
RETHINKING RESILIENCE IN THE CPS 230 ERA
by
Erin Carroll, Consultant, Business Resilience and Cyber Risk, KPMG
Shruti Kamath, Consultant, Business Resilience, KPMG
Maryam Moradi, Consultant, Tech Risk & Cyber Consulting, KPMG
Sakshi Kishore, Associate Director, Tech Risk and Cyber Consulting, KPMG
Jay Hira, Cyber Director – Financial Services, KPMG
For years, flying the plane was the only thing that mattered. The flight path was a straight line, the engines were humming, systems stable, and our focus fixed on one thing: getting the aircraft from point A to point B. We were so good at the mechanics of the flight that we almost forgot about the people in the seats behind us.
But the new era of digital financial services has changed the flight plan entirely. With an astonishing 99.3 percent of banking interactions now happening through digital channels, the journey is no longer just about flying the aircraft; it’s about protecting every passenger, every step of the way.
This shift perfectly mirrors the new operational risk requirements outlined in APRA’s CPS 230. The standard, which came into effect on 1 July 2025, is like a new set of flight safety protocols. It expands our responsibility from the aircraft to the entire passenger experience, and it applies to a broad set of APRA-regulated financial services organisations, from banks to super funds to insurers.
The Australian Banking Association’s (ABA) Bank on It: Customer Trends 2025 report is our new flight manifest, revealing that our passengers’ priorities have fundamentally shifted. Today, customers care most about data security, fraud protection and privacy. This means our new flight plan must address a new kind of turbulence: the rising tide of scams and financial crime.
What’s striking is how resilience is being reframed, not as a defensive posture, but as a strategic differentiator. The financial institutions that can maintain service, protect data and adapt under pressure will retain trust. Resilience now means seamless digital experiences, secure platforms and the ability to pivot quickly when systems fail or threats emerge.
REDEFINING ‘MATERIAL DISRUPTION’
The old flight plan assumed that a major disruption was a system outage or a broken engine. But the modern journey faces a new, far more insidious form of disruption: a high-profile scam or data breach that can erode customer confidence in minutes. The ABA report highlights that phishing, identity theft and unauthorised transactions are becoming increasingly common.
Under CPS 230, a ‘material disruption’ is no longer measured only in terms of reputational damage; it is explicitly defined through the level of disruption to critical operations, the loss of data and the loss of service to customers.
This forces us to ask some provocative questions:
• How do we define ‘material disruption’ not just in terms of a system outage, but in the context of customer confidence?
• Should our resilience frameworks be prioritising the needs of our customers as much as the needs of the institution?
• Should we be thinking about ‘customer- and ecosystem-centric tolerance levels’ alongside our operational tolerance levels?
This is where the real ‘Aha!’ moment happens. Resilience isn’t just about recovery; it’s about reputation. No amount of backup systems can protect against a reputational crisis if customers feel their financial institution doesn’t have their best interests at heart. And in today’s environment, that includes safeguarding them from scams and financial crime.
THE NEW FLIGHT PLAN
CPS 230 is our new flight plan, and it compels us to be more than just pilots; we must become captains of trust. The standard provides a platform for us to go further and build resilience that is customer-centric and inclusive of the broader ecosystem.
The standard and its accompanying guidance reflect many aspects of better practice in operational risk management globally. APRA has given regulated entities more flexibility in how they achieve stronger resilience outcomes by applying a risk-based approach. The standard came into force on 1 July 2025. It’s worth remembering that non-significant financial institutions have an additional 12 months to comply with specific requirements related to business continuity and scenario analysis. This is more than just compliance; it’s about building a safer, more resilient journey for everyone on board.

PROTECTING THE JOURNEY, NOT JUST THE AIRCRAFT
The flight crews (financial institutions) that are leading the way aren’t just focused on compliance; they’re using CPS 230 as a catalyst to rethink their entire approach to the flight journey: operational risk, customer outcomes and the overall financial ecosystem. This is where we tie our proactive compliance efforts to the core themes of preparedness, resilience and effective service provider risk management.
This mission is twofold: protecting our passengers and safeguarding the entire financial ecosystem.
We can use our uplift in capabilities to:
• Elevate fraud detection. Strengthen fraud detection systems using advanced technologies like AI and machine learning to proactively spot threats and keep our passengers safe.
• Empower our passengers. Improve customer education about scams, ensuring our customers are equipped to recognise and avoid fraudulent activities.
• Coordinate with ground crew. Strengthen collaboration between banks, regulators and law enforcement to combat financial crime, much like coordinating with air traffic control to ensure a safe journey for all.
This is a fundamental shift in our role. We’re not just flying the aircraft; we’re safeguarding trust at every altitude. As we chart this new course, it’s clear that resilience in the CPS 230 era isn’t just about following a checklist; it’s about making deliberate choices at every stage of the journey. Choices that protect not only the aircraft, but every passenger on board, and the trust that keeps our industry flying.
PRE-FLIGHT CHECKS
Before take-off, regulated entities are expected to complete some key pre-flight checks to ensure resilience is operational, customer focused and inclusive of the financial ecosystem. This isn’t a checklist to pass an audit, but the foundation for being a captain of trust.
• Identify critical operations. These are the functions that, if disrupted, could materially impact customers or the financial system. CPS 230 sets a minimum list: for ADIs, payments, deposit-taking and management, custody, and settlements and clearing; for insurers, claims processing; for super funds, investment management and fund administration; and, for every regulated entity, customer enquiries together with the systems and infrastructure that support these operations. This is your essential operational footprint.
• Assess your material service providers (MSPs). Evaluate interdependencies, risk profiles and contingency plans. A chain is only as strong as its weakest link. We must know the strength of our ground crew.
• Set tolerance levels. Define appropriate tolerances for service disruptions and evaluate their impact on customers.
• Conduct scenario analysis. Simulate severe but plausible operational risk events to assess your capacity to adhere to established tolerance levels. We build resilience by learning from near-failures.
• Confirm governance accountability. Just as every flight has a captain and crew with defined responsibilities, CPS 230 makes it clear that the board is ultimately accountable for operational resilience, with senior management responsible for day-to-day execution and reporting. This governance structure ensures oversight and accountability at every level.
• Confirm incident notification protocols. Review processes to meet APRA’s requirements. Entities must notify APRA as soon as possible, and no later than 72 hours after becoming aware of an operational risk incident that is likely to have a material impact, and no later than 24 hours after a disruption to a critical operation takes it outside its tolerance level.
• Confirm organisation-wide alignment. Verify that CPS 230 requirements are consistently applied across all entities within the group, including risk frameworks, tolerance levels and governance structures.
CPS 230 isn’t just a compliance exercise; it is a chance to lead with trust and resilience. By embedding its principles into our organisations we move away from basic compliance checks to ensuring meaningful, risk-aware decisions that protect customers and the financial system.
This is our opportunity to not just fly safely, but to lead confidently into a more resilient financial future. Are we ready to chart our new flight plan and become the captains of trust?
www.linkedin.com/in/erinlouisecarroll www.linkedin.com/in/shruti-kamath www.linkedin.com/in/maryam-moradi-61133527b www.linkedin.com/in/sakshikishore www.linkedin.com/in/jayhira
