24-09-2025

Are your vendors really CPS 230-ready?

The hidden risks you can't afford to ignore

How to turn doubt into board-level proof.

CPS 230 makes you accountable for critical operations delivered by every vendor you rely on, and every subcontractor in their chain. The board expects evidence, which is hard in practice, because dependencies run deep, evidence is scattered and contracts don’t always give you the rights to verify.
This guide shows how to turn vendor uncertainty into board-ready proof: five questions to ask, the evidence to collect, and a pragmatic plan to close gaps.

The shift CPS 230 creates

Most Australian financial institutions have solid continuity plans for their own systems. The tricky part is now outside your four walls. CPS 230 expects adequate controls across the partners who deliver or enable your critical operations. That means clear definitions of “material service providers”, tested tolerances (not just promises), visibility into fourth parties, and evidence you can defend at board level. In other words: your compliance is only as strong as your vendors.

Why vendor gaps derail sign-off

Where CPS 230 programmes stumble is rarely technical. It’s operational:

Contracts that don’t give you rights to see, test or assure.
Without audit/assurance clauses and clear notification timeframes, you can’t produce evidence when it matters.

Untested tolerances between you and the vendor.
Internal RTO/RPO targets are great—until a third party can’t meet them, or you’ve never rehearsed a joint failover.

Blind spots in the supply chain.
Fourth parties (your vendor’s vendors) are often where outages or breaches ripple from.

Evidence that isn’t board-ready.
Emails and scattered PDFs aren’t a resilience argument. You need a single view that ties vendors to critical operations, tolerances, testing and remediation.

The result? Delays to board sign-off, extra scrutiny, and time-consuming remediation plans, right when you need to be running the business.

5 questions to ask your vendors (and the evidence to request)

You’ve identified which providers are material. Next comes the conversation. Use the five questions below to structure those calls and follow-ups. For each one, ask for specific artefacts—attachable, dated, and owned—so you can file them in your supplier register and lift them straight into the board pack.

1) What part of our critical operations do you support?
And is that “material”? Board oversight starts with traceability from your process, to their service, to their dependencies. Ask for: a clear service scope, data flows, and a map of any subcontractors.

Quick example: You thought your “small” ETL tool was just reporting. Surprise: it feeds pricing used for same-day trades. That’s not “nice to have”; that’s material.

2) What resilience tolerances have you committed to?
And when did we last test them together? Your RTO/RPO are customer promises; they must align with the vendor’s targets and proven tests.
Ask for: documented RTO/RPO (or equivalent), recent test reports (table-top + technical), findings and remediation status.

Quick example:
You target one-hour recovery; the vendor’s last restore took four. Better to find that in a rehearsal than in production.

3) How do you manage your third/fourth parties?
CPS 230 accountability extends down the chain; a strong vendor can still mask a fragile fourth party that becomes your weakest link.
Ask for: supplier register, materiality criteria, substitution/approval process, and the audit/assurance rights they hold downstream.

Quick example:
“We host in the cloud” sounds robust, until you learn it’s a single region with no cross-region backup. One maintenance window later… hello, board questions.

4) How will you notify and escalate incidents that affect us?
Speed and clarity turn a bad day into a contained one. APRA and your board will ask who knew what, when, and what you did next.
Ask for: notification timelines, named roles (humans, not just shared inboxes), and an escalation playbook that matches your own incident framework.

Quick example:
“ASAP” isn’t a plan. “If a P1 affects you, we call your incident lead within 15 minutes and provide updates every 30 minutes until it’s resolved” is.

5) What’s our exit plan if you fail?
Resilience includes reversibility. Without tested portability and step-in/dual-run options, you’re stuck when you need flexibility most.
Ask for: data export format and timelines, runbook for reversibility, step-in/dual-run triggers, and commercial responsibilities.

Quick example:
It’s Friday 4:30pm and you need to switch. Can you actually pull your data today, stand up an alternative, and tell the board you’ve got it in hand? Or are you waiting on a mystery script “only Raj can run on Monday”?

If a vendor can’t provide these artefacts quickly, you’ve identified a CPS 230 risk, and a prioritised remediation action.

Recap: what good evidence looks like

Keep artefacts structured, dated, and owned.

Minimum set:
• Supplier register: named owner, link to critical operations, materiality rationale, fourth-party dependencies, RTO/RPO, last/next test, issues & actions.
• Testing: scenario, date & participants, results vs tolerances, gaps + remediation IDs, planned retest.
• Contract: audit/assurance, incident notification, data portability, exit/reversibility (Y/N), renewal date, re-paper triggers.
• Incident readiness: notification flow (named roles), timelines, escalation thresholds, pre-approved templates.

A Step-By-Step Plan to Vendor Evidence

Start small, move fast: don’t boil the ocean. Begin with your top 5-10 material providers tied to your most time-sensitive operations, get crisp evidence in place, then expand across the stack. The aim is simple: credible, board-ready proof that your vendors—and their fourth parties—meet your CPS 230 bar.

Step 1 — Set the ground rules
Define critical operations and materiality criteria, agree what “good evidence” looks like, and confirm sign-offs across Ops, Risk, Legal, Procurement and the business.

Step 2 — Build a single supplier register
List providers, link them to critical operations, note fourth-party dependencies and renewal dates/change triggers.

Step 3 — Standardise minimum contract clauses
Embed audit/assurance rights, testing/verification, incident notification SLAs, data portability and exit/reversibility. Prepare template addenda.

Step 4 — Run the 5-question evidence request
Send to all material providers, track responses centrally, assign owners and dates; turn refusals/partials into remediation items.

Step 5 — Score and prioritise
Use Green / Amber / Red for completeness, recency and quality. Prioritise Reds on critical operations; note interim controls.

Step 6 — Test with priority vendors
Table-top key scenarios; perform technical restores/failovers where feasible. Agree pass/fail criteria up front; log findings and owners.

Step 7 — Report to the board
Show coverage (critical operations → vendors → fourth parties), tolerances vs results, open risks and the remediation plan, with clear exceptions and dates.

Step 8 — Remediate and make it routine
Execute contract/service changes, rehearse escalations, and set a refresh cadence (e.g., quarterly evidence check, annual joint tests). Trigger reviews after major incidents or supplier changes.
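As an added illustration (not Alloq’s product code and not an APRA-prescribed method), the Python below scores each supplier-register entry Green / Amber / Red on completeness, recency and quality, and orders the Reds touching the most critical operations first. The field names, clause keys and the 90-day / 365-day thresholds are assumptions drawn from the minimum set and refresh cadence above.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Contract clauses from the article's "minimum set" (key names are assumptions).
REQUIRED_CLAUSES = ("audit_assurance", "incident_notification",
                    "data_portability", "exit_reversibility")

@dataclass
class SupplierRecord:
    name: str
    owner: str                          # named owner, not a shared inbox
    critical_operations: list[str]      # operations this vendor supports
    rto_hours: Optional[float]
    rpo_hours: Optional[float]
    last_test: Optional[str]            # ISO date of latest joint test, if any
    test_met_tolerance: Optional[bool]  # did that test meet RTO/RPO?
    clauses: dict[str, bool]            # clause name -> present in signed contract
    open_issues: int                    # findings without closed remediation

def missing_artefacts(r: SupplierRecord) -> list[str]:
    """Completeness: every artefact the register still lacks for this vendor."""
    gaps = []
    if not r.owner:
        gaps.append("owner")
    if r.rto_hours is None or r.rpo_hours is None:
        gaps.append("rto_rpo")
    if r.last_test is None:
        gaps.append("test_evidence")
    return gaps + [f"clause:{c}" for c in REQUIRED_CLAUSES if not r.clauses.get(c)]

def rag(r: SupplierRecord, as_of: str, refresh_days: int = 90, test_max_days: int = 365) -> str:
    """Green/Amber/Red on completeness, recency and quality (thresholds assumed from
    the article's cadence: quarterly evidence check, annual joint test)."""
    if missing_artefacts(r) or r.test_met_tolerance is False:
        return "Red"        # evidence gap, or a test that proved the tolerance unmet
    age = (date.fromisoformat(as_of) - date.fromisoformat(r.last_test)).days
    if age > test_max_days:
        return "Red"        # test evidence older than the annual cadence
    if age > refresh_days or r.open_issues:
        return "Amber"      # stale evidence, or remediation still open
    return "Green"

def prioritise(records: list[SupplierRecord], as_of: str) -> list[tuple[str, str]]:
    """Reds first; within a colour, vendors touching the most critical operations."""
    order = {"Red": 0, "Amber": 1, "Green": 2}
    ranked = sorted(records, key=lambda r: (order[rag(r, as_of)], -len(r.critical_operations)))
    return [(r.name, rag(r, as_of)) for r in ranked]
```

The output of `prioritise` is the ordering for the board pack: every Red is a remediation item, and the list shows at a glance which gaps sit on the most time-sensitive operations.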

A platform built for board-ready proof

Turning CPS 230 requirements into attachable, dated evidence across your vendor chain is the hard part; our solution Alloq makes it routine. Alloq is a cloud platform for automating and governing investment-operations workflows for asset managers and super funds. It’s built for auditability and operational resilience. Alloq supports CPS 230 compliance on two levels:

Organisational level:
At the organisation level, we’ve recently completed our annual ISAE 3402 Type II audit (SOC 1 Type II equivalent) and maintain documented oversight of our own third-party suppliers, so their controls can be explained and evidenced as well. We are also ISO 27001 certified, which means we follow a globally recognised information security framework to manage and protect data, ensure ICT resilience, and reduce cyber risk through ongoing risk assessments, controls, and continuous improvement.

Application level:
In the application, access is governed by roles and rights, with audit trails and a four-eyes approval pattern. Portfolio data sits in a single source of truth with automated links to your data warehouse, calculations are transparent via backtrace, and configuration is flexible enough to meet complex mandates.

What this gives you
These certifications and application features provide independent assurance of our operational reliability and digital resilience, enabling you to demonstrate strong third-party risk management and meet key CPS 230 obligations.

Contact Alloq today:

Experience the difference that true automation makes.