
Lessons and advice for CPS 230 project teams in the final stretch

In March 2025, nearly 400 financial services leaders joined an EY webcast to discuss what they must get right in the countdown to 1 July.

In brief:

  • CPS 230 teams are facing implementation challenges, including managing Material Service Providers, as they prepare their regulated entities for Day 1.
  • The transition from project to business as usual requires integration with existing processes and new types of data collection, testing and monitoring.
  • A pragmatic approach that prioritises progress over perfection and strengthens governance and oversight is vital for achieving operational goals.

As regulated entities work their way through APRA’s Day 1 checklist, CPS 230 teams are racing to get their institutions ready for 1 July 2025. Our webcast polls suggest the big challenge is to operationalise the foundations, moving from project to business as usual (BAU). With less than four months to go, 30% of participants rated this as the biggest challenge, while 23% said they were struggling with Material Service Provider (MSP) management and 13% with validating tolerance levels.

After the slow uplift to CPS 234, the regulator is emphasising the importance of getting CPS 230 right the first time. Despite this being a very challenging standard, by Day 1, entities must be able to demonstrate well-thought-through approaches and achieve minimum compliance, with ongoing efforts to further mature.

We recommend that teams focus on a number of key tasks in the next few months.

Understand what CPS 230 BAU looks like

From 1 July, APRA expects CPS 230 to integrate with existing processes. The challenge is not just operationalising compliance but building resilience into processes – resilience by design. This means making sure that the new work around Critical Operations meshes with an entity’s risk assessment framework and controls. Given the end-to-end nature of these processes, siloes may need to be broken down. New tools may also be required to empower executives and risk management teams with real-time operational data.

The acid test is whether resilience has become a strategic input in major business decisions. Teams need to think about how they will test that their work translates into greater clarity around operational risk and resilience pain points. How will they confirm that, as new systems and processes are designed, resilience is embedded automatically?

Decide how to monitor Material Service Providers

In institutions where third parties play a significant role in delivering core processes and critical operations, MSP risk assessment is one of the most challenging areas to get right. Part of the problem is that risk varies depending on the service being provided. Plus, few MSPs will be monitored in the same way because the maturity of their control frameworks is highly variable. Nor does every provider have a robust framework to monitor their own third parties (fourth parties to the regulated entity).

The industry understands change is required, and some larger suppliers are getting on the front foot. EY teams are working with other service providers to strengthen their control reporting. However, smaller providers are less prepared.

CPS 230 teams need to engage early with providers to communicate their expectations – and find out what a supplier can and can’t deliver. These companies have many clients – all asking for different types of reporting. The key is to be clear, patient and flexible and to be open to industry efforts to work with parties used by many regulated entities. Longer-term, institutions should seek MSPs that demonstrate resilience by design – where strong controls and contingencies are baked into their service delivery.

Document the rationale for identifying Critical Operations

In November 2024, our CPS 230 Benchmarking Survey found regulated entities making good progress on identifying Critical Operations, but variances in the scoping of Critical Operations across the sector remain. Some entities have excluded some of the APRA pre-defined Critical Operations, including IT systems and infrastructure, and customer enquiries. Yet others consider these to be enabling functions, given their pervasive support of end-to-end critical processes.

Some have kept close to their core competencies. Others have spread the net wide. The top Critical Operations beyond those mandated by APRA were:

  • Cyber detection and response
  • Managing funding and liquidity
  • Fraud and customer protection

Such differences will not matter as long as an entity can defend its decisions. If an outage happens due to the failure of a process that was not identified as critical, the regulator will want an explanation as to why that process was excluded. APRA will be looking for a sound rationale that applies knockout criteria and process mapping to consider what creates material adverse client impacts and therefore confers Critical Operation status.

Test whether tolerance levels are realistic, achievable and appropriate

There’s some confusion as to whether tolerance levels need to be tested before 1 July. Rotational testing every three years is permitted. But when does that start? Our view is that desktop analysis now – ideally including third parties – is vital to test achievability, understand gaps and quickly close them. Otherwise, how will entities know they can operate within their chosen tolerance levels? This is also a good moment to find out whether it’s even possible to collect the data required to support tolerance assessment. More in-depth, scenario-based testing can follow later, noting such testing can identify further gaps in resilience requiring remediation.

Agree on board reporting metrics and timing

With the heavy emphasis on board accountability, directors are asking new questions of CPS 230 project teams. The board wants to know the cadence and nature of information directors will receive to help them respond to their new obligations. Now they’re starting to think about signing a risk management declaration with an operational risk lens to it, some directors are seeking very specific details: “How will we get an early indication of an MSP posing an increased risk? How close are we to some of our risk tolerances?”

Project teams should be engaging with the board now to agree on what information they need to make the right decisions. This conversation should acknowledge the mindset change that CPS 230 confers. The board is typically focused on strategic initiatives, but the new standard introduces an operational element. Many boards will have a strong view on the reporting metrics they require and the questions they need answered to make this shift.

Related topics

Lessons and advice for CPS 230 project teams in the final stretch

In this webcast, the EY CPS 230 advisory team discussed compliance challenges, industry updates and insights from our survey, to help prepare you for the final hurdles before the deadline.

06 Mar 2025 | 03:30 your local time

Summary

With CPS 230 compliance required by 1 July 2025, regulated entities are working to integrate the new standard into business as usual. Challenges that must be resolved include managing Material Service Providers (MSPs) and validating tolerance levels. Early collaboration with service providers and robust documentation of risk decisions will be essential to meet regulatory expectations from Day 1.
