Building resilience that lasts beyond compliance

  • July 04, 2025

by Peter Malan, Susanna Chan and Natasha Kan

The CPS 230 Operational Risk Management (CPS 230) Standard from the Australian Prudential Regulation Authority (APRA) took effect on 1 July 2025 and sets a new baseline for operational resilience across banking, insurance and superannuation. The Standard directs every APRA-regulated entity to manage operational risk, maintain critical operations within Board-approved tolerance levels, and manage the risks that arise from material service providers.

While the priority of regulated entities may have been to meet compliance requirements, the true value lies in building resilience that is forward-looking and well embedded in the organisation.

In a dynamic risk and regulatory environment, organisations must move beyond minimum compliance expectations and build resilience as a strategic capability.

Investing in resilience now not only protects your license to operate but drives measurable business value. Maturing your resilience posture through better data, automation and testing can tangibly reduce the cost of disruption.

Unlocking the value of resilience

• Cost efficiency: Reduces financial loss from disruptions and regulatory penalties
• Stakeholder assurance: Demonstrates robust governance, earning trust with Boards, investors and regulators
• Business agility: Enhances responsiveness, enabling faster recovery and more informed decision-making in dynamic environments
• Customer trust: Builds preparedness and credibility, reinforcing confidence during service disruptions or a crisis

Where to from here?

Now that you have met the CPS 230 requirements, you might be wondering: where to from here?

Based on our experience locally and globally, we have outlined some key considerations, depending on the maturity of your organisation, to unlock the value that resilience can bring. They highlight how organisations can move from foundational compliance to integrated resilience and, ultimately, to a technology-enabled capability that enhances agility and protects key stakeholders.

We see that in Horizon 1 (building the foundation), organisations should focus on embedding and refining compliance requirements. However, it is the transition to Horizon 2 (scale and simplify) and 3 (intelligent resilience) that delivers meaningful returns. These horizons focus on embedding resilience into the fabric of operations to improve efficiency, predict and prevent disruptions, accelerate response times, and enable smarter decisions under pressure.

Horizon 1: Building the foundation

• Embed operational resilience into operating models to demonstrate clear accountabilities, linked to the Financial Accountability Regime (FAR), through ongoing change activities, including training, that help stakeholders adopt and own resilience activities
• Ensure you have the capabilities in the first line, for instance operational risk, business continuity and service provider management expertise, to support accountable executives and critical operation owners
• Refine the reporting and dashboards that you went live with to ensure they effectively inform management and the Board. These should support timely decision-making on the resilience of critical operations
• Continue documenting your technology landscape and dependencies (e.g. infrastructure), particularly where existing information and documentation is incomplete or inconsistent
• Enhance service provider management contracts to align with the updated requirements, ensuring all contractual terms are revised by 1 July 2026. Organisations may have already updated their risk and due diligence assessments; however, these enhancements, which often necessitate additional documentation, should be integrated into contract renegotiations
• Identify and implement uplifts to non-critical operations and non-material service providers to manage holistic resilience across your organisation

Horizon 2: Scale and simplify

• Integrate scenario testing across your organisation to bring together multi-domain scenarios covering cyber, data integrity and material service provider disruptions, while aligning with other regulatory requirements, such as CPS 234, CPS 190 and CPS 900 testing requirements
• Provide real-time reporting and insights on operational resilience to management and the Board by implementing observability platforms over critical operations, giving transparency over the resilience of critical assets supporting critical operations
• Streamline service provider risk assessments by using automation, including artificial intelligence (AI), to automate response reviews, identify risks, and prioritise critical issues
• Utilise technology, including AI, to automate the documentation and updates of business impact analyses (BIAs) and, where applicable, process maps

Horizon 3: Intelligent resilience

• Leverage machine-learning models to enable predictive resilience. For example, identifying anomalies in supplier performance, potential cyber threats or unexpected data access, allowing for proactive mitigation
• Apply technology such as AI to strengthen resilience practices to enable faster detection of resilience impacts and near-real-time response to emerging threats or material changes
• Automate continuity and crisis playbooks to support dynamic response and consistency in execution across teams
• Enhance service provider resilience monitoring by integrating performance alerts into supplier governance for more real-time oversight
• Establish adaptive thresholds for operational risk indicators using AI and data analytics to enable real-time risk posture adjustments

Taking a phased, outcomes-driven approach helps build the confidence of the Board and key stakeholders by demonstrating clear accountability, improved data-driven oversight, and effective service provider governance. As the risk environment becomes more complex and interconnected, resilience must go beyond compliance. It must be integrated into how the organisation operates, prioritises, and invests. The time to shift from meeting minimum standards to achieving operational advantage is now.

Contact us

Peter Malan

Partner, Cybersecurity & Digital Trust, PwC Australia

Susanna Chan

Partner, Cybersecurity & Digital Trust, PwC Australia

Nicola Costello

Partner, Digital and AI Trust Leader, PwC Australia

Noel Williams

Banking and Capital Markets Leader, PwC Australia

Natasha Kan

Senior Manager, PwC Australia