
CPS 230: Why Bank Boards Focus on Supply Chain Resilience

Written by: Trace Insights
Publish Date: Feb 2026
Topic Tag: Resilience and Risk Management

Ready to turn insight into action?

We help organisations transform ideas into measurable results with strategies that work in the real world. Let’s talk about how we can solve your most complex supply chain challenges.


CPS 230 and Why Bank Boards Are Now Thinking About Supply Chain Resilience

There’s a moment that keeps popping up in board and executive discussions across Australian financial services.

It’s not the usual operational risk slide: red/amber/green dots, a few KRIs, and a reassuring note that “BCP testing is on track”. It’s a more pointed question, often asked after a headline, an outage, or a close-call inside the business:

“If that supplier failed tomorrow… what would we actually do on day one?”

For years, many organisations treated operational resilience as a combination of IT disaster recovery, a business continuity plan, and a set of vendor questionnaires. That era is ending. APRA’s CPS 230 makes it clear that operational risk and resilience are board-accountability issues, and that material service provider dependencies need to be understood and managed continuously.

And here’s the twist: once you take CPS 230 seriously, you quickly realise it’s not only about internal controls. It’s about the service chains you rely on—including the ones that don’t look like supply chains at first glance.

In banking, “supply chain resilience” isn’t just cards and terminals. It’s cloud hosting, payments rails, telecoms, data providers, identity services, outsourced operations, cash distribution, property services, and specialist partners. Some of these are digital. Some are physical. Many are both.

Which brings us to the most tangible example of all: cash.

CPS 230: why it changes the board conversation

CPS 230 is APRA’s prudential standard designed to lift operational risk management and improve operational resilience across APRA-regulated entities. While every organisation will interpret and implement CPS 230 slightly differently, several themes are driving common board-level questions.

1) Critical operations and tolerance thinking

CPS 230 pushes organisations to define what must keep running (critical operations) and to be explicit about how much disruption is acceptable (tolerances). This forces clarity: what services matter most, for whom, and under what scenarios?

Boards are increasingly wary of vague definitions like “critical system” or “important process”. They want to see the customer and community impact, the regulatory impact, and the practical operational thresholds that define success under pressure.

2) Material service providers become a first-class risk topic

It’s no longer enough to have a supplier register and an annual risk review. Boards now want to understand:

  • which suppliers are genuinely “material” (and why)
  • what concentration risks exist (including market structure constraints)
  • how exposed the organisation is to the supplier’s own vulnerabilities
  • what realistic exit, substitution, or transition pathways exist

3) Resilience is not just “BCP”

Many banks already have strong business continuity and risk management programs. The shift is that supply chain resilience is not a substitute for BCP—it’s the precursor. If you can’t anticipate and quantify upstream risks, you end up relying on heroic recovery efforts and improvised decisions during incidents.

Put simply: BCP is the response playbook. Supply chain resilience is the set of design choices that makes the playbook workable.

4) Evidence beats comfort

Boards are moving away from “paper confidence”. They’re looking for credible evidence:

  • scenario tests that include material suppliers
  • operational walkthroughs that reflect how services really run
  • practical playbooks that can be executed under pressure
  • governance rhythms that surface issues early, not months after the fact

CPS 230 is pushing resilience out of the “assurance” corner and into strategy, operations, procurement, and supplier management.

“Supply chain” in a bank: it’s bigger than people think

When most people hear “supply chain”, they picture trucks, pallets, warehouses, and ports.

Banks do have physical supply chains (including cash), but they also run non-physical supply chains: flows of data, decisions, outsourced processing, and digital services.

A practical way to frame it is:

Physical supply chains in banks

  • branches and offices (facilities management, security, maintenance)
  • ATMs and cash devices (procurement, servicing, replenishment, repair)
  • cash logistics (cash-in-transit providers moving notes and coin between sites)
  • physical documents and mail (secure print and distribution where still required)
  • equipment and hardware (POS terminals, office equipment, on-site infrastructure)

Non-physical (digital and service) supply chains in banks

  • core banking and payments platforms
  • cloud and infrastructure services
  • telecommunications and networks
  • customer channels (digital banking and authentication services)
  • risk, KYC and AML services
  • business process outsourcing and contact centres
  • cybersecurity services and incident response partners
  • data and analytics providers

CPS 230 doesn’t care whether the dependency is a truck route or a software API. If it affects a critical operation, it matters.

And few dependencies are as easy to explain to a board as cash: it is physical, it is time-sensitive, it is geographically dispersed, and—crucially—it has become structurally fragile as volumes decline.

The cash supply chain: the resilience lesson hiding in plain sight

Even in a “digital-first” economy, cash remains part of the Australian payments ecosystem. It also remains a crucial contingency option during outages and disasters.

