Third-party risks are no longer someone else’s fault

Australian finance sector organisations will soon have to demonstrate oversight of their service providers’ risk management practices, providing a level of transparency now considered critical in an increasingly technologically complex and digitally interconnected world. Coming into force on July 1, 2025, APRA’s CPS 230 rule will make finance sector companies responsible for their own operational resilience and require a lot more reporting, notification and monitoring of third-party service providers, says University of NSW marketing school head Professor Maggie Chuoyan Dong.

“Right now, it’s not that transparent,” she says. “Usually, the suppliers are not visible to the regulators, so that certainly adds to the risks.”

The standard requires APRA-regulated entities to “effectively manage the risks associated with service providers, with a comprehensive service provider management policy, formal agreements and robust monitoring”.

It essentially means “third-party risks are no longer someone else’s fault”, says Ahead of the curve: the challenges and opportunities of shifting to proactive operational resilience, a new white paper by AFR Intelligence in partnership with PagerDuty.

“While Australia’s new resilience regulations may only apply to APRA-regulated companies, in practice they will have knock-on effects for vendors throughout the value chain by focusing on a common source of operational risk: third-party service providers,” the white paper says.

It notes that entities are also expected to conduct regular testing to assess and monitor service providers’ risk levels, and that these frameworks should be formalised in policies governing how the entities engage with third parties.

Businesses and consumers rely on third-party vendors at almost every point in the value chain, and it can be difficult and time-consuming to disentangle all the interconnected risks.

To provide a quick fix, according to the paper, Webjet OTA created a “circuit breaker” that automatically cuts a supplier off from its main tech stack if the supplier goes offline.

“After it trips, it will automatically re-engage our supplier to see if things have been resolved,” says Webjet chief technology officer Shashank Kaul in the white paper.

“If it happens again and again, we’ll get a signal to reach out to the provider’s support team to fix the issue properly.” He adds the circuit breaker was designed with an automated approach to reduce the burden on in-house IT staff.
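The mechanism Kaul describes is the classic circuit-breaker pattern: cut the supplier off after repeated failures, fail fast while it is cut off, let a single probe call through once a timeout has elapsed to see whether the supplier has recovered, and raise a signal for humans only when the breaker keeps tripping. The Python below is an added illustration of that pattern, not Webjet’s code; the thresholds, the fake clock and the flapping-supplier scenario are all constructed for the example.

```python
"""Supplier circuit breaker: trips when a third-party call keeps failing,
fails fast while tripped, re-probes after a timeout, and records an escalation
signal when the supplier keeps tripping. Constructed example, not Webjet code."""
import time
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Tuple


class State(Enum):
    CLOSED = "closed"        # supplier engaged; calls flow through normally
    OPEN = "open"            # tripped: supplier cut off, callers fail fast
    HALF_OPEN = "half_open"  # re-engaging: exactly one probe call is let through


class SupplierUnavailable(Exception):
    """Raised to callers while the breaker is open, without touching the supplier."""


@dataclass
class CircuitBreaker:
    failure_threshold: int = 3           # consecutive failures that trip the breaker
    recovery_timeout: float = 30.0       # seconds to wait before re-engaging (probing)
    trip_alert_threshold: int = 3        # trips inside trip_window that trigger escalation
    trip_window: float = 600.0           # seconds over which repeated trips are counted
    clock: Callable[[], float] = time.monotonic  # injectable so the scenario runs instantly
    state: State = State.CLOSED
    consecutive_failures: int = 0
    opened_at: float = 0.0
    trip_times: List[float] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)

    def call(self, supplier_fn: Callable, *args, **kwargs):
        """Invoke the supplier through the breaker; supplier exceptions propagate."""
        if self.state is State.OPEN:
            if self.clock() - self.opened_at < self.recovery_timeout:
                raise SupplierUnavailable("breaker open: supplier cut off")
            self.state = State.HALF_OPEN  # timeout elapsed: allow one probe call
        try:
            result = supplier_fn(*args, **kwargs)
        except Exception:
            self._on_failure()
            raise
        self._on_success()
        return result

    def _on_success(self) -> None:
        self.consecutive_failures = 0
        self.state = State.CLOSED  # normal call or successful probe: supplier re-engaged

    def _on_failure(self) -> None:
        if self.state is State.HALF_OPEN:
            self._trip()  # probe failed: cut the supplier off again
            return
        self.consecutive_failures += 1
        if self.consecutive_failures >= self.failure_threshold:
            self._trip()

    def _trip(self) -> None:
        now = self.clock()
        self.state = State.OPEN
        self.opened_at = now
        self.consecutive_failures = 0
        # Keep only trips inside the window, so a long-lived breaker does not alert forever.
        self.trip_times = [t for t in self.trip_times if now - t <= self.trip_window] + [now]
        if len(self.trip_times) >= self.trip_alert_threshold:
            self.alerts.append(f"supplier tripped {len(self.trip_times)} times in "
                               f"{self.trip_window:.0f}s; escalate to provider support")


class FakeClock:
    """Deterministic clock for the constructed scenario."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def run_scenario() -> Tuple[List[Tuple[str, str, str]], CircuitBreaker]:
    """Constructed scenario: supplier fails 3 times, is cut off, fails its first
    probe (second trip -> escalation), then recovers on the second probe."""
    clock = FakeClock()
    breaker = CircuitBreaker(failure_threshold=3, recovery_timeout=30.0,
                             trip_alert_threshold=2, clock=clock)
    outcomes = iter([False, False, False, False, True])  # constructed supplier responses

    def supplier() -> str:
        if not next(outcomes):
            raise ConnectionError("supplier offline")
        return "availability payload"

    timeline: List[Tuple[str, str, str]] = []

    def attempt(label: str) -> None:
        try:
            breaker.call(supplier)
            timeline.append((label, "ok", breaker.state.value))
        except SupplierUnavailable:
            timeline.append((label, "fast-fail", breaker.state.value))
        except ConnectionError:
            timeline.append((label, "error", breaker.state.value))

    for i in range(4):
        attempt(f"t0-{i}")   # three failures trip the breaker; the fourth fails fast
    clock.advance(30)
    attempt("t30")           # first probe fails: second trip, escalation recorded
    clock.advance(30)
    attempt("t60")           # second probe succeeds: supplier re-engaged
    return timeline, breaker


if __name__ == "__main__":
    events, cb = run_scenario()
    for event in events:
        print(event)
    print(cb.alerts)
```

The fast-fail path is what reduces the burden on in-house staff: while the breaker is open, callers get an immediate `SupplierUnavailable` instead of hanging on timeouts, and nobody is paged until the supplier has tripped repeatedly inside the window. In production the `alerts` list would be replaced by whatever paging or ticketing hook the organisation uses.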

For her part, Dong says it is widely agreed the private sector needs to be better prepared for disruptions by establishing processes to enable organisations to recover quickly when they occur.

The public has demanded increased accountability following multiple massive data breaches in Australia and internationally, yet achieving the level of supply chain transparency that CPS 230 requires will be challenging.

“It is ideal to have a transparent supply chain, but in reality, very few companies have that transparent supply chain,” Dong says. “Usually, they are aware of their first-tier suppliers, but then second-tier, third-tier: they’re invisible to them. So they need to collect this information, and they need to get the service providers’ support to provide this information.”

Collecting the information might mean contract renegotiation to determine how and to whom service providers furnish the information, how risks are shared and how monitoring is conducted, she says.

Clayton Utz special counsel Lyndal Sivell, who has written about and advised on CPS 230, says “a real, renewed interest in digital operational resilience” is currently a hot topic around the world following a range of failures.

With CPS 230, Australian finance sector businesses will be required to set up and maintain, on an ongoing basis, systems, processes and relationships to boost supply chain resilience, she says, adding that accountability ultimately rests with the board and senior management.

According to the regulation, an APRA-regulated entity must “identify and maintain a register of its material service providers and manage the material risks associated with using these providers”. These material service providers include “core technology services” – at the heart of protecting client and customer data.

In this “hyper-connected world” it’s important to remember that ensuring the protection of this data along the supply chain is essential, Sivell says.

“We really need it to be in a resilient and compliant operational environment, it’s kind of key,” she adds. “Otherwise, you just lose everything. You lose trust. So much is dependent on that, I think, both here and abroad.”

KPMG lead partner for supply chain advisory, Sari Mackay, says the visibility of stakeholders and processes along the end-to-end chain is crucial for maintaining full compliance.

“Best-in-class organisations are increasingly leveraging technology to map and monitor their supply chains, adopting a real-time approach to shift from reactive to proactive supply chain planning,” she says. With the current complex and shifting global landscape, effective supply chain systems and processes are essential for building resilience.

Sivell says preparing for CPS 230 is a matter of building on existing frameworks and adapting as the situation changes.

“I see CPS 230 as modernising in a way,” she says. “We’ve got these old standards, and we’re trying to move forward.”

Australian Financial Review