Written by Peter Houlihan (IM Systems)

Familiarize yourself with these essential Ardoq solutions:

Organizations can leverage Ardoq to address regulatory requirements of the Australian Prudential Regulation Authority's (APRA) Cross-Industry Prudential Standard for Operational Risk Management (CPS230). CPS230 came into force for organizations subject to the standard on July 1, 2025.

Building on concepts from Ardoq Compliance Assurance, we provide a framework for assessing and managing compliance to CPS230 and addressing related operational risks. This guide explains how to model relationships between CPS230's regulatory requirements and existing enterprise architecture components including business capabilities, processes, applications, and other information types.

We ensure these components undergo assessment for business criticality (as defined by CPS230), receive risk assessments, establish control and reporting structures, and identify resilience requirements.

This guide offers a step-by-step approach (pattern) you can tailor to different organizational needs, enabling companies to integrate CPS230's requirements into their existing compliance assurance processes effectively.

Note: While this guide focuses on CPS230 due to its recent introduction, you can apply this approach to any regulatory standard with equal effectiveness.

To effectively implement CPS230 in Ardoq, develop a solid understanding of several key concepts and practices:

Essential Knowledge Areas:

These expertise areas form a comprehensive toolkit for successfully delivering CPS230 implementation in Ardoq.

Follow this high-level process to implement CPS230 support in your organization:

Ready-to-Use Model: We provide a working model of CPS230 requirements developed in conformance with the Compliance Assurance Ardoq Solution. Adopt these "as is" or review and model them to conform to your existing internal standards.

Business Capabilities as Foundation: We recommend using Business Capabilities as the principal concept for both planning and compliance assessment. However, we recognize many organizations either lack a widely recognized business capability model beyond the Enterprise Architecture team or have no agreed business capability model at all.

Alternative Approaches: We show how Organization Structure, Process or Functional Groupings, or your Conceptual Information Domain model can deliver similar results when business capability models aren't available.

This section explains the components and workspaces used in a CPS230 implementation. Ardoq introduces and defines these components in various Ardoq Solutions as described below.

Regulation Workspace: Create a separate workspace for each regulation implemented in Ardoq. Use the Information Artifact component type template to represent the CPS230 regulation in this workspace.

Assessment Workspace: Create a single workspace to hold all assessments. Model assessments using the Information Artifact component type template.

For assessments, create fields to track CPS230 Criticality and potential financial data being processed. Use these fields to generate reports, copy them to the subject component, and identify further actions.

Reference: Information Artifact component types are introduced and defined in the Architecture Records Ardoq Solution.

Use Category components to structure the Requirements that make up CPS230 and for categorizing assessments. Category components structure CPS230 requirements in a hierarchy of arbitrary depth, with leaf nodes being the component type organized within it.

Reference: The Category component type is described in How to use Categories in Ardoq.

A requirement represents a specific obligation your organization must meet in addressing CPS230 regulation. It may also belong to a broader collection of requirements or characteristics that belong to an information artifact, such as a policy, set of principles, or formal specification (e.g., NIST Cybersecurity Framework or ISO 25010 Quality Model).

Reference: Generic Regulation Compliance Metamodel

Ardoq defines a business capability as a logical activity or group of activities your organization performs. Unlike a business process, we define business capabilities by grouping activities that access or utilize a shared resource (like customer information) rather than in response to a particular trigger or event.

Capability Instance: Apply to Business and Technical Capabilities using the existing Capability component type with a field to indicate Atomic or Instance. Use a brief naming convention and instance workspace to suggest the component is an instance.

Reference: Patterns for Large Enterprise Guide

The Business Process component represents a series of interconnected activities or tasks that transform inputs into outputs, following a defined sequence and set of rules. It represents the operational flow of activities within your organization.

Reference: Business Process Management Metamodel

An application is the configuration of lower-level software or technology to provide specific business capability or technology capability, perform a defined task, or analyze particular information.

Reference: Application Lifecycle Management Metamodel

CPS230 (paragraph 25) states that "In managing technology risks, an APRA-regulated entity must monitor the age and health of its information assets and meet the requirements for information security in Prudential Standard CPS234 Information Security (CPS234)."

Under APRA's CPS230 and CPS234 standards, an Information Asset encompasses any information that has value to your organization and requires protection to maintain its confidentiality, integrity, and availability. These assets include both the information itself and the systems, processes, and infrastructure that store, process, or transmit that information.

Implementation: Use the Workspace Information Assets holding Information Asset components as your Information Asset register. Categorize Information Assets according to Information Domains.

An organization represents the top-level component of your organization and other organizations forming part of your broader ecosystem, such as partners.

Organizational Units decompose into business units, departments, sub-organizations, committees, teams, and groups to enable organizational hierarchy creation. Document both structural (hierarchical) and functional entities within your organization using the Organizational Unit component.

Reference: Organizational Modeling Metamodel

Create a separate workspace to hold External Organizations, particularly organizations considered Material Service Providers as defined in CPS230.

