According to an industry expert, resilience has become a board-level concern for Australia’s financial services industry ahead of new CPS 230 Operational Risk Management regulations from the Australian Prudential Regulatory Authority, the industry’s regulatory body.
Australian banks, insurers, and superannuation funds will be required to meet the APRA’s new consolidated CPS 230 standard for operational risk management. Those classified as “significant” financial institutions have until July 2025 to comply, while non-significant financial institutions have been given until July 2026 to comply with specific business continuity requirements and scenario analysis requirements.
The obligations focus on businesses’ resilience. Institutions subject to CPS 230 must ensure the continuity of critical operations during business disruptions. Compliance with these regulations is closely tied to technology, as organisations must maintain operational technology to deliver critical services during events such as cybersecurity incidents and other disruptions.
Jamie Simon, director of banking and financial services at Amazon Web Services, told TechRepublic that the APRA-regulated industry was well prepared for the introduction of next year’s new requirements.
“We’ve had quite a bit of time now to understand the intent and also to start to work with customers to help prepare them for it — and they’re very well progressed across the industry,” Simon said.
Real-world examples that underscore the importance of resilience
Resilience has become a top priority for boards at APRA-regulated institutions, standing alongside cyber security as a crucial focus. There is now heightened attention from the top down to ensure businesses meet their obligations effectively.
A key driver of this shift is CPS 230, which holds boards accountable for overseeing operational risk management, including business continuity and managing service provider arrangements.
Recent public incidents in the sector have further underscored the importance of resilience, providing boards with concrete examples of what could go wrong and why proactive oversight is essential.
In October, an outage at Australia’s second-largest super fund, the Australian Retirement Trust, caused nearly 100,000 pension recipients to wait five extra days for payments. That same month, system issues and outages also affected Westpac, where customers struggled to access banking and payments over three days.
SEE: Data centre outages cause focus on risk mitigation
“Any time any kind of public event happens, it raises the level of visibility and awareness at board level,” Simon said. “From the regulator, that puts more focus on making sure the posturing, positioning, design, and ways of working are really robust and well set up to minimise or avoid any such event in the future.”
He added that a bell curve exists when preparing a market for a regulation such as CPS 230, and it is influenced by each institution’s capacity and capability to understand and prepare for it. However, he said that some bigger entities that had more at stake and were due to come under the regulation first were establishing their own risk practices that exceeded the APRA guidance.
“They are actually in a significantly better position than the guidelines outline or require of them, which I think is a really positive thing within the Australian financial services industry,” Simon said.
SaaS system observability is seen as a key way to increase resilience
The observability of SaaS supply chains is an area where the financial services industry is pushing ahead. As part of APRA’s CPS 230, the financial services industry needs to enhance third-party risk management to support resilience and ensure any risks from material service providers are appropriately managed.
“The regulatory changes mean having to carry more responsibility of understanding and managing their full supply chain,” Simon said. “That’s where I think a lot of them are getting ahead of the guidelines; they are working really hard to understand what that full end-to-end looks like and partnering with suppliers.”
Simon said one industry trend is the significant adoption of SaaS third-party providers. Institutions no longer run the infrastructure themselves but are asking providers to run the physical infrastructure sitting underneath “what can be fairly critical workloads sometimes.”
SEE: Obsidian Security warns of rising SaaS threats to enterprises
Ensuring strong observability across all systems and third parties is key, Simon said. This includes having the right tools in place to monitor, understand, and pre-emptively identify risks across their own and third-party systems. This also requires institutions to work with major cloud service providers like AWS.
“AWS is really leaning into that to make sure that we’re able to provide them all the right levels of visibility in the system so they can feel really confident that their full supply chain is protected and secure,” he added.
Resilience can be an enabler of innovation
A focus on resilience is warranted, given the impact disruptions can have on businesses and the customers who suffer through them.
“Fairly high visibility outages that take down customer services for a period of time can lead to customer churn,” Simon said. “It can lead to significant customer dissatisfaction, and that can have significant top-line implications. And that’s true of all industries, not just financial services institutions.”
However, he explained that typical approaches often trade resilience off with driving innovation: “It’s often talked about as a counterbalance — like you’re trying to find a balance between those two things.”
SEE: How AWS responded to the generative AI wave of 2023
However, he said AWS strongly believes that having a strong resilience and security position “actually enables you to move faster with confidence when you start to innovate around things like AI and automation of business processes and more automation of the customer experience.”
“That in turn, allows you to drive significant automation into resilience and security practices, which then helps them uplift and it becomes this really positive flywheel effect,” he said.
Rather than seeing resilience as a counterbalance to innovation, he said the relationship between the two can be seen as driving faster, safer innovation through better resilience and security.