
Strengthening operational risk and third-party management – navigating the new APRA Standards
APRA-regulated entities across Australia face a pivotal moment as the July 1st deadline for implementing CPS230 approaches. Combined with the complementary CPS234 regulation, this new standard is designed to fortify operational and third-party risk management practices. Together, they establish a rigorous framework to help organisations respond to emerging challenges, particularly those associated with operational risk and unstructured data.
If left unmanaged, operational risk can leave organisations vulnerable to disruptions that affect their internal processes, reputation, and financial health. By addressing weaknesses in existing controls and improving third-party risk management, organisations can instead turn compliance into a catalyst for growth and resilience.
Strengthening operational risk management
In this context, operational risk management encompasses more than just IT systems—it extends to the fundamental processes that underpin financial operations and business continuity. For example, many organisations are significantly vulnerable because they use outdated or insufficiently robust controls, such as poorly defined separation of duties or inadequate oversight of general processes.
CPS230 emphasises the need for quick recovery and continuity of operations, particularly in the aftermath of disruptive events such as cyberattacks. For instance, maintaining the ability to switch to clean, separate systems quickly can mean the difference between maintaining stakeholder trust and facing operational paralysis. Yet, achieving this readiness hinges on a deeper understanding of the organisation's data landscape.
Consider the analogy of searching for a specific book in a library without an indexing system. Against the backdrop of chaotic, unstructured data management, organisations cannot effectively locate and leverage critical data. They need to organise it first. This process is crucial not only for compliance but also for enabling decisive and informed responses to disruptions.
Meanwhile, CPS234 demands that boards of directors be clearly accountable for governance and oversight, emphasising that operational resilience begins with leadership. This cultural shift pushes organisations to reevaluate their processes and streamline internal responsibilities, ensuring vulnerabilities are identified and addressed proactively.
Enhancing third-party risk management
CPS230 also emphasises third-party risk management, an area that has grown increasingly complex as organisations adopt more cloud services, outsourcing and IT vendor contracts. "Gartner® research reveals that organisations are suffering an increase in third-party cybersecurity incidents, resulting in business interruption, loss or damage." The message from regulators is clear: pre-contract due diligence is no longer sufficient to mitigate third-party risks. Organisations must go further and embed contingency plans, incident response protocols, and clearly defined exit strategies into their vendor contracts. These steps align with the recommendations stated by Gartner to strengthen vendor management, which include:
- As per Gartner, "Identify the necessary contractual obligations and service levels required to ensure that vendors perform to expectations, respond to incidents and have tested continuity plans."
- Gartner also recommends that organisations "Develop a clear plan for monitoring IT vendors, responding to IT vendor incidents and removing them in a timely manner when needed by building a capability to test, detect and respond to IT vendor operational outages."
By defining a target state and investing in integrated tools, companies can better manage their vendor ecosystems, ensuring alignment with both CPS230 and CPS234 standards. Integration of cross-functional tools also allows teams across risk, compliance, IT, and procurement to collaborate effectively, breaking down silos and improving organisational oversight.
Turning compliance into an opportunity
While complying with CPS230 and the ongoing updates to CPS234 may seem daunting, these regulations also present an opportunity for transformation. Organisations can build resilience and drive operational excellence by addressing control weaknesses and enhancing third-party risk management practices.
Organisations are under greater pressure to evaluate their readiness levels as the regulatory deadline approaches. A proactive, collaborative approach will not only help ensure compliance but also unlock potential for strategic growth and strengthen the foundation for facing future challenges.