Insights

Thinking differently about risk

Perspectives on operational risk management, regulatory readiness, and what happens when you start with processes instead of frameworks.

Why your risk framework isn't changing anything

Most operational risk frameworks are built around risk categories and taxonomies. They produce registers, heat maps, and quarterly reports. They satisfy regulators and fill board packs. And they have almost no impact on how the business actually manages risk day to day.

The problem isn't the thinking — it's the starting point. When you begin with abstract risk categories, you end up with abstract risk assessments. When you begin with the actual processes your teams run, you end up with risk management that's embedded in how the work gets done.

This is the core of what we call outcome-focused risk management. Instead of asking "what are the risks in this business unit?", we ask "what are the processes that deliver outcomes, and where can they break?" The difference sounds subtle. In practice, it transforms how teams engage with risk.

A process-first approach means risk assessments reflect operational reality rather than organisational structure. It means controls are designed for the actual failure points, not the theoretical ones. And it means the people who run the processes are the ones who understand and own the risks — because the framework speaks their language.

We've seen this approach compress what typically takes six months of traditional risk assessment into ten-week agile sprints, with usable outputs delivered every fortnight. More importantly, the teams involved don't just tolerate the risk work — they find it genuinely useful.

If your risk framework disappeared tomorrow and nobody noticed, it's time to think differently about where risk management starts.


CPS 230 is live — has anything really changed?

APRA's CPS 230 has been in force since 1 July 2025. There has been a lot of activity: new forms, new registers, new reporting lines. But looking across the industry, one question is worth asking honestly: did we use this as the catalyst to reorganise around critical operations, or did we shoehorn extra framework requirements into existing processes and policies?

The real opportunity with CPS 230 was never the compliance pack. It was genuinely rethinking how organisations identify, manage, and build resilience across the operations that matter most. The institutions that reorganised their activity around critical operations, treating business continuity, operational risk, and third-party management as facets of the same question, are the ones seeing real value. The rest have a thicker compliance pack and the same underlying vulnerabilities.

For boards and executives, APRA's next wave of scrutiny will test whether these frameworks perform under pressure. That's where the difference between genuine capability and compliance theatre becomes visible — and it's not too late to course-correct.


The risk professional of tomorrow isn't a framework expert

For two decades, the operational risk profession has been built around frameworks: taxonomies, registers, heat maps, and reporting cycles. That foundation matters, but it's no longer enough. The risk professionals who will thrive in the next decade are the ones making the shift from framework custodian to process expert — people who understand how work actually gets done, not just how it's documented.

This means developing technical capabilities that most risk teams don't yet have: understanding how processes are performed and where they can genuinely break, working at the intersection of human decision-making and AI-enabled operations, and being able to materially change how processes are designed and controlled — both within the business and within risk management itself.

The profession needs people who can sit with a process owner, understand the operational reality, and co-design controls that actually work in practice. People who can evaluate how AI is changing process execution and what that means for the risk profile. People who see their role as improving outcomes, not filling in templates. That's the evolution — from framework guardian to outcome-focused operator.


The scams landscape is changing faster than the frameworks

Scam prevention in Australian financial services has moved from a reputational concern to a regulatory imperative. Mandatory scam prevention obligations mean institutions can no longer treat fraud and scams as purely a customer education problem. They need embedded, process-level controls that detect and disrupt scam activity in real time.

The challenge is that scam typologies evolve faster than traditional risk assessment cycles can keep up. This is where technology-enabled risk management becomes essential — not as a replacement for human judgement, but as a way to keep pace with threats that move at digital speed. Institutions getting ahead are building adaptive control frameworks: process-based assessments that update rapidly, monitoring that triggers on behavioural patterns, and governance that can approve control changes in days rather than quarters.
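The behavioural monitoring described above, shown as an added example that is not part of the original article and does not describe any particular institution's controls: a small Python monitor replays a constructed stream of customer events (payee created, contact details changed, payment made) and holds a payment only when several independent signals coincide. The event schema, the signal names, the sample events and the thresholds are all assumptions for illustration. The thresholds live in a data object rather than in the rule code, which is what lets a control change be reviewed and deployed as a parameter change rather than a rewrite.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# Hypothetical event schema (field names are assumptions for this example):
# one record per customer action, ordered or orderable by timestamp.
@dataclass(frozen=True)
class Event:
    ts: datetime
    customer: str
    kind: str            # "payment", "payee_added" or "contact_changed"
    payee: str = ""
    amount: float = 0.0


# Rule parameters kept as data, so tightening or loosening a control is a
# reviewed parameter change rather than a code change to the monitor.
@dataclass(frozen=True)
class Thresholds:
    new_payee_window: timedelta = timedelta(hours=24)
    contact_change_window: timedelta = timedelta(hours=48)
    amount_multiplier: float = 5.0   # flag amounts above this x the customer's median
    min_history: int = 3             # payments needed before the amount rule applies
    min_signals: int = 2             # independent signals required to hold a payment


def _within(now, then, window):
    """True when 'then' is known and falls inside 'window' before 'now'."""
    return then is not None and timedelta(0) <= now - then <= window


def assess(events, t=Thresholds()):
    """Replay events in time order; return the payments that trip at least
    t.min_signals behavioural signals, each with its reasons attached."""
    history = {}          # customer -> amounts of earlier payments
    payee_added = {}      # (customer, payee) -> when the payee was created
    contact_changed = {}  # customer -> last contact-detail change
    held = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "payee_added":
            payee_added[(e.customer, e.payee)] = e.ts
        elif e.kind == "contact_changed":
            contact_changed[e.customer] = e.ts
        elif e.kind == "payment":
            reasons = []
            if _within(e.ts, payee_added.get((e.customer, e.payee)), t.new_payee_window):
                reasons.append("payment to a payee added within the last %s" % t.new_payee_window)
            if _within(e.ts, contact_changed.get(e.customer), t.contact_change_window):
                reasons.append("contact details changed within the last %s" % t.contact_change_window)
            past = history.setdefault(e.customer, [])
            if len(past) >= t.min_history and e.amount > t.amount_multiplier * median(past):
                reasons.append("amount is more than %gx the customer's median payment" % t.amount_multiplier)
            past.append(e.amount)
            if len(reasons) >= t.min_signals:
                held.append({"customer": e.customer, "payee": e.payee,
                             "amount": e.amount, "reasons": reasons})
    return held


# Constructed sample stream (not real data).
_T = datetime(2025, 9, 1, 9, 0)
SAMPLE_EVENTS = [
    # Customer C1: a month of ordinary payments to an established payee...
    Event(_T - timedelta(days=31), "C1", "payment", "utility-co", 120.0),
    Event(_T - timedelta(days=24), "C1", "payment", "utility-co", 80.0),
    Event(_T - timedelta(days=17), "C1", "payment", "utility-co", 150.0),
    Event(_T - timedelta(days=10), "C1", "payment", "utility-co", 95.0),
    # ...then a contact change, a brand-new payee and a large payment within two hours
    Event(_T, "C1", "contact_changed"),
    Event(_T + timedelta(hours=1), "C1", "payee_added", "new-acct-7781"),
    Event(_T + timedelta(hours=2), "C1", "payment", "new-acct-7781", 4800.0),
    # Customer C2: a new payee followed by a small payment, nothing else unusual
    Event(_T + timedelta(hours=3), "C2", "payee_added", "friend-1"),
    Event(_T + timedelta(hours=4), "C2", "payment", "friend-1", 200.0),
]


if __name__ == "__main__":
    for h in assess(SAMPLE_EVENTS):
        print(h["customer"], h["payee"], h["amount"])
        for r in h["reasons"]:
            print("  -", r)
```

Requiring two signals rather than one is deliberate: a first payment to a new payee is ordinary behaviour on its own, and a monitor that holds every such payment generates the friction that pushes staff to override it. The signal that matters is the combination, and the thresholds are exactly the knobs a governance forum would be asked to approve when a new typology appears.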

