
Best Third-Party Risk Management Practices in Australia to Comply With APRA


Countless organisations in Australia outsource to service providers for products and services, which can reduce costs and increase efficiency. However, outsourcing also comes with its own set of risks. When organisations use external service providers, vendors, or third parties, they may face data breaches, loss of sensitive information, and reputational damage. 

Other risks include compliance and regulatory violations, operational disruptions, financial losses, and legal disputes. The processes and practices of third-party risk management (TPRM) help identify, assess, and manage the risks associated with service provider relationships to prevent harm to your organisation and customers.

TPRM is a familiar business practice in Australia, but until the early 2000s it was mostly limited to the financial sector. Nowadays, it's an essential part of managing operational risk across all kinds of regulated and non-regulated entities. Although Australia is among the growing number of countries with formal industry-specific regulations and requirements for TPRM, those requirements have mostly applied to the financial industry.

The good news is that even non-regulated organisations can benefit from reviewing and understanding regulatory requirements. These requirements ensure a high standard for TPRM and, at their core, are excellent risk management practices to follow.

Best Third-Party Risk Management Practices From the Australian Prudential Regulation Authority 

It's essential to realise that regulators not only set standards and laws for specific industries, but they also shape TPRM best practices over time. The Australian Prudