Skip to content

Is your vendor risk management program ready for the regulator?

Financial services regulators impose strict expectations when it comes to management of third-party risks. While fever runs hot across the economy over cyber risk exposures and information security, firms are expected to manage all types of risks that their vendors pose.

In July 2023, APRA finalised its CPS 230 Operational Risk Management standards, alongside draft practice guidance[1]. While it considers operational risk management broadly, the management of material service providers is a key pillar of the standard.

While CPS 234 Information Security[2] was not consolidated into CPS 230, it is mentioned, and there is overlap in requirements between the two standards. I’d suggest that in practice, APRA’s regulatory approach will consider both in conjunction. So how does your vendor risk management program stack up?

Let’s look at some of the key elements that relate to service providers, and how they link together.

Subscribe to our Knowledge Hub to make sure you catch the rest of our Vendor Risk Management blog series:

Subscribe now

Operational risk management profile

The concept of critical operations is foundational to the standard. To understand its operational risk profile, entities are expected to identify and document the processes and resources (information, systems, people and facilities) needed to deliver critical operations – including those provided or managed by service providers. This deeper understanding of critical operations enables identification of the associated risks, obligations and key controls.

The prevalence of third parties that provide systems, provide or process information, or otherwise have access to critical information, provides a bridge to the requirements to CPS 234 Information Security.

Service provider management policy

The standard requires a policy that sets out how the entity will identify and manage service providers arrangements, including those that are not considered material. Regulated entities will likely have existing policies to support existing outsourcing standards (which are being replaced by CPS 230), but will need to be updated to account for the more comprehensive definition of material service providers.

It should be already, but the standard serves as a reminder that accountability for third party risks ultimately rests with the board. If they aren’t already, ensure the board have sufficient awareness and oversight of how material service providers are managed, including their obligations under the standard. If you currently have separate outsourcing and third-party risk management policies and other artifacts, take the opportunity to consolidate them.

Register of material service providers

Entities will be required to maintain a register of its material service providers, and manage risks related to those providers. In practice (and suggested as better practice in APRA’s guidance), it makes sense to capture all service providers in a single location, and appropriately identify those that are material. This takes into account that the materiality of a service provider may change over time (and is easily updated), while also enabling centralized management and oversight of all service providers.

Initial due diligence and risk assessment

Before entering into an agreement with a material service provider, sufficient due diligence must be conducted, alongside assessing the risks from relying on the service provider. This includes an assessment of whether the service provider has sufficient capability to provide the services, has required authorisations, and can assist the entity to meet regulatory obligations.

APRA expects these assessments to be considered against risk appetite. While the standard was driven from operational risk failures and disruption, this should also include risks to all the entities objectives. Given the nature of some arrangements, assessing due diligence responses may require effort from multiple teams. This might include:

  • Information security teams if information is being shared or systems are being integrated
  • Business continuity teams to ensure appropriate integration with the entities (particularly with business continuity being another pillar of CPS 230)
  • Risk teams to assess specific risks as needed, or provide advice on controls that could be implemented
  • Compliance teams to assess service provider policies and their ability to meet obligations
  • ESG/sustainability teams may be required to assess vendors alignment with the entity’s ESG strategy

You’ll need to ensure that your vendor risk management program can tier your vendors based on their materiality, which can inform the level and types of due diligence and risk activities you need to take.

Particularly for IT-related services or where customer data is shared (CPS 234 is again relevant here), this due diligence may be comprehensive. Having a standard set of questionnaires and a consistent way to assess responses is essential. Initial tiering and the nature of the arrangement can allow you to focus on the set of questions relevant to each particular arrangement while enabling consistency. You might be comfortable evidencing a third party simply has a business continuity program; for material service providers, you will likely dig deeper into evidence into testing.

Manage material service provider risk

For each material arrangement, entities will need to manage risks related to the service providers ability to provide the service, other risks related to the service provider that might affect the entity, and ensure business continuity plans related to the arrangement can be executed.

This means that your vendor management program will need:

  • Ways to track risks related to the vendor, including incidents, issues and actions
  • Identification of controls to manage the identified risks, whether owned by the entity or the service provider
  • Documentation of those controls to enable monitoring and testing
  • Testing of business continuity plans that include the service provider

Monitoring, notifications and review

Entities must monitor and ensure that senior management receive reporting on material service arrangements. This must include assessment of:

  • Performance under the service agreement against agreed service levels
  • Effectiveness of controls to manage risks associated with the supplier
  • Compliance of both parties with the service provider agreement

Monitoring should also include updating risk assessments, and identifying any potential changes at the service provider, or internal processes, that have changed the nature of the relationship.

APRA’s guidance suggests that assessment of controls can include reporting, interviews, survey, testing, certification, attestations and independent assurance.

In order to be able to efficiently deliver this reporting, your vendor risk management program needs to capture this information systematically. This requires:

  • Scheduled control reviews to ensure their effectiveness is consistently assessed
  • Monitoring and workflow escalations when activities are not performed
  • Automated due diligence questionnaires to continuously collect required information from service providers
  • Efficient tools for service providers to upload or provide that information directly

While CPS 230 doesn’t require it explicitly, I’d also suggest that reporting on the performance of the vendor risk management program itself provides insight into how well these risks are being managed, and whether there are adequate resources to monitor service providers effectively. Are scheduled risk assessments being completed? Are due diligence questionnaires lingering? Are identified gaps or control weaknesses being addressed?

Key questions and next steps

Here are some key questions to ask about whether you are regulator-ready:

  • Do you have processes in place to identify the resources required (people, information, systems, and other assets) to support your critical operations, enabling you to effectively identify those owned or managed by service providers?
  • Is your due diligence sufficient? Do you have standards and processes that define the level of detail needed for each type of engagement? Do you make it easy for third parties to respond to due diligence enquiries?
  • Not all service providers are created equal – is the frequency of your risk assessments commensurate with the risks posed, driven by a standard risk management process and automation?
  • Are roles and responsibilities clear to enable effective governance? Is it clear who owns each third-party relationship, and who is responsible for specific tasks throughout the service provider lifecycle?

If you want to know more about your vendor risk profile, download our Vendor Risk Management eBook for a detailed step-by-step guide of to build an effective vendor risk management program.

Subscribe to our Knowledge Hub to make sure you catch the rest of our Vendor Risk Management blog series:

Subscribe now




About the author

Michael is passionate about the field of risk management and related disciplines, with a focus on helping organisations succeed using a ‘decisions eyes wide open’ approach. His experience includes managing risk functions, assurance programs, policy management, corporate insurance, and compliance. He is a Certified Practicing Risk Manager whose curiosity drives his approach to challenge the status quo and look for innovative solutions.