What a Megaberg Can Teach Us About Service Provider Risk

Thoughts about how to approach APRA’s new standard, CPS 230, and life after 1 July 2025

The world’s largest and most poetically named iceberg, A23a, is considered a megaberg by science wonks. With a surface area of approximately 3,500 square kilometres, about twice the size of the Tokyo megalopolis, it is on the big side.

If that doesn’t impress you, remember that because ice is not as dense as water, 90% of an iceberg sits below the surface. In the case of A23a, we’re talking about something that weighs almost a trillion tons, so mega might even sound modest.

Right now, in the Southern Ocean, A23a is on a collision course with South Georgia Island. It is less than three hundred kilometres away and drifting straight towards the island. We know that collisions with icebergs don’t go well.

Collisions with regulators, like the Australian Prudential Regulation Authority (APRA), don’t go well either. And APRA’s new cross-industry prudential standard has an iceberg quality about it, possibly even a megaberg. Also poetically named, CPS 230, it is designed to better manage risks associated with material service providers, especially around cybersecurity and operational risk.


Visibility across the extended vendor base is essential

Like an iceberg, CPS 230 has a hell of a lot going on beneath the surface. This is because CPS 230 requires regulated entities to take responsibility for third- and fourth-party service providers. Having visibility that extends this far allows for a much more realistic assessment of the future challenges your organisation may face.

So you, as a financial services organisation, are not just responsible for the service providers that you can see in your first-order vendor base. Under the new standard, you are also responsible for the businesses who supply them. These are businesses that have, up until now, been below the surface and out of your sight.

As you can imagine, being below the surface makes it much harder to see them clearly. Add to that the fact that some of your suppliers may be outside Australia, especially fourth-party businesses. Many of these will be unfamiliar with Australian laws and regulations and may have no affinity with your interests. This makes finding CPS 230-compliant solutions even more challenging.

The challenge becomes greater still when we add something of a multiplier dynamic to the situation. You are no longer dealing with one supplier who is easy to recognise and understand; there are often several suppliers sitting below the first-order service provider you have a contract with. From a compliance perspective, the one supplier you have has multiplied. Instead of one contract to manage and vouch for, you may now have several. And even where there is no contractual relationship, there may be licences and terms-of-use agreements that must be compliant. Equally, you may in fact have a contract with a fourth party but be unaware of it.

Also, remember that a good amount of corporate memory, including agreements and arrangements with suppliers, is in people’s heads rather than in documents. When people leave, that corporate memory is often lost with them. CPS 230 is a further incentive to try to capture this memory.

APRA is deadly serious about this regulation, and it would be unwise to think that just going through the motions will suffice. Remembering that APRA hit Medibank with a $250 million penalty for its recent cyber breach gives us some clue as to how seriously CPS 230 will be enforced.

It is easy to see how this potential new burden may well be an overhead that, at least in part, many organisations will feel they need to pass on to their customers. But that may not be the best way to think about CPS 230.


A standardised approach will enhance compliance

Unlike South Georgia Island, we can move to deal with the iceberg. Standardised mechanisms will enforce compliance.

CPS 230 is a mechanism of good governance, streamlined processes, and access to the data of your material service providers. From a procurement perspective, it is consistent with a next-generation approach in which commercial relationships are managed much more strategically: seeking greater visibility beyond the first order of suppliers, building better relationships, and creating value through collaboration and the expertise suppliers bring to those relationships.

Nonetheless, 1 July 2025 looms and compliance is the name of the game right now. Beyond July the issue becomes one of ongoing compliance management and this ongoing work also requires some clear thinking.

Even though CPS 230 is entirely about risk, the management of that risk is about procurement, finance and operations. Modern governance processes and quality data management are key to compliance. Procurement expertise will make the difference in how effectively an organisation manages compliance: whether it becomes a burden or, worse, leaves the organisation still exposed to risk because the visibility sought cannot practically be achieved.

In the same way that a glaciologist, who eats icebergs for breakfast, has the expertise to tell us everything we need to know about icebergs, especially the part below the surface, a procurement expert has the expertise on everything you need to know about your supply chains, especially the part below the surface: the use of off-shore resources, the systems that need to be in place, and how to develop and manage contracts.

Financial services organisations with next-generation procurement expertise know exactly where CPS 230 sits in the broader value chain. They know that rather than materially increasing operational costs, they can leverage technology and partner resources to manage third- and fourth-party relationships more effectively. Because, for next-generation procurement professionals, CPS 230 is not their first iceberg.
