Rachel Riley

Complying with the MSP requirements of CPS 230: Your practical guide

Operational resilience isn’t just about ticking APRA’s compliance boxes. It’s about building a robust foundation that keeps your business running, no matter what.


APRA’s CPS 230 Operational Risk Management sets clear requirements for managing Material Service Providers (MSPs). Our new guide simplifies the process into actionable steps, showing you how to meet the standard and safeguard your operations with Drova GRC. Download the full version here.



1. Develop Your Service Provider Management Policy


📌 What APRA says:


You need a comprehensive policy that covers how you:


  • Identify and manage Material Service Providers.

  • Mitigate risks tied to third parties and their fourth-party dependencies.

  • Approach entering, monitoring, and exiting agreements.


🛠️ How to do it with Drova GRC:


  • Use the Document Library to centralise policies and link them to risk, incident, and compliance workflows.

  • Set up Read & Certify tasks to ensure team alignment.

  • Create inline review tasks to keep your policies up-to-date.

  • Ensure compliance with the policy for all Material Service Providers using Drova's Contract Module. This lets you link the MSPs identified in the Operational Resilience module to their contracts, SLAs and policy attestations.



2. Identify and Manage Material Service Providers


🔍 What APRA requires:


Keep a register of your Material Service Providers (MSPs) and actively manage risks. A provider is “material” if it supports critical operations or exposes you to significant risk.


✅ Checklist for MSPs:


  1. Does the provider support a critical operation?

  2. Does the arrangement expose you to material operational risk?

  3. For banks, insurers, and superannuation funds: services like risk management, technology, or internal audit are automatically material unless justified otherwise.


🛠️ How Drova simplifies it:


  • Drova’s Operational Resilience module lets you identify and link MSPs to critical operations and assess their impact.

  • Build a live MSP Register that flags critical dependencies and auto-calculates risk levels.

  • MSPs identified in Operational Resilience (critical processes) can be automatically linked to their contracts, risks and controls.



3. Formalise Service Provider Agreements


📝 What APRA requires:


Every MSP agreement must:


  • Clearly define performance standards, risk ownership, and BCP alignment.

  • Include controls for information security as outlined in CPS 234.


🛠️ How Drova supports you:


  • Store and organise all agreements in Drova’s Contract Library.

  • Link agreements to risks, compliance requirements, and BCP workflows for full traceability.



4. Manage risks throughout the MSP relationship


📊 What APRA expects:


Proactively manage risks for the life of the MSP relationship. This includes:


  • Regular risk reviews and scenario testing.

  • Monitoring performance, disruptions, and incident responses.

  • Ensuring risks and updates reach the Board.


🛠️ Drova’s approach:


  • Use automated workflows to trigger risk reviews and performance checks.

  • Link MSP risks to critical operations and underlying contract details for seamless reporting.

  • Generate Board-ready reports that provide clear oversight of provider performance and risk exposure.

  • Test disruption scenarios in our Operational Resilience module directly against MSP-managed resources that support your critical operations, and auto-create tasks and remediation actions.



5. Notifications to APRA


🛎️ What APRA requires:


Report any disruptions or significant incidents involving MSPs that affect critical operations. APRA expects timely, accurate notifications.


🛠️ How Drova makes it easy:


  • Set up notifications and reminders for reporting deadlines.

  • Use Drova’s automated tracking to ensure incidents are logged, managed, and reported on time.



6. Ongoing monitoring, reporting, and review


📌 APRA’s expectations:


  • Monitor MSP performance and compliance consistently.

  • Regularly review MSP arrangements and their risks.


🛠️ What Drova provides:


  • Real-time dashboards for performance monitoring.

  • Automated workflows for review tasks and incident management.

  • Historical audit trails to meet reporting requirements.

  • Attestation functions for MSP adherence and assurance.

  • Test and monitor MSP performance against disruptive scenarios.



7. Internal audits and Board involvement


👥 APRA requires:


Boards and senior management must have clear oversight of MSP risks, performance, and governance. Regular internal audits ensure compliance.


🛠️ How Drova helps:


  • Use Drova to schedule and track internal audits of MSP arrangements.

  • Automate regular Board updates with clear, actionable insights on third-party risks.

  • Provide Board-ready reports on all critical operations and the MSPs supporting the business, including scenario test results and integrated risk and incident reporting.



Why this matters—even if you’re not APRA-regulated


Operational disruptions can derail any business. By implementing CPS 230 standards:


✅ You’ll strengthen resilience against service provider risks.

✅ You’ll set up governance and oversight that stakeholders trust.

✅ You’ll stay ahead of regulatory trends, avoiding costly catch-up later.


Ready to build operational resilience?


Drova GRC helps you manage every step of your MSP compliance journey—simplifying the complex, automating the manual, and giving you confidence that you’re resilient. Download the full technical guide below.