Model CPS230 requirements as 'Requirement' component types in the CPS230 Workspace. We provide an Excel template containing our analysis of CPS230 requirements to assist with importing regulation requirements. Review these requirements to ensure they meet your organization's understanding.

Implementation Steps:

Integrate CPS230 regulation requirements into existing organizational standards, frameworks, and internal controls, including external frameworks like AS ISO 31000 (Risk Management), AS ISO/IEC 27001 (Information security management), or ITIL.

Integration Steps:

Create and configure an assessment workspace in Ardoq, including setting up a 'CPS230 Capability Assessment' to evaluate individual business capabilities. This process includes setting up fields to capture relevant data, establishing relationships between regulatory requirements and assessed capabilities, and using tools like surveys and scripts to manage and analyze assessment results.

Assessment Implementation:

For simplicity, we refer to the Processes, Applications, Information Assets, and Organizational structures that realize a Business Capability as the Capability Ecosystem.

To prioritize effort effectively, understand which Ecosystem parts directly support CPS230 Critical Business Capabilities. For CPS230 critical capabilities, assess all supporting Ecosystem parts that enable those capabilities within your organization.

Ecosystem Assessment Steps:

CPS230 defines a Material Service Provider as:

"Material service providers are those on which the entity relies to undertake a critical operation or that expose it to material operational risk."

Our model interprets Material Service Providers as entities external to your organization that provide:

Material Service Provider Implementation:

Conducting CPS230 Vendor Assessments:

While Ardoq doesn't directly address incident management, you may already have an ITSM process for incident management and response. Use Ardoq to manage your processes and model processes relevant to your organization in this area.

Following Ardoq's business process management solution guidance, create each process relevant to your organization to demonstrate to external auditors how you realize your incident management process.

ITSM Integration Benefits:

While Ardoq doesn't directly address application resilience testing or business continuity plan production, you can easily manage documentation for these efforts and create groups to report on current resilience test status and business continuity plan existence.

Expand Application Component Fields:

Use broadcasts to notify application owners annually to review and conduct resilience tests and update business continuity plans as necessary.

CPS230 highlights the need to report internal and external information related to critical incidents, threats, and vulnerabilities.

External Reporting: Compile External Incident Reports in Ardoq including organizational impact and information relating to connected components' capabilities, applications, and vendors specific to incidents. Create reports and presentations to share with external regulators.

Internal Reporting: Compile Internal Incident Reports in Ardoq including organizational impact and details about capabilities, applications, and vendors connected to incidents. Create reports and presentations to share with internal stakeholders.

Process Documentation: Model internal and external information-sharing processes within your organization to demonstrate how your organization shares or will share information as necessary demands require.

Note: Ardoq recommends tracking threats and vulnerabilities in other systems and summarizing them in Ardoq.

We recommend using Business Capabilities as the principal concept for both planning and compliance assessment. However, we recognize many organizations either lack a business capability model widely recognized beyond the Enterprise Architecture team or have no agreed business capability model at all.

You can use Organization Structure, Process or Functional Groupings, or your Conceptual Information Domain model as the organizing principle to deliver similar results with minor modifications.

Strategic Alignment: CPS230 emphasizes operational resilience from a strategic perspective. Business capabilities represent what your organization needs to be able to do to deliver value to customers and stakeholders, directly aligning with the standard's focus on maintaining critical operations during disruption.

Risk-Based Approach: The standard requires entities to identify and manage operational risks that could materially impact business operations. Business capabilities provide a higher-level view helping identify dependencies and single points of failure across multiple processes supporting the same capability.

Service Delivery Focus: CPS230 fundamentally ensures continuity of service delivery to customers. Business capabilities map more naturally to customer-facing services and outcomes, while processes are often internal and fragmented across different organizational silos.

Tolerance Setting: The standard requires setting operational risk tolerances. Define these more meaningfully at the capability level (e.g., "ability to process customer payments") rather than at granular process or application levels.

If you're a process-oriented organization, use the process hierarchy you've already documented or a common model such as APQC to act as your Business Capability equivalent. Create references to Applications and Information Assets to represent the "Realized By" relationship in our metamodel.

Many organizations have an existing Information or Data Domain model and conceptual data model. Use this as a proxy for Business Capability (if you're adhering to the Business Architecture Guild approach to Business Capability modeling, there may be 1-to-1 alignment). Then follow the guide as above.

Many organizations have structures that are functionally or capability-aligned. If no other architectural models are available, use Organization Structure as a proxy for a Business Capability model to implement this guide in Ardoq. Keep the lowest organization levels as process or service equivalents and use Application to Organizational Unit ownership to represent "Is Supported By" in our CPS230 metamodel.

CPS230 requirements imply maintaining several information registers. The metamodel presented above allows us to identify and manage three of these registers (Operational Risk, Critical Operations, Material Service Provider, and Information Asset Register). You can extend the solution to include management of all registers required by CPS230 for compliance if these aren't already managed elsewhere.

Maintaining these items as formal organizational registers implies: