
Regulatory Resilience and the Tick-Box Trap

APRA CPS 230, DORA, and their cousins are the best thing to happen to operational resilience in a decade — and the easiest to misuse.

26 February 2026 · 7 min read

The new wave of operational resilience regulation — CPS 230 in Australia, DORA in Europe, the FCA's equivalents in the UK — finally drags continuity out of the basement and puts it in front of the board. That is a genuine victory. It is also, in the wrong hands, a fast track to a thicker compliance pack and a weaker organisation.

The mechanism is familiar. A regulator publishes a principles-based standard. A consulting firm publishes a maturity model against it. Internal audit publishes a control catalogue. Within eighteen months the original principles have been translated into 400 controls, each of which can be evidenced, none of which add up to a service that survives a Tuesday outage. The board sees green. The CRO sleeps. The CTO knows better.

The standards themselves are not the problem; they are unusually well-written. CPS 230's core idea — that an APRA-regulated entity must identify its critical operations, set tolerance levels for disruption, and prove it can stay within them — is exactly the right framing. The trap is treating tolerance levels as a documentation exercise rather than a system property that has to be engineered for and tested under load.

The way out is unglamorous. Pick the critical operations honestly, set tolerances that the executive would actually defend to a customer, and then spend most of the budget on the boring middle: third-party concentration risk, end-to-end testing across vendors, the playbooks that nobody likes writing. The pack will be thinner. The organisation will be stronger. The regulator, in my experience, will notice.

Gold · Regulation