Blog — 21 Jul, 2023
By Sammy Faidy
As societies adapt to the digital age, technological innovation has reached unprecedented levels. This sixth wave of innovation includes AI, IoT, robotics, and clean technologies, bringing transformative advancements. In this landscape, businesses at the forefront of innovation are collaborating with organizations seeking digital transformations.
The increasing interconnectedness of businesses through third-party relationships has introduced complexities to risk management efforts. While these relationships offer access to specialized expertise and scalability, they also expose organizations to unforeseen vulnerabilities and, through them, to a multitude of risks, notably cyber-attacks.
In the Australian banking industry, third-party vendors have been leveraged to enhance operational capabilities and drive innovation. These vendors facilitate expedited loan applications, improve customer experiences on mobile apps, and streamline internal business practices.
However, some of these vendors, whether formally onboarded or not, may have access to sensitive information such as customer data and banking data. In some cases, they may lack robust data safety measures or business continuity planning, or may exhibit vulnerabilities in their cyber framework.
Operating within a dynamic and ever-changing regulatory landscape, the Australian Prudential Regulation Authority (APRA) issues prudential standards that apply to authorized deposit-taking institutions (ADIs), including banks, credit unions, and building societies.
One such regulatory framework introduced by APRA is Prudential Standard CPS 230 - Operational Risk Management, also known as 'CPS230.' The effective date for the new standard is July 1, 2025, and its aim is to enhance the resilience of APRA-regulated entities against operational risks and disruptions. CPS230 covers various aspects of operational risks, including governance, risk management, security controls, incident management, testing, and assurance. It emphasizes a risk-based approach and the need for entities to adapt their security measures to the evolving threat landscape.
CPS230 focuses on the following key areas to improve operational risk practices:
APRA recognizes the importance of operational resilience by emphasizing the need to establish tolerance levels for disruptions to critical operations. Operational resilience deals with tangible risks that have materialized, distinguishing it from risk appetite tolerances.
Implementing CPS230 also aims to foster a stronger risk culture, creating an environment that influences risk-management behaviors and strengthens risk architecture. APRA effectively communicates these concepts through informative infographics, such as their Risk culture 10 dimensions observations. These observations highlight the significance of culture in mitigating risks and safeguarding the interests of depositors, policyholders, and other stakeholders.
To mitigate risks and protect operations, organizations must proactively implement comprehensive third-party risk management frameworks. Drawing from our financial services KY3P community, here are ten strategies and best practices:
By implementing these measures, organizations can effectively identify and address potential risks, ensuring the security and stability of their operations. The financial industry serves as an example of increased reliance on technology and digital channels, making it more vulnerable to cyber threats and data breaches. Therefore, organizations are encouraged to consult regulatory authorities and risk management experts to ensure compliance with specific requirements applicable to their operations.
It is important to note that different industries and sectors may have additional specific regulations and guidelines tailored to their context (see the appendix below).
Organizations should consult the relevant regulatory authorities and industry-specific guidelines to ensure compliance with the specific requirements applicable to their operations.
KY3P® is S&P Global's comprehensive Third-Party Risk Management solution. Built upon a robust methodology, KY3P® offers a diligent and meticulous assessment approach to effectively manage third-party risks.
The KY3P® methodology is developed in close collaboration with our esteemed KY3P® user community, ensuring a consistent and industry-aligned approach.
Recognizing the diverse needs of third-party risk management, KY3P® offers flexible tools tailored to individual requirements. Our suite of solutions includes continuous monitoring of third-party vendors, customizable due diligence questionnaires, and comprehensive assessments. Additionally, we provide validated data that supports risk-based decision-making, enabling organizations to assess suppliers at varying levels of criticality.
By leveraging KY3P®, businesses gain invaluable insights that strengthen their day-to-day operations. Organizations can embed resilience into their core practices, ensuring regulatory compliance, identifying potential threats and vulnerabilities, and proactively planning for the impact of emerging risks.
The KY3P solution effectively addresses the core elements of APRA's CPS230 requirements.
Appendix
APRA is not the only authority that provides guidance on third-party risk management in Australia:
These guidelines provide general principles and frameworks for organizations to follow.