With the 1 July 2025 deadline for CPS 230 compliance fast approaching, APRA-regulated financial institutions are under increasing pressure to strengthen their operational risk frameworks.
Speaking at the AFIA Risk Summit 2025, APRA's Executive Director of Cross-industry Risk, Chris Gower, stated:
“Geopolitical developments underscore the importance of continuing to build the resilience of the financial system, so that it is prepared for disruption and able to continue to serve the community.”
He’s right. We are operating in a more fragile, more interconnected world, and the line between geopolitical volatility and financial disruption is now impossible to ignore. Gower’s comments reinforced what many in the risk and resilience space have been saying: Australia’s financial sector needs to step up its operational resilience.
CPS 230, APRA’s new prudential standard on operational risk management, is a strong step forward — modern, principles-based, and focused. But it also leaves room for interpretation.
In markets like the UK, EU, and US, regulators have taken a more direct approach to third-party risk. For example:
...all name specific risks that financial institutions are expected to manage. These include supplier failure, service degradation, and concentration risk.
By contrast, CPS 230 leaves it to the financial institution (FI) to determine which risks are material and how to manage them. This can lead to important risks being deprioritised or missed altogether. When a risk isn’t named, it can be overlooked.
At Escode we work with financial institutions around the world, and one trend is constant: cyber risk dominates the conversation.
That’s not surprising. Cyber threats are high-profile, fast-evolving, and subject to intense scrutiny. But that focus often pushes non-cyber risks, like supplier failure, insolvency or over-reliance on one vendor, out of the spotlight.
In our experience, FIs tend to tackle these risks too late. By the time they do, the work to catch up is often complex and costly — especially when a regulator comes asking for evidence of resilience planning.
Even in jurisdictions where non-cyber risks are clearly named, they don’t always receive the attention they deserve. In Australia, where CPS 230 doesn’t name them explicitly, the risk of them being overlooked increases significantly.
Gower made this connection clear in his speech:
“Shifts in the geopolitical environment are likely to amplify risks to the financial system, including risks posed by cyber-attacks and third-party service providers, as well as risks from other sources, such as personnel risks associated with bad actors.”
He also warned that:
“Although global developments taking place far from these shores can at times seem distant... there are various ways in which these events can transmit risk to the financial system.”
This is a critical insight. Geopolitical instability flows into the financial system and directly impacts third-party relationships. Supply chains are exposed — and if a critical service provider fails due to external instability, your operational continuity is on the line.
APRA’s CPS 230 requires regulated entities to maintain business continuity plans. However, CPS 230 stops short of requiring detailed stressed exit plans, particularly for scenarios such as supplier insolvency. Unlike some international standards, the guidance in Australia leaves more room for interpretation.
The result? Gaps in preparedness, and inconsistent planning across institutions.
One proven way to mitigate these risks is through Software Escrow. Escrow enables access to business-critical systems and data if a vendor fails. It’s a practical step towards operational resilience.
With the right agreement in place — including regular verification — financial institutions can:
Software Escrow Verification proves that your business continuity plan works in practice. It confirms that the materials held in escrow are complete, functional, and can be deployed if needed.
In regions where these risks are explicitly regulated, software escrow is a growing part of compliance. In Australia, it offers a smart, proactive way to go beyond minimum requirements and align with global best practice.
Just because the regulator hasn’t named the risk doesn’t mean the risk isn’t there.
CPS 230 creates space for leadership. Australian FIs can choose to be proactive, taking clear steps to manage non-cyber risk, rather than waiting for more prescriptive requirements to emerge.
To learn more about how Escode's escrow services can help you implement operational resilience in line with CPS 230 and global expectations, download our CPS 230 Summary Guide.