Operational Resilience¶
| Domain ID | D09 |
| Owner | Chief Technology Officer / Chief Operating Officer |
| Jurisdiction | NZ + AU |
| Applicability | Platform — The platform IS the resilience service delivered to tenants. BCP, DR, incident management, and change management underpin the service level commitments the SaaS provider makes to Track 2 tenants. |
Business continuity, disaster recovery, incident management, and third-party resilience.
CPS 230 key requirements (AU)¶
APRA CPS 230 (effective 1 July 2025): Board must approve tolerance levels for disruption to critical operations. Annual operational resilience testing. Notification to APRA within 24 hours of a material incident. Register of critical service providers reviewed annually.
Policies¶
| Code | Policy name | Status |
|---|---|---|
| OPS-001 | Business Continuity Policy | Draft |
| OPS-002 | Disaster Recovery Policy | Draft |
| OPS-003 | Incident Management Policy | Draft |
| OPS-004 | Operational Risk Policy | Draft |
| OPS-005 | Third-Party & Critical Service Provider Policy | Draft |
| OPS-006 | Change Management Policy | Draft |
Policies in this domain¶
| Code | Title | Status | Owner |
|---|---|---|---|
| OPS-001 | Business Continuity Policy | Draft | Chief Operating Officer |
| OPS-002 | Disaster Recovery Policy | Draft | Chief Technology Officer |
| OPS-003 | Incident Management Policy | Draft | Chief Technology Officer |
| OPS-004 | Operational Risk Policy | Draft | Chief Risk Officer |
| OPS-005 | Third-Party & Critical Service Provider Policy | Draft | Chief Risk Officer |
| OPS-006 | Change Management Policy | Draft | Chief Technology Officer |
| OPS-007 | Financial Processing Resilience & Idempotency Policy | Draft | Chief Risk Officer |
Compiled 2026-05-22 from source/entities/risk-domains/D09.yaml