At a high level, the cash supply chain includes:

  1. issuance and wholesale distribution settings
  2. cash-in-transit logistics (transport, processing, secure storage, replenishment)
  3. distribution endpoints (branches, ATMs, retail cash-outs, business deposits)
  4. customer access and acceptance (consumers and merchants, including essential services)

What boards are noticing is not that cash exists—but that the system supporting it has shifted into a new risk posture.

Concentration risk and single points of failure

Australia’s cash distribution ecosystem has consolidated significantly over time. That makes the network more efficient—right up until it becomes fragile. When there are fewer providers, fewer processing sites, and tighter route density, the system can become vulnerable to a small number of failure points.

The Armaguard example: when a supply chain becomes economically brittle

The recent public attention on Armaguard and cash transport challenges has brought a complex resilience issue into plain view: as cash volumes decline, the unit cost of running a national cash logistics network rises, and the commercial model becomes harder to sustain.

For bank boards, this is a textbook CPS 230 scenario:

  • a critical service chain is delivered by a small number of providers
  • the ecosystem is under economic pressure
  • disruption would have customer and reputational impacts quickly
  • the ability to substitute is constrained by market realities and geographic coverage

This isn’t just a “supplier issue”. It’s a system-level resilience issue—exactly the kind of dependency CPS 230 forces organisations to confront.

Declining cash volumes increase fragility

The cash system is expensive to maintain. As usage falls, it becomes more expensive to store, process, and distribute cash—yet it still needs to be available when people need it, particularly in regional areas and during disruption events.

This creates an uncomfortable loop:

  • lower volumes → higher unit costs
  • higher costs → pressure on pricing and service levels
  • service pressure → reduced coverage or network changes
  • reduced coverage → higher disruption risk and equity concerns

Boards don’t need to be “pro-cash” to recognise the point: cash is a highly visible example of a critical service chain becoming brittle because the underlying operating model is under strain.

Why this matters to bank boards (even if the strategy is “less cash”)

A common misconception is: “Cash is declining, so it’s not strategic.”

Boards are landing on a more realistic view:

1) Cash is still a contingency mechanism

When digital channels fail—outages, cyber events, natural disasters—cash becomes the fallback. A resilient organisation plans for the times when the normal way of operating stops working.

2) Cash access has reputational weight

If customers can’t access cash when they need it, they don’t blame a subcontractor. They blame the bank. That’s a board-level risk—particularly when it affects vulnerable communities or regional areas.

3) Cash disruption is a proxy for broader supplier fragility

Once you see how quickly a physical network can become fragile, you start asking the harder questions:

  • what happens if a telco outage disrupts payment routing?
  • what happens if a cloud region has a prolonged outage?
  • what happens if a key identity provider is compromised?
  • what happens if a major outsourced operations partner fails?

CPS 230 effectively forces these questions to be answered with evidence, not assumptions.

CPS 230 turns supplier management into resilience engineering

Here’s the practical shift we’re seeing in mature organisations.

The old approach: assurance-driven supplier risk

  • annual reviews and questionnaires
  • generic BCP attestations
  • contracts focused on commercial terms, not operational outcomes
  • vendor lists with limited dependency mapping

The new approach: resilience-by-design across service chains

Resilience is engineered into the operating model through practical principles like:

  • designing procurement and contracts so they withstand shocks by default
  • reducing single points of failure through diversification and substitution options
  • contracting for capacity and surge, not just price
  • building real-time performance visibility (and incident data) to detect issues early
  • joint planning with suppliers to avoid surprises and test scenarios
  • clear incident response and transition paths embedded into contracts

This is what boards mean when they ask for “resilience”—not a bigger spreadsheet, but a system that holds together when normal conditions disappear.

What “good” looks like under CPS 230: a practical checklist

If you’re trying to make CPS 230 real—beyond compliance—this is what we recommend boards and executives look for.

1) A clear critical operations map (not a generic service catalogue)

  • defined critical operations with clear customer and regulatory impacts
  • tolerances stated in operational terms (time, volume, geographic impact)
  • known upstream and downstream dependencies

2) End-to-end service chain mapping for each critical operation

This is where supply chain methods matter. You map:

  • process steps and handoffs
  • systems and data flows
  • third parties and subcontractors (including fourth parties where relevant)
  • physical dependencies (sites, secure facilities, routes, capacity constraints)
  • geographic concentration and single points of failure

3) A material service provider framework that matches reality

A practical framework aligns to:

  • critical operation impact
  • substitutability and switching time
  • concentration and market structure
  • financial viability signals
  • operational fragility signals (labour constraints, capacity, site risk)

4) Contracting that supports resilience

Not legal advice—just what we see working in practice:

  • clear service outcomes linked to tolerances
  • incident notification and coordination obligations
  • joint testing obligations (including scenario exercises)
  • transparency on subcontracting and fourth-party reliance
  • practical exit and transition mechanisms

5) Scenario testing that includes suppliers

If a scenario can’t be executed with material suppliers involved, it’s not a resilience test—it’s theatre. The best programs run at least one “hard” scenario per critical operation each year, with clear remediation actions and owners.

