The Australian Prudential Regulation Authority (APRA) is set to introduce new prudential standards, including CPS 230 Operational Risk Management (CPS 230), which will impact APRA-regulated entities across the banking, insurance, and superannuation industries. These new regulations aim to strengthen operational resilience and ensure that entities can effectively manage operational risks. The new standard will commence from July 1, 2025.

What does this mean for Salesforce customers? In essence, having just a backup of Salesforce data is no longer enough. 

The mandate was that organisations had to demonstrate they could recover from disruptions. Under this new standard, regulated entities will now need to demonstrate they can recover data, and quickly, from disruptions in a world where black swan incidents are all too common. 

Now, you must prove your recovery plan.

This high standard of operational resilience has always been Odaseva’s approach. If Salesforce is essential to delivering services to your enterprise’s customers, Odaseva’s technology and expertise secures and protects your critical Salesforce data. 

The 10 reasons proving your recovery plan helps achieve compliance with CPS 230

Here are 10 reasons that a proven, field-tested Salesforce data recovery plan is essential for compliance with CPS 230:

1. Operational Resilience: CPS 230 emphasises the importance of an entity’s ability to withstand operational disruptions. A Salesforce data recovery plan is a critical component of this resilience, as it sets out the processes for restoring services following a disruption.
2. Business Continuity Management: The standard requires that entities must have a business continuity plan that includes strategies to recover and resume business operations. This recovery plan must be commensurate with the size and complexity of the entity and the nature and scale of its operations.
3. Impact Tolerance: Under CPS 230, entities need to set impact tolerances for disruption to critical business services. The recovery plan should be designed to restore these services before exceeding the set impact tolerances to ensure that they stay within acceptable levels of disruption.
4. Testing and Scenario Planning: The standard mandates regular testing and scenario planning to ensure recovery strategies are effective and feasible. A Salesforce data recovery plan is not just a document, but a tested and validated approach to handling incidents.
5. Information Security: CPS 230 (alongside CPS 234) highlights the need for information security as a part of managing operational risk. The recovery plan plays an important role here by ensuring that data can be securely restored, and that the integrity and confidentiality of information are maintained during a recovery process. 
6. Third-party Dependencies: For entities reliant on third-party providers like Salesforce, CPS 230 requires the management of risks associated with these relationships. Recovery plans should account for, and detail, the processes involving third parties in the recovery of operations and services.
7. Governance: The standard outlines that the board and senior management are responsible for ensuring that the entity maintains a sound operational risk management and governance framework. Part of this framework is having a credible and comprehensive recovery plan that the board is confident in.
8. Clarity: The standard emphasises the importance of defining roles, especially the relationship between the board and senior management. But practically, when a disruption happens, who’s responsible for putting Humpty Dumpty back together again? 
9. Audit and Review: Regular review and auditing of the operational risk management framework, including recovery plans, are required to ensure its ongoing appropriateness and effectiveness.
10. Managing Technology Risk: An APRA-regulated entity must monitor the age and health of its information assets and meet the requirements for information security in Prudential Standard CPS 234 Information Security (CPS 234). 

Odaseva: your partner in CPS 230 compliance

Odaseva has a proven track record of helping companies achieve compliance with complex regulatory requirements. Our Prove Your Recovery Plan approach can help you:

• Develop a comprehensive and compliant Salesforce data recovery plan that aligns with CPS 230 requirements
• Effectively test and validate your recovery plan to ensure its effectiveness
• Integrate your recovery plan into your broader operational risk management framework
• Provide ongoing support and guidance to help you stay up-to-date with changing regulations
• Gain an experienced partner that will work with you to provide the board and senior managers confidence that their current and projected Salesforce risks are understood and controls are in place to ensure operational resilience and data security

Contact us today to learn more

To learn more about how Odaseva can help you achieve elements of CPS 230 compliance, contact us today. We help you assess your current compliance status and discuss how our solutions can help you meet regulatory requirements.