On 18 June 2025, the Australian Prudential Regulation Authority (APRA) published a speech given at the AFIA Risk Summit by its Executive Director of Cross-industry Risk, Chris Gower, who draws parallels between the Perfect Storm of 1991 and the operational resilience headwinds brewing on the horizon for Australian financial services entities. The speech is entitled Preparing for the long haul: operational resilience in a shifting geopolitical environment.
Headwinds
In his speech Mr Gower highlights three converging risks in the operating environment:
- Technology – continues to become deeply integrated into every aspect of the financial system and, with that, heightened vulnerability to cyber-attacks and other operational disruption.
- Reliance on third parties to provide critical operations and technology – continues to increase and, with this reliance, comes exposure to disruption from entities outside the financial system, including overseas-based service providers.
- Shifts in the geopolitical environment – are likely to amplify risks to the financial system, including risks posed by cyber-attacks and third-party service providers, as well as risks from other sources, such as personnel risks associated with bad actors.
Charting a course
In terms of navigating these risks, Mr Gower discusses three areas of focus for regulators and industry working together to increase resilience:
- Operational risk management – the new prudential standard CPS 230 Operational Risk Management, which goes live on 1 July 2025.
- Cyber preparedness – building on the principles in CPS 234, APRA continues to remind entities of their responsibilities to lift cyber resilience and strengthen response capability. Most recently, APRA has provided a reminder to superannuation funds, as Mr Gower warns, ‘As the cyber clouds continue to darken overhead, entities must ensure they have battened down the hatches properly.’
- System-level monitoring – the Council of Financial Regulators is monitoring current and emerging vulnerabilities that could lead to, or amplify, financial instability in Australia. Its work includes a joint initiative with APRA to develop a geopolitical work program, which sits alongside related initiatives including the implementation of CPS 230 and the new crisis management powers for financial market infrastructure.
Steering the ship
For those business leaders steering their ship through this very uncertain outlook, Mr Gower makes the following points:
- Via the recent engagement on CPS 230, APRA has seen those entities that adopt a “resilience” rather than a “compliance” mindset rise to the challenge far more effectively.
- When making investment decisions on digital transformations, there are a number of questions entities need to ask from a risk management perspective. These include: Are appropriate cyber security controls in place to deal with AI-enabled threats? Has the entity considered AI risks introduced by third parties? Is data protected from misuse or theft, and do only the right people have access to critical information and systems?
- APRA routinely undertakes “pulse checks” of the risk culture of entities, and its insights consistently reinforce the importance of training and awareness programs, creating a “speak-up” culture, and breaking down silos between teams to build end-to-end resilience.
- Entities should take steps to understand how shifts in the geopolitical environment may impact their risk profile. Under CPS 230, entities are expected to conduct scenario planning for a range of events, including geopolitical shocks, cyber incidents, and natural disasters.
- Operational disruptions will happen, so having effective, regularly tested incident response plans is important.