6) Board-ready resilience reporting that shows leading indicators

Boards don’t need 40 metrics. They need the few that matter:

  • tolerance exposure by critical operation
  • material supplier concentration risk
  • substitution readiness (time-to-switch by dependency)
  • scenario test outcomes and remediation burn-down
  • known “red zones” where tolerances can’t be met today

The Armaguard lesson, applied: the questions boards are really asking about cash

Let’s translate the cash example into the most common CPS 230 board questions.

“If cash logistics services degraded, how quickly would we feel it?”

  • ATM replenishment impacts
  • branch cash service impacts
  • business customer impacts (retail, hospitality, venues)
  • regional access impacts
  • escalation, communications, and complaint impacts

“Do we have alternatives—or just assumptions?”

  • can volume be shifted between processing sites?
  • are there viable alternatives in all regions?
  • what is the realistic switching time for routes, secure storage, and processing?
  • what contractual levers exist to prioritise critical routes?

“What is our role in system-wide resilience?”

Some resilience challenges can’t be solved by one organisation acting alone. Where the ecosystem is fragile, coordinated planning, commercial realism, and shared contingency arrangements may be required to ensure continuity of critical services.

How Trace Consultants can help: turning CPS 230 into operational reality

Trace works with organisations to turn CPS 230 requirements into practical, defensible resilience capability—without losing sight of day-to-day operational realities.

1) Critical operations and tolerance design (board-ready and operationally usable)

We help define critical operations and tolerances in a way that is meaningful to operational leaders, risk, and boards—grounded in how services actually run.

2) End-to-end dependency mapping (including third and fourth parties where needed)

We map what must work across:

  • process steps and handoffs
  • systems and data
  • third-party and subcontractor dependencies
  • physical nodes (sites, secure areas, transport routes)
  • geographic concentration

This work typically surfaces the biggest “unknown unknowns” early—before an incident does it for you.

3) Material service provider segmentation and risk uplift

We support segmentation based on materiality and resilience impact, then help prioritise:

  • concentration risks
  • switching constraints
  • contract gaps
  • performance and incident trends
  • supplier financial and operational fragility signals

4) Resilience-by-design remediation roadmap

Resilience uplift is usually a combination of:

  • operating model improvements
  • process redesign
  • supplier governance rhythms
  • contractual changes
  • capacity and contingency strategies (where relevant)
  • targeted technology uplift to improve visibility and early warning

The goal isn’t perfection. It’s removing single points of failure and improving time-to-recover against tolerances.

5) Scenario testing and playbooks operators can execute

We design and run exercises that include third parties and produce tangible outputs:

  • first-4-hours playbooks
  • escalation pathways and decision rights
  • comms templates and triggers
  • remediation actions that get funded and delivered

6) Implementation support so the change sticks

CPS 230 uplift spans risk, operations, technology, procurement, and business lines. We provide structured delivery support, governance, and practical program rhythms to turn recommendations into embedded capability.

A practical starting point: three actions that shift the conversation fast

If you’re staring at CPS 230 thinking, “Where do we begin?”, these three steps create momentum quickly:

1) Pick one critical operation and map it end-to-end

Choose something dependency-heavy and board-visible: payments, authentication, or cash services. A proper map will surface material dependencies and single points of failure quickly.

2) Run one “hard” scenario with at least one material supplier involved

Not a gentle tabletop. A scenario that reveals real switching constraints, real comms friction, and real decisions.

3) Build a one-page board view

Show tolerances, current exposure, top dependencies, and the remediation roadmap. Boards don’t need more pages—they need more clarity.

The bigger point: CPS 230 is making resilience a competitive capability

There’s a quiet upside to CPS 230 that doesn’t get enough airtime.

When you genuinely understand your service chains, you don’t just reduce risk—you improve performance:

  • fewer incidents and faster recovery
  • clearer supplier accountability
  • more reliable customer service
  • better investment decisions
  • less surprise work and fewer “hero moments” during disruption

In a world where disruption is normal, that’s not just compliance.

That’s capability.

FAQ

Is CPS 230 only about IT and cyber?

No. CPS 230 covers operational risk broadly, including dependencies on material service providers and the resilience of critical operations—digital and physical.

Why are boards talking about supply chain resilience now?

Because CPS 230 forces organisations to understand end-to-end dependencies. In banking, many critical operations rely on external service chains, not just internal systems.

Why is the cash supply chain relevant?

Cash distribution is a tangible example of concentration risk, ecosystem fragility, and substitution constraints—exactly the kinds of resilience challenges CPS 230 requires organisations to manage.

What if we already have strong BCP?

Keep it—but broaden it. Business continuity is necessary, but resilience requires mapping dependencies, testing third-party involvement, and building realistic substitution options.

How can Trace help without turning this into a massive program?

We typically start with a focused critical operation, build an end-to-end dependency map, run one meaningful scenario, and create a board-ready roadmap. From there, you scale based on risk and materiality.
