The aim of the Prudential Standard CPS 230 is to ensure that an entity regulated by the Australian Prudential Regulation Authority (APRA) is resilient to operational risks and disruptions. When put into effect on 1 July 2025, banks, insurers (general, life, and health), and registrable superannuation funds must effectively manage their operational risks, maintain critical operations through disruptions, and manage the risks arising from third-party service providers.

This blog is the first in a series that will address important issues related to third-party service providers. The series reflects Justin Laughlin-Hyde’s past experiences with risk management systems and moves away from the more theoretical papers on successful CPS 230 implementation to help readers understand what has and has not worked for others, so they can benefit from lessons learned.

Justin is Regional Director for S&P Global Market Intelligence’s KY3P^® in Asia Pacific, Middle East, and Africa, based in Sydney, Australia. Previously working in London, England, Justin was responsible for designing and building the global third-party risk management and procurement functions for Wise and the Investec Group from the ground up, covering banking, wealth, and asset management solutions, as well as developing risk frameworks and policies. He was also pivotal in the design and implementation of the architecture for two third-party risk management platforms, delivering end-to-end risk management that simplified regulatory adherence. 

Getting Criticality Right

In the pages of the CPS 230 regulation, the word “critical” is mentioned many times, making it by far one of the most important controls for organizations to get right. However, it is also one of the least prescriptive when looking at CPS 230.

What does “critical” mean for an organization that must define, identify, and maintain a register of its critical operations? When asked, the frequent response is an activity where an operation would fail if there was a significant disruption. This is a vague response, however, which is why defining criticality is so important – yet so challenging. Experience shows that it takes a long time for an organisation to understand what criticality means and realize that it is not necessarily the same across organizations.

It is essential that the criticality assessment is custom-fit for an organisation and that it can be demonstrated at audit time that a set of appropriate questions were reviewed and approved by the Board of Directors and were applied to all relationships.

Working in financial services does not mean that criticality questions will be the same as other institutions. The assessment of criticality comes down to how an organisation operates its dependencies and external relationships that keeps it up and running and, if there was a disruption, could significantly impact day-to-day operations.  

Often organisations include too many questions, which can turn into an additional risk assessment rather than providing information to understand if a relationship is in fact critical. A criticality assessment should gather enough information for a discussion to be had with key internals to decide if a third-party relationship is essential. This should include a review of backup options and whether other in-house systems can provide sufficient support in the event of a disruption. For example, if the payroll system goes down, is all the information available for manual payments to be made, and could those payments be made with speed without significantly impacting staff members?

Some of the key areas that are important to determine criticality include:

• Regulatory outsourcing. Is the third party providing a service that is a regulatory requirement?
• Transferability. How easy or hard would it be to move to a different provider?
• Continuity. If there was a disruption to services, is there an alternate way within the organisation to take over the service or the tasks that a third party provides?
• Short-term disruption. What is the risk tolerance for a short-term incident?
• Longer-term disruption. How long could the organisation operate if a short-term disruption turned into something significantly longer?

While these considerations are good for determining criticality when it comes to third parties, what should an organisation take into account for either network management or correspondent banking, as these may be critical to operations? It is useful to have a two-tiered approach. The first should look at third parties in the traditional sense, while the second should look at network management and correspondent banking separately. To date, this second tier does not have a regulatory focus in many countries, as network management and correspondent banking are seen as services versus outsourcing and fall into the category of infrastructure, which is excluded under many regulations.

This requires a different set of criticality questions from traditional third parties, such as:

• What is the number of currencies that a correspondent bank supports for daily transactions?
• How many countries are supported?
• What is the ability to move to a different correspondent bank, if needed?

It is very important to make sure that the system or platform used to collect third-party risk information also contains these two-tiers of criticality questions.

KY3P® is S&P Global's comprehensive Third-Party Risk Management solution that effectively addresses the core elements of APRA's CPS 230 requirements. Built upon a robust methodology, KY3P offers a diligent and meticulous approach to effectively manage third-party risks. The KY3P methodology is developed in close collaboration with an esteemed user community, ensuring a consistent and industry-aligned approach.