Operational resilience unpacked: Safeguarding your business in a complex world.

The Operational Resilience Ecosystem

  • Insight
  • 9 minute read
  • November 01, 2024

Operational resilience — an organisation's ability to continue operating through disruption while still meeting its commitments to customers — is a universal concern. It has become a fundamental priority, not just in financial services but across all industries, transcending industry-specific regulatory obligations. Regulation is now creating a need for non-regulated entities to support their customers' ability to comply with regulatory requirements. The interconnected and increasingly complex risks we face today demand a comprehensive approach to identifying and bridging risk silos. Adopting an end-to-end view of operational risk and resilience will help your organisation prepare for and respond to disruption more effectively.


This paper, part of our ongoing series on operational resilience, offers insight into the current regulatory environment and what’s ahead, and focuses on the essential ecosystem of third-party suppliers, vendors and related parties that comprise critical operations. We explore the challenges, opportunities and pragmatic strategies for managing your supply chain risk.

The compliance countdown: a new regulatory landscape

In July 2023, the Australian Prudential Regulation Authority (APRA) released Prudential Standard CPS 230 Operational Risk Management, set to take effect on 1 July 2025. We’re now over halfway through the pre-compliance period, with many organisations ramping up efforts to meet these new requirements. CPS 230 aims to strengthen operational risk management within the APRA-regulated banking, insurance and superannuation sectors, and to minimise the impact of disruption on members and the financial system.

Similarly, the Security of Critical Infrastructure Act (SOCI) strives to protect and ensure the resilience of critical infrastructure assets across sectors vital to Australia’s society, economy and security. Compliance audits commencing in 2024-2025 are designed to drive improvement in regulated entities' adherence.

Timeline (figure):

CPS 230
  • 1 July 2025: CPS 230 effective date; compliance with CPS 230 requirements will commence.*
  • 1 October 2025: Submit MSP register to APRA.
  • 1 July 2026: End of transition period for SP arrangements.*

Security of Critical Infrastructure Act (SOCI)
  • 18 August 2023: SOCI effective date; compliance with SOCI requirements commenced.
  • 28 September 2024: First Board-approved annual report due to the regulator.
  • TBC 2025: Mandatory audits by the Cyber Security and Infrastructure Centre.

* APRA has given non-SFIs additional transition time until July 2026 for certain requirements.

We find ourselves in a unique period where the need for greater resilience intersects with new regulatory demands, impacting critical and financial services — and their third-party suppliers. Many are facing dual obligations under both CPS 230 and SOCI.

Where we stand today

As we progress through APRA’s high-level timeline, organisations should have identified their critical operations and material service providers (MSPs).[1] Tolerance setting should also be well underway to meet APRA’s expectations. The focus now shifts to integrating CPS 230’s resilience principles from program design into line 1 ‘business as usual’ operations.

In the regulator’s view, this transition period should be well-planned and completed prior to 1 July 2025:

“We expect regulated entities to be proactive in preparing for implementation, rather than waiting until the last minute to get ready to meet the new requirements.”

APRA, ‘APRA finalises new prudential standard on operational risk’[2]

For organisations subject to SOCI, the first year of compliance will have yielded lessons and improvements. This experience offers an opportunity to refine resilience measures and adapt governance practices for more robust, effective compliance going forward.

Regarding third-party suppliers, organisations must fundamentally change how they manage them across the procurement and vendor management lifecycle in order to manage operational risk effectively.

A shift to managing third parties

As organisations transition to more resilient operations, third-party risk management becomes a focal point, placing greater demand on vendor relationship managers and internal teams, including procurement and risk management functions. Regulatory change broadens the scope of critical or material third parties that must be monitored (CPS 230 moves beyond the performance monitoring required under the existing CPS 231 to managing operational risk), and the practices of third-party risk management themselves will also likely change. The procurement and third-party risk operating model is affected in turn as the scope of its work expands.

The breadth of these changes impacts both the regulated organisation and the third-party landscape. Procurement functions must consider how to work with third-party suppliers differently throughout the procurement lifecycle to embed the requisite compliance practices. Viewing this change through a ‘Procurement Levers’ lens can help procurement and third-party risk functions effect the change in a sustained manner.

Procurement levers (figure): total cost management, demand management, contract and compliance management, rationalisation and consolidation, right shoring, specification optimisation, supplier management.

Some third-party risk management practices may be new for organisations aiming to meet operational resilience standards, such as:

  • Consideration of fourth parties — and beyond:
    Previously fourth parties — those subcontracted by primary vendors — were often contractually invisible. Regulatory changes now require organisations to understand the role of fourth parties and in turn other nth parties in delivering critical operations.
  • Enhanced resilience monitoring:
    Traditional attestations or questionnaires from service providers are no longer enough. In some jurisdictions, we have seen a move towards detailed sharing of business continuity and disaster recovery (BCP/DR) arrangements and test outcomes, along with formal, audited assurance opinions over operational risk management arrangements. Where formal assurance reporting is not available, there is also the potential for direct testing of MSPs' operational risk practices.
  • Mapping services to critical operations:
    Processes and tooling to map specific third-party services to the critical operations they support, identifying any fourth parties involved in these service deliveries.

APRA has released guidance that includes both a checklist and a template for a material service provider (MSP) register. Both highlight the following:

  • Identify the key dependencies on third parties in critical operations, including fourth parties, where reasonable.
  • Maintain an MSP register and notify APRA of changes.
  • Have clear accountability in place for MSPs.
  • Incorporate third-party considerations into scenario definition and testing.

Operational resilience programs would be wise to capture sufficiently granular information during the initial implementation phase to effectively scale resilience monitoring and arrangements to match the risk presented by a third party. This precision allows for clearly defining MSP scope and sub-service risks, ensuring that ongoing compliance efforts are appropriately directed toward the most significant risks.

For instance:

  • Identify specific sub-services supporting a critical operation.
  • Understand the detailed failure scenarios relevant to these services – including where a fourth party is involved.
  • Analyse these failure scenarios. Is there a single point of failure? Will service levels drop, and by how much? Are alternative arrangements available?
  • Tailor the resilience response accordingly, including fourth parties where relevant.

A deep-dive on ‘fourth parties’

Fourth-party identification is seen as a particularly challenging component of third-party resilience. It’s essential to pinpoint why these fourth parties matter: what specific sub-services do they provide that your critical operations depend on? This helps to narrow the aperture of scenarios and services in your scope.

APRA’s CPG 230 refers to taking ‘reasonable steps’ for identifying fourth parties, signalling that organisations should make an effort to recognise these dependencies. However, even if a fourth party isn’t named, the primary goal remains the same — confidence in the resilience of your critical operations. Achieving this relies on strong oversight and a clear understanding of your third party’s own resilience and vendor management practices.

Bringing this to life – an example

Take a data centre provider as an example: while a facility’s loss is typically mitigated by a geographically diverse secondary location, other sub-services, such as fourth-party telecommunications and network devices that link the sites, may also present failure risks. Additionally, has your provider tested their failover capabilities under full load, and is there sufficient capacity for your services at the alternate location?
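As an added illustration of the sub-service and failure-scenario analysis described above (not part of the original paper or of PwC's own tooling), the following Python models the data centre example: hosting spread over two sites, with the inter-site link and site network devices supplied by fourth parties subcontracted by the primary data centre provider. It lists which providers are single points of failure, which tier they sit in, and which provider pairs only stop the operation when both fail. The provider names and dependency map are constructed.

```python
from itertools import combinations

# Each sub-service maps to the providers able to deliver it. The critical
# operation needs every sub-service; a sub-service survives while at least one
# of its providers is up. All provider names below are constructed.
SUB_SERVICES = {
    "hosting": {"DC-Primary", "DC-Secondary"},
    "inter-site link": {"Telco-Link"},
    "site network devices": {"NetVendor"},
}
# Who engaged each provider: None means contracted directly (third party);
# otherwise the third party that subcontracts it (fourth party).
ENGAGED_VIA = {
    "DC-Primary": None,
    "DC-Secondary": None,
    "Telco-Link": "DC-Primary",
    "NetVendor": "DC-Primary",
}


def tier(provider):
    """Label a provider as a direct third party or a fourth party via its engager."""
    via = ENGAGED_VIA.get(provider)
    return "3rd party" if via is None else f"4th party (via {via})"


def operation_survives(failed, sub_services=SUB_SERVICES):
    """True when every sub-service keeps at least one provider outside `failed`."""
    return all(providers - set(failed) for providers in sub_services.values())


def single_points_of_failure(sub_services=SUB_SERVICES):
    """Providers whose loss alone stops the critical operation."""
    providers = set().union(*sub_services.values())
    return sorted(p for p in providers if not operation_survives({p}, sub_services))


def fatal_pairs(sub_services=SUB_SERVICES):
    """Pairs of non-SPOF providers whose combined loss stops the operation."""
    providers = set().union(*sub_services.values())
    candidates = providers - set(single_points_of_failure(sub_services))
    return sorted(tuple(sorted(pair)) for pair in combinations(candidates, 2)
                  if not operation_survives(set(pair), sub_services))


if __name__ == "__main__":
    for p in single_points_of_failure():
        print(f"SPOF: {p} [{tier(p)}]")
    print("Pairs that stop the operation together:", fatal_pairs())
```

Running it shows that the geographically diverse pair of sites only fails together, while the single telco link and network device vendor, both fourth parties, are each a single point of failure on their own.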

Are you a Material Service Provider? Are you ready?

There are inevitably cross-dependencies in the financial services ecosystem across banking, superannuation and insurance. Some regulated entities are also grappling with being deemed MSPs to their user organisations. This is especially prevalent in the wealth management space, but also among payment providers that double as banks. Further, with the inclusion of SOCI considerations, the scope of critical and major third-party suppliers becomes even wider and more interdependent.[3] Within this framework, organisations must now consider their own obligations and resilience arrangements, as well as their customers’ obligations and the resilience of the services provided — not to mention where they may also be a fourth party to an MSP.

Is your organisation ready to meet these layered responsibilities head-on?

Take the example of a telecommunication provider:


Figure: a telecommunications provider in the ecosystem. Entities shown: Bank, Telco, Data Centre; regulators: APRA (CPS 230) and the Department of Home Affairs (SOCI); roles: MSP, SOCI critical third party, fourth party.

While user organisations have been, or will soon be, reaching out to third-party suppliers deemed in scope for regulatory resilience obligations, what is clear is that there is a step-change in the level of resilience governance across the ecosystem.

Here are the key resilience requirements and best practices for strengthening your critical supply chain:

  • Implement comprehensive risk management frameworks to identify, assess and manage the risks associated with the services provided.
  • Establish robust programs of control testing and self-assessment across the end-to-end value chain.
  • Conduct rigorous due diligence prior to engaging service providers to ensure they meet the necessary standards and requirements.
  • Design effective business continuity plans to ensure services and critical assets remain operational during disruptions.
  • Establish incident management processes to identify, report and resolve incidents that could impact service delivery/critical infrastructure assets.
  • Define clear Service Level Agreements (SLAs) to clarify the expectations and responsibilities of both the service provider and the customer.
  • Share key resilience artefacts to user organisations, such as business continuity plans, scenarios considered and testing outcomes.

Assuring your customers with confidence

Third-Party Assurance (TPA) reports are more than just formalities — they’re powerful tools. They help service providers strengthen trust and confidence and provide greater transparency to their customers and the market regarding the operational resilience of their services.

These reports are independent evaluations that provide an opinion over the accuracy, reliability and compliance of a service provider’s processes, systems and controls. Typically issued once a year, they limit the business disruption that can arise for a service provider in responding to multiple customer questionnaires or onsite reviews and audits.

For service providers, this presents an opportunity to get on the front foot and offer a standardised, transparent way of demonstrating their operational resilience to their regulated client base.

Even if a provider isn’t regulated by APRA, TPA reports establish a strong, market-aligned position to meet common customer needs. As these reports become more widely adopted, they help reduce the volume of individual data requests — a win-win for both the provider and the customer.

For organisations that provide services to customers subject to regulatory requirements, the controls framework for the TPA report should be designed to integrate various regulatory requirements (both existing and emerging), such as APRA’s CPS 230 Operational Risk Management Prudential Standard, APRA’s CPS 234 Information Security Prudential Standard, the Security of Critical Infrastructure Act (SOCI) and emerging ESG standards. As these standards often overlap, TPA reports ensure a single-touch approach: controls are tested once as part of your external reporting regime.

The framework for TPA reports on operational resilience should cover essential areas to support your customers’ regulatory needs, such as:

  • Operational risk management
  • Business continuity planning
  • Internal control testing
  • Operational risk incident management
  • Service provider management
  • Information security risk management

By using TPA reports, service providers showcase their operational resilience and position themselves as reliable partners in a regulated environment.

What's next?

The industry-wide shift from reactive disaster response during recent years to proactive resilience in operations and services is firmly underway. With APRA's 1 July 2025 deadline, this evolution is not just a goal — it's an expectation. By embedding resilience into everyday processes and enhancing third-party management, organisations can confidently navigate disruptions, safeguard critical operations and strengthen relationships with customers, boards, and regulators. As regulatory demands grow, those meeting these challenges head-on will lead the way in operational excellence and stakeholder trust, fortifying their value in an increasingly complex world.

How we can help

At PwC, we work across this ecosystem of regulated entities and third-party suppliers, with our multidisciplinary teams blending expertise in procurement, operational risk management, third-party trust, disaster recovery/business continuity planning (DR/BCP), and industry-specific knowledge. We help organisations build trust with boards, regulators, customers and third-party suppliers.

1. Under CPS 230, an MSP is one on which the entity relies to undertake a critical operation, or that exposes it to material operational risk.

2. APRA, APRA finalises new prudential standard on operational risk, July 2023

3. Under SOCI, critical and major suppliers are those that provide essential/significant goods or services to critical infrastructure. A "critical supplier" is an entity that provides essential goods or services directly to critical infrastructure assets. These suppliers are vital for the functioning, security and resilience of the infrastructure they support. This can include suppliers of utilities, information technology services, telecommunications, and other essential services. A "major supplier" encompasses entities that provide significant goods or services to critical infrastructure but may not be as integral as critical suppliers. They are crucial for the overall supply chain and operational continuity.

