Skip to main content

Automating CPS 230

What is CPS 230?

APRA Prudential Standard CPS 230 (Operational Risk Management) and the corresponding APRA draft Prudential Practice Guide CPG 230 are designed to strengthen the management of operational risk in the Banking, Insurance and Superannuation industries. The changes come on the back of Royal Commission observations regarding the importance of oversight of non-financial risks in these industries.

The aims of CPS 230 are to

  • strengthen operational risk management within APRA-regulated entities, including requirements to test internal controls to ensure they are effective in managing operational risk;
  • improve business continuity planning within those entities, including setting clear maximum levels of disruption for critical processes, so they can continue to operate in the event of a disruption; and
  • enhance third-party risk management of all material service providers that those entities rely upon for critical processes, rather than just processes that have been outsourced.
 

APRA CPS 230 applies from 1 July 2025 or at the next renewal date of existing service providers. APRA CPG 230 is a set of good practice expectations from APRA but are not enforceable. 

How to become CPS 230 Compliant

In the case of service provider oversight, compliance with CPS 230 will require at least:

  • A third-party risk management policy with directives corresponding to CPS 230 and CPG 230 requirements.
  • Processes to direct, manage and evaluate that policy and manage the interdependencies between people, technology, data, facilities, and service providers.
  • A comprehensive supplier, service, and cyber security GRC platform like HyperGRC™ to implement and automate those processes.
 
The implementation of CPS 230 may be easier for those entities that already have adopted a comprehensive control framework like the NIST Cyber Security Framework (NIST CSF) and a risk management framework like ISO 31000 shown below.  
 

Third and Fourth Party Management

Continue reading to see each required CPS 230 process and how HyperGRC™ can help. 

Process, Data and Service Recordkeeping

Under CPS 230, recordkeeping of the organisation structure and processes and assessment of their criticality within a GRC is essential, as is establishing process ownership, service levels, and resilience requirements for those processes.  

Records of data assets maintained in the GRC should capture interdependencies across various sectors and have documented owners.

Similarly, IT asset records, including relationships between IT service and IT assets, should be maintained in the GRC.

3rd and 4th Party Provider Management

According to CPS 230, registers must be maintained in the GRC for service providers involved in critical processes and for the 4th parties they rely on. Each service provider must be tiered and segmented. Initial and ongoing assessment of these third and fourth parties is also required.

RISK EXPRESS® workflows and ML/AI bots developed within HyperGRC™ can automate this process giving cyber certainty.

Control Assurance

CPG 230 recommends control assurance, taking into consideration linked issues and incidents. Control assurance will require control test plans, and potentially site visits. 

 

HyperGRC™ contains all the required control frameworks and in-built as well as custom control assessment questionnaires that you need to be CPS 230 compliant. Control assurance can be automated using RISK EXPRESS® workflows, and more and more components of the audit and assessment process can be automated using the ML/AI bots in our GRC as their capabilities increase over time.

Today, our GRC can workflow security testing, risk and control evidence management, internal and external control report reviews, control maturity determination, and more. HyperGRC™ can also convert between frameworks for reporting, aggregate control assessment, and streamline the risk determination process. 

CPS 230 Risk Management

CPS 230 has risk management process obligations that need to be demonstrated in order to comply. 

Identifying Service Risk

CPS 230 and CPG 230 emphasise the recording of IT services in a GRC, with a focus on correlating risks from multiple third-party dependencies on a single fourth party, and documenting interdependencies across various components. 

With HyperGRC™ you can manage IT service records including IT service ownership and contact details, as well as record technology, data, hosting and support service provider relationships. 

With HyperGRC™ you can also manage IT service records including IT service ownership and contact details, and record technology, data, hosting and support service provider relationships. 

You can also add your own custom fields to the included good practice risk and issues registers that have documented owners (including third party owners) as recommended in CPG 230. Under CPS 230 these registers need to include incidents and near misses as future risks.

Risk Treatment

CPS 230 requires the formal management of risks including end-of-life or end-of-support technology risk. HyperGRC™ implements the full risk management process, including detailed risk treatments, which can be workflow enabled, integrated into IT service management systems and include automated follow ups. 

CPG 230 recommends that risk treatments consider both tactical (or temporary) controls until a strategic solution is implemented, as well as the strategic (or final) solution. It also recommends actions include timing, costs, leading indicators, and a linkage to the service risk profile.

Monitoring and Communicating

CPS 230 requires the Board to set clear roles and responsibilities for senior management oversight over BCP and third-party risk management. This will involve creating cyber risk profiles at the IT service, business process, business unit and organisation / service provider level and monitoring them within a GRC platform.

