
Confidently achieve APRA compliance

Data breaches. The COVID pandemic. Devastating climate events. It's not a case of if disruption might happen, but when.

 

Meet APRA's CPS 230 requirements with the leading operational resilience solution and be confident you can prepare for and respond to these events quickly.

01

Comply with confidence

Comply with the new Operational Resilience framework set in place by the Australian Prudential Regulation Authority (APRA) in time for the 1 July 2025 deadline.

02

Know your business landscape

Identify and map your critical operations and the critical processes and resources that support them.

03

Be prepared for any and all scenarios

Conduct robust scenario testing to assess your ability to stay within impact tolerances and ensure you are prepared against the maximum level of disruption.

04

Get report ready, fast

Report on your readiness and results to APRA, auditors, the Board and Senior Management.

Comply with APRA's CPS 230 Operational Risk Management Standard

Ensure your firm is prepared for any future scenario. Book a demo today.

Why is operational resilience important for Australian Financial Services firms now?

Most companies simply aren’t prepared for disruption. Data from BCG shows that only 10% are resilient and thriving. That’s why the Australian Prudential Regulation Authority (APRA) has finalised a new prudential standard for insurers, banks and superannuation firms - CPS 230 Operational Risk Management - to ensure they better manage operational risks and business disruptions.

 

The new CPS 230 Operational Risk Management Standard (CPS 230) sets out key requirements for managing operational risk, including updated requirements for business continuity and service provider management. Regulated firms must comply with the new standard by July 2025.


APRA's CPS 230 requirements

The CPS 230 standard is made up of three strategic pillars.

Objectives:

 

  • Improve operational risk practices through enhanced focus of Boards and senior management

  • Minimise the impact of disruptions to customers and the financial system
     

Key features:
 

  • Entities must manage operational risks with effective internal controls, monitoring and remediation

  • Entities must be able to respond to disruptions and maintain continuity of critical operations

  • Entities must understand and manage risks from the use of service providers

  • Entities must now report on certain events and relationships with service providers

 

Source: APRA


Drova for operational resilience

Address all three of APRA's CPS 230 pillars while building an operationally resilient firm.

Identify and manage critical operations and processes

Stage 1 is identifying your critical operations and mapping out the processes and resources that support them. For each important service, break down critical processes into the resources that support them, mapping each process flow to understand its conditions and resource dependencies.

 

Use Drova to:

 

  • Create a centralised and accessible register of critical services

  • Assign these to stakeholders and rate their priority & criticality

  • Link services to other records throughout the GRC system, enabling links to third parties, time-based metrics, risks, events and scenarios

  • Ensure the resources that enable critical services and processes can adapt in the event of disruption
     


Be confident you are within acceptable impact tolerances

Set clear impact tolerances for the maximum level of disruption you are willing to accept. Critical operations must be maintained within tolerance levels - before they cross into ‘intolerable harm’ - and calibrated with regular scenario testing.

Use Drova to:

 

  • Establish tolerance levels across processes and resources

  • Define what is an ‘inconvenience’ vs. ‘intolerable harm’

  • Put in controls and mitigants to ensure you can withstand the shocks you are testing for

  • Maintain critical operations within tolerance levels

  • Ensure that all relevant people are fully aware if the firm is operating within acceptable impact tolerances

  • Be able to confidently demonstrate this to APRA

Conduct robust scenario testing

APRA requires robust scenario testing, using severe but plausible scenarios to assess your ability to remain within your defined impact tolerances. Find drivers, triggers and other factors to inspire useful scenarios in our AI-powered Scenario Library, which includes any mandatory testing required or suggested by APRA.

Use Drova to:

 

  • Access a library of suggested scenarios

  • Execute guided scenario tests, set up for you, at the click of a button

  • View the results of your tests and how they stack up against your impact tolerances

  • Measure your tolerance across a specific duration and see how long recovery would take to ensure that you are not crossing into ‘intolerable harm’ levels

  • Maintain a detailed audit trail of all your scenario tests in the centralised platform
     


Be prepared with Business Continuity Planning (BCP) in place

APRA-regulated firms must have BCPs in place that outline how the firm identifies, manages, and responds to disruptions within tolerance levels. These BCPs must be regularly tested with severe but plausible scenarios.

BCPs must include Disaster Recovery (DR) planning for critical information assets, ready to be activated during a disruption before returning to normal operations.

 

Use Drova to:

 

  • Map critical processes and contingencies to allow for integrated BCP testing

  • Identify resources (people, information, assets, third-party suppliers) for BCP testing and oversight

  • Provide the Board with an inside-out (business-critical process to plausible scenario analysis) view of BCP operations and capabilities

  • Use operational resilience task management to provide the required systematic testing program, tailored to material risks

  • Establish governance via assigned roles and responsibilities

Manage risk associated with third-party service providers

Under CPS 230, firms must maintain a register of material service providers and manage risks associated with them. Regularly monitor material arrangements, assess performance, evaluate risk controls, and ensure compliance with the service provider agreement.

Use Drova to:

 

  • Track and identify all third-party resources (assets, facilities) that enable your critical operations

  • Maintain a register of your material service providers and manage all contracts with third parties in the centralised platform

  • Conduct attestations and due diligence on service providers

  • Maintain visibility and manage financial and non-financial risks by linking your service provider contracts to your risk and compliance records

  • Test resources managed by service providers through integrated scenario testing
     


A resilient organisation means more reward

There's only so far spreadsheets can take you when it comes to meeting your firm's operational resilience requirements. Manage current and future risk with purpose-built software.

Critical operations & processes

Clear and easily accessible list of all your critical operations and processes

Automated reviews

Automatic creation, allocation and notification of scheduled reviews

Respond quickly to changes

Ad hoc reviews resulting from a material change to your business

Map to 3rd parties

Mapping to 3rd parties to show relationship considerations

Easy-to-use dashboards

BI Dashboards for high-level analysis

Scenario testing

Scenario testing, recording findings and resolutions

Drive operational resilience within your firm

Connect data points across your entire organisation to eliminate risk silos and improve organisation-wide resilience with Drova.
