Breaking down the six components of CPS230 and how they apply to all organisations

Complying with CPS230 ‘s updated standards from July 2025 onwards is front of mind for all APRA-regulated financial institutions this year. But what can organisations outside of APRA’s remit learn from the standards?

The goal of CPS230 is for organisations to better manage disruption and operational risk. The key word? Disruption.

Given the amount of disruption in the last five years alone - COVID, recessions (to name a few), it’s easy to see how focusing on resilience is relevant for all organisations. We’ve seen these events impact all industries, often causing long-lasting damage. Strengthening your organisational stability is a secure defence against these shockwaves. After all, prevention is better than a cure.

Let’s dissect the six key components of CPS230, extracting the essential learnings for your organisation’s collections.

1. Operating model

Analysing your operating model means putting your risk management framework under the microscope:

• What mechanisms do you have in place? Are you adopting a three lines of defence model?
• Who is responsible for your critical risk management framework? Are individual responsibilities clearly outlined, all the way up to your Board?

You should look at how your operating model is evolving, and how adaptable it is to new requirements. This may mean making changes or refinements, ensuring that your risk management is appropriate for where your organisation is now - and will be in the future.

2. Critical operations

Identifying your critical operations, their dependencies and measuring processes is next. As a critical operation, your collections and recoveries operations play a significant role in how prepared your organisation is for a risk event.

If you’re handling your collections internally, start by considering how your current setup would manage a significant increase in volume. Would additional headcount be required? What about technology or systems, how scalable are they? Placing your existing operations in the context of a crisis can quickly unearth gaps - that are better addressed now, rather than later.

The same questions apply if you’re outsourcing recoveries to a collections partner. Begin by asking how they manage sudden influxes in referrals, or try analysing their previous performance with volume increases. You should be confident that your partner could scale operations during any critical event - without compromising on customer experience, compliance or performance.

3. Material service providers

Material service providers are those you rely on for critical operations. These include core technology services, insurance providers and collections agencies. For operational resilience, APRA is requiring organisations to:

• Undertake thorough due diligence and ongoing assessments of your partner’s capability. Think about the last time you evaluated your collection agency, are those results still accurate or could it be time to reassess?
• Assess the financial and non-financial risk of relying on your partner. For example, do you only work with one collections partner or do you have several?

Another factor worth considering is the supply chain of your collections partner. Especially if they’re relying on traditional channels such as outbound dialling or mail, their scaling capacity will be fairly limited. Understanding their dependencies is crucial here, as their blockers will impact your services - and your customers.

4. Your business continuity plan

Think of your business continuity plan (BCP) as the backbone of your operational resilience. They provide a much-needed blueprint for keeping your business functioning during challenging times. While other priorities can often get in the way, ensuring your BCP is regularly updated and fit for purpose is essential. It needs to reflect any recent organisational changes, as well as be tested regularly.

It’s also worth asking your key providers about their BCP, and any protocols they have in place for crisis events. For example, would your dedicated point of contact change? Or would monitoring look different? After the pandemic, McKinsey found that 2 in 3 leading companies ask their key suppliers if they have BCPs in place. It’s one thing having your own processes in check, but ensuring that your essential partners do too is an extra layer.

5. Incident management

When was the last time your organisation faced a significant incident? Identifying, monitoring and reporting on any incidents is an essential part of operational resilience. Providing an ongoing source of learning, this demonstrates a sophisticated approach to overall risk. Making sure to not only log incidents, but ‘near misses’ too is also key here. You want to be thoroughly analysing these situations to understand preventative controls and supportive measures.

From a collections provider perspective, considering their handling of any historical incidents is crucial. Maybe they’ve had a previous server outage, impacting their ability to manage recoveries. How was their communication during this period? How long did it take them to get up and running again? What updated protocols have they put in place to ensure better management if this was to occur again? Do they take a mature approach to incident reporting overall? Assessing this in detail will give you a good idea of how resilient your partnership truly is.

6. Controls

Hand in hand with incident management, effective controls are the final part of CPS230. Here you want to understand:

• What controls do you currently have in place, including their design, monitoring and reporting?
• The adequacy of those controls, are they fit for purpose? When were they updated? Do they need refining?
• How are you using your controls to support your overall risk management framework? How can they help you evaluate your resiliency?

As with the other factors, ask your collections partner about their ongoing controls management. If there are gaps or weaknesses, remediating these should be a top priority. You should feel comfortable that your partner is minimising disruption wherever possible.

Shifting attitudes from managing disruption, to prevent disruption

When it comes down to it, CPS230 is far more than a new set of standards. It’s about shifting organisational culture to be more reflective and adaptive to the current macro environment. With crisis events requiring quick decision making and tight services, preparing now is more than justified - it’s fundamental.

Creating holistic layers of protection to your service delivery means requiring the same of your key partners, especially collections. When your ability to support customers and retain revenue becomes more important than ever during a crisis, it’s better to be prepared now - rather than later.