Home / Use cases / Operational risk

APRA

Operational risk reporting under CPS 230.

Output: CPS 230 incident register entry

Incident detection and classification with reviewable rationale, RTO/RPO mapping, and APRA-ready submission.

The scenario

Who: For APRA-supervised entities; most Fydis practices meet us through the advice and audit use cases. The scenario here is a Tier-2 ADI subject to CPS 230 from 1 July 2025.

The problem: Incidents are scattered across ServiceNow, Slack, on-call PagerDuty pages, and an ops Slack channel. Classification is inconsistent, and the board asks why severity numbers shift between reports.

Without Fydis

Manual roll-up by the risk team, inconsistent classification, board pack reflects narrative not data.

With Fydis

Each incident classified by rule, severity computed from policy, two-eyes sign-off logged, board pack regenerates from the trace.

What it produces

CPS 230 requires operational resilience evidenced through structured incident management. Fydis classifies operational incidents from event data, maps each to the relevant policy and severity rule, captures sign-off from named approvers, and produces the CPS 230 register entry. The board pack rolls up trend, severity distribution, and recovery-time performance from the same trace.

Verified output · APRA

Severity and recovery time for incident #4118?

Severity 2 · RTO 4h

Open · sign-off pendingCPS 230 §32
RetrieveServiceNow incident #4118 · 17 events
VerifyService-provider AWS-AP-SOUTHEAST-2
EvidencePending COO sign-off · escalation timer 4h
EvidenceRegister entry ready on sign-off

The analysis, step by step

  1. 01RetrieveEvents ingested from ServiceNow, PagerDuty, observability stack
  2. 02VerifyIncidents classified by policy rule (not LLM judgement)
  3. 03VerifySeverity computed from configurable rule library
  4. 04EvidenceRTO/RPO breach timer attached, escalation routed
  5. 05EvidenceCompliance officer or COO sign-off on submission-eligible incidents
  6. 06EvidenceCPS 230 register entry exported · APRA-ready pack on demand

Frequently asked

Does this replace our SIEM/incident management?

No. Fydis reads from your incident management of record and produces the CPS 230 artefact. Your SIEM stays your SIEM.

How are severity rules configured?

Per-customer policy library. We start from the APRA guidance and tune to your concentration profile and service catalogue.

Run this on your data.

The live demo runs this exact analysis on sandboxed data. Book a 30-minute briefing and we’ll show you the same chain on your data, your approval policy, and your regulator clause map.