Spotlight on APRA’s Operational Risk Management Standard

The financial sector is evolving quickly thanks to rapid advancements in tech that promise new efficiencies and enhanced customer experience.

However, this greater reliance on technology brings with it an increased risk of supplier failure, service deterioration and concentration risk.

As even a minor disruption to financial services can have a significant impact on financial markets, individuals and businesses, the global regulatory landscape has to continue to adapt in response. The latest proposed standard comes from the Australian Prudential Regulation Authority (APRA).

Wayne Scott, Regulatory Compliance Solutions lead, NCC Group Software Resilience, takes us through the key points of the proposals.

What is APRA’s plan?

APRA’s objective is to introduce a new prudential standard for operational risk that will require organisations to identify their service providers deemed as ‘material’ and take steps to manage the associated risks.

What should organisations be aware of?

There are three key areas for organisations to take into consideration in order to remain compliant with the new standard:

  • They must maintain effective internal controls for operational risk, reflective of their size and complexity.
  • They must also ensure that they are able to continue delivery of their critical operations if business disruption were to take place.
  • Finally, they must prove that they can manage the risks associated with their use of service providers.

What are practical steps organisations can take to comply?

The new draft standard requires organisations to put business continuity plans in place. It also asks them to ensure, through legally binding agreements with material service providers, that those plans can be enacted.

We believe that the most effective way of managing operational risk is to embrace a ‘resilience by design’ approach. This would include looking to practical business continuity solutions such as software escrow agreements.

Software escrow agreements are one of the most effective, proportional and cost-efficient ways of enabling business continuity when it comes to material service providers. They offer a minimum level of resilience through legal and technical means. This means that business operations can continue while a service is being restored or alternative options are being implemented.

Many financial services firms already use escrow solutions as part of their business continuity planning when mitigating supplier risk. Some third-party service providers themselves have also opted to build these solutions into their offer to support their customers’ compliance with regulatory requirements. Meanwhile, regulators globally are advocating the use of software escrow as part of a proportionate risk management approach.

What happens next?

After reviewing industry feedback in response to the consultation, APRA expects to release the final standard early next year, before the new standard comes into force from 1 January 2024.

There is still a lack of widespread awareness of the benefits of software and technology escrow solutions, and the role they can play in addressing regulatory requirements on outsourcing and third-party risk management.

There is a role for regulators and policymakers, including APRA, to do more to promote and educate financial firms on the benefits of cloud, software and technology escrow solutions for addressing regulatory requirements on outsourcing and third-party risk management. A more widespread awareness of this, and clear guidance on how to implement it, would align with approaches taken by other regulators across the globe.

With the UK Prudential Regulation Authority (PRA), the Hong Kong Monetary Authority (HKMA), and the Monetary Authority of Singapore (MAS), to name a few, the financial services sector is taking leaps to manage operational risk. If regulators can keep up with the pace of advances in technology, it will be an exciting time for innovation that is as resilient as it is exciting.




NCC Group Press Office

Press contact: All media enquiries relating to NCC Group plc, +44 7976234970