CPS 230 also requires the Board to review risk and performance reports on material service providers, and for senior management to obtain periodic reporting on service provider performance, control effectiveness and contractual compliance.

CPS 230 requires the management of service risk, geographic location risk, concentration risk, and 4th party risk within a GRC.

CPG 230 further recommends assessment of the risk of performing business services in-house compared with outsourcing, the assessment of country and region risk, supplier risk, concentration risk, and reputation risk.

With a full relational organisational risk management and cyber risk management data model, HyperGRC™ can deliver a large number of dashboards and reports “out of the box”, or with minimal configuration. 

HyperGRC™ integration, workflows, and ML/AI bots give certainty over the ability to develop the necessary cyber metrics, KCIs, KRIs, as well a continuous control monitoring necessary to comply with CPS 230. 

CPS 230 Scenario Analysis

CPS 230 requires detailed assessment of risk scenarios.

Cyber Quantification

Under CPS 230, it is vital to aggregate IT service risks across business processes, business units, and service providers. Third party comparisons also need to be conducted.

CPS 230 mandates scenario-based threat, risk, and control assessment, and CPG 230 recommends these encompass all significant and conceivable operational risk events.

CyberQUANT™ is the risk quantification engine in our GRC. It uses multiple models like Open FAIR to measure cyber risk and optimise cyber investments. 

You can use the engine to define risk scenarios, quantify the risk using Open FAIR or your own algorithms, calculate ROI of baskets of control changes and monitor risk buy-down.

Automating CPS 230

Automating compliance for regulations such as CPS 230 and CPG 230 using a GRC platform like HyperGRC™ involves multiple steps and integration points. Here’s a comprehensive approach:

Data Integration:

  • Connect HyperGRC™ to the organization’s data sources (e.g., IT service management, procurement, ERM) to automatically import the latest organisational, service provider and control data.
 

Mapping & Configuration:

  • Use HyperGRC™ to map CPS 230 and CPG 230 requirements to specific cyber framework controls (such as NIST CSF or ISO 27001). This becomes the unified framework for IT and service audit, assurance and compliance checks. 
  • Configure the RISK EXPRESS workflow and RESITEK integration platform to recognize the specific data points and actions that align with each requirement.
 

AI & Machine Learning:

  • Leverage HyperGRC ML/AI bots to identify risks across various data points.
  • Use included or your own custom machine learning algorithms to predict potential areas of non-compliance based on historical data.
 

Automated Reporting:

  • Set up automatic generation of assurance (and compliance) reports at specified intervals or upon request.
  • Include visualizations like dashboards in HyperGRC™ to provide a quick view of compliance status. 
 

Continuous Monitoring:

  • Use RISK EXPRESS workflows to monitor cyber risks and communicate findings.
  • HyperGRC can also help implement continuous control monitoring, sending alerts for any deviations or potential non-compliance.
 

Scenario Analysis:

  • Automate scenario-based threat, risk, and control assessments as mandated by CPS 230. This could involve running simulations or using historical data to project and quantify potential scenarios.
 

Notification Systems:

  • Integrate HyperGRC with your Teams, Slack, Service Management or other alert systems to notify stakeholders when there’s a disruption to a critical process, as emphasized by CPS 230.
 

Feedback Loop:

  • Implement mechanisms to take feedback from different business units and continuously refine the compliance automation process.
 

Document Management:

  • Maintain all CPS 230 compliance-related documents in HyperGRC. 
  • Automate the maintenance of control frameworks, issuance of questionnaires, and obtaining of relevant evidentiary documents.
 

Automated Remediation:

  • For identified non-compliance issues or control deficiencies, automate remediation processes (or follow ups) wherever possible. For instance, if a particular data point is missing, the system could prompt the responsible party to provide it or obtain it from an alternative source.
 

Periodic Training:

  • Use RISK EXPRESS workflows to schedule and monitor training sessions for employees on CPS 230 and CPG 230 compliance to ensure everyone is updated with the latest requirements.
 

Audit Trail:

  • Maintain a clear and tamper-proof audit trail of all actions taken within the system. This can be crucial for proving compliance during external audits.
 

Stakeholder Collaboration:

  • Integrate HyperGRC with collaboration platforms, so different stakeholders can discuss, share feedback, and collaboratively address compliance issues.
 

Remember, while automation can greatly assist in ensuring compliance, human oversight is still necessary to interpret results, make judgments, and handle complex scenarios that might be beyond the scope of the automation.

In the Press