Monday, March 31, 2025

Boards are gearing up for the impending Computerized Provider Systems (CPS) 230 rollout.

As the financial services sector in Australia prepares for the imminent implementation of CPS 230 Operational Risk Management regulations by the Australian Prudential Regulation Authority, resilience has emerged as a pressing concern for board-level executives.

Australian banks, insurers, and superannuation funds are likely to need to meet the Australian Prudential Regulation Authority’s (APRA) newly established consolidated CPS 230 standard for operational risk management, thereby ensuring a higher level of prudential oversight and resilience in their operations. Entities classified as crucial financial institutions have until July 2025 to comply, while non-essential financial institutions have been granted until July 2026 to adhere to specific business continuity requirements and scenario analysis standards.

Companies’ resilience obligations are at stake. Businesses must ensure the uninterrupted functioning of critical processes amid organizational upheavals. Organisations must closely align compliance with their knowledge assets, ensuring the preservation of operational know-how that enables them to deliver critical services even during extraordinary circumstances such as pandemics and other disruptions.

According to Jamie Simon, Director of Banking and Monetary Services at Amazon Web Services, the APRA-regulated industry is well-prepared to meet the upcoming year’s new requirements, as stated in an interview with TechRepublic.

“We’ve had sufficient time to understand the intent and start engaging with clients, helping them prepare for this development – they’re well-established in their respective industries.”

As the world continues to grapple with the complexities of an ever-evolving landscape, the importance of cultivating resilience cannot be overstated. From the ravages of climate change, which have left entire communities reeling, to the quiet desperation of individuals struggling to make ends meet in a rapidly shifting economic landscape, the need for resilience has never been more pressing.

Consider, for instance, the tale of the small-town farmers who, in the face of devastating droughts and unpredictable weather patterns, refuse to give up on their land. Or think about the young entrepreneur who, after facing rejection and failure multiple times, refuses to let setbacks define them. In these cases, resilience is not just a personal trait, but a vital component of community survival.

In other instances, it’s the healthcare professionals who, despite witnessing unspeakable tragedy and heartache on a daily basis, find ways to heal and support those in need. It’s also the first responders who rush into harm’s way without hesitation, driven by an unwavering commitment to helping others.

The examples are endless, yet one thing remains clear: resilience is not just about bouncing back from adversity; it’s about building a stronger, more resilient world for everyone.

Resilience has emerged as a top priority for boards at APRA-regulated institutions, ranking alongside cyber security as a crucial area of focus. Regulatory pressure has intensified at every level to ensure corporations fulfill their responsibilities effectively.

One major catalyst behind this transformation is Cybersecurity Policy Standard (CPS) 230, which effectively holds governing bodies responsible for ensuring the proper oversight of operational risk management, as well as enterprise continuity planning and supply chain preparedness.

Recent public crises within the sector have starkly highlighted the importance of resilience, providing boards with tangible case studies on potential pitfalls and underscoring the necessity for proactive oversight to mitigate risks.

In October, a significant technical issue at Australia’s second-largest superannuation fund, the Australian Retirement Trust, caused around 100,000 pension recipients to wait five extra days for their benefits. In the same month, technical issues at Westpac’s systems resulted in a prolonged disruption, leaving customers unable to access their bank accounts or transfer funds for nearly three consecutive days.

When a public event unfolds, it amplifies awareness and visibility on multiple levels, Simon observed. “To guarantee effective safeguards, the regulator ensures that all aspects – posture, position, design, and working methods – are robustly established to mitigate or prevent potential issues from arising.”

A bell curve exists when preparing a market for regulations corresponding to CPS 230, influenced by each entity’s capacity and functionality in understanding and compliance preparation. Notwithstanding his comments, certain influential organisations that stood to gain significantly from the regulations’ implementation were already developing risk management protocols that surpassed APRA’s guidelines.

With their performance far exceeding regulatory standards, Simon believes this is a highly encouraging trend for the Australian financial services industry as a whole.

SaaS system observability emerges as a crucial strategy to enhance resilience.

The observability of software-as-a-service (SaaS) supply chains is an area where the financial services industry is pushing forward. Under APRA’s CPS 230, financial institutions must ensure that risks associated with material service providers are properly mitigated through effective management processes.

“The regulatory adjustments suggest that companies must assume additional responsibilities for comprehending and overseeing their entire supply chain,” Simon said. “It’s the location where many seem to be pushing boundaries; they’re putting in immense effort to visualize the entire end-to-end process and collaborating closely with vendors.”

Simon noted that a notable trade advancement is the widespread uptake of software-as-a-service (SaaS) offerings from external providers. Suppliers are being asked by establishments to manage the physical infrastructure supporting “potentially critical workloads”, a departure from traditional practices where infrastructure was owned and operated in-house.

Ensuring seamless integration across all methods and third-party events is crucial, according to Simon. Having the right tools in place enables organizations to proactively detect and mitigate risks within their own operations and those of third parties. Establishments are further required to collaborate with primary cloud service providers such as Amazon Web Services (AWS).

“AWS is proactively addressing this by ensuring that customers have complete transparency into the system’s visibility capabilities, thereby fostering confidence in the security and integrity of their entire supply chain.”

The capacity for resilience may serve as a catalyst for driving innovative thinking.

In light of the profound impact disruptions can have on both companies and their customers, a resilient approach to deals seems justified.

“Significant and prolonged outages in visibility can have devastating consequences, causing buyers to abandon their providers,” Simon cautioned. If we don’t address this issue promptly, it could lead to significant buyer discontent, potentially impacting our overall revenue. Not to mention, this principle applies universally across various sectors.

Despite this, he clarified that conventional methods often equate business resilience with stifling innovation, suggesting that “it’s commonly seen as a trade-off – finding equilibrium between these two factors.”

Notwithstanding his assertion, AWS is convinced that a sturdy foundation in resilience and security enables organisations to transition more rapidly with confidence as they pioneer innovations such as AI-driven process automation and enhanced customer experience.

“That allows for the seamless integration of critical automation into resilience and safety protocols, thereby fostering a self-reinforcing cycle that propels organizations forward in a positive direction.”

Rather than viewing resilience as a counterbalance to innovation, he posited that the two are intimately connected, enabling faster, more reliable advancements through the synergy of increased resilience and safety.
