS230 compliance continues, organisations must shift their focus from design and build to full-scale implementation and embedding. The insights shared at our roundtable discussions highlight the areas where institutions are making progress, but also the significant challenges that remain.  

How ReadiNow Can Assist with CPS230 Compliance 

ReadiNow’s no-code process automation platform is uniquely positioned to help organisations meet their CPS230 obligations efficiently and effectively.

By providing scalable, out-of-the-box solutions tailored for Operational Risk Management in FSI, ReadiNow enables regulated institutions to document critical operations, improve governance and manage third-party vendors, incident management and continuity plans. With ReadiNow, organisations can quickly move from implementation to embedding, ensuring compliance with APRA’s standards is met ahead of the deadline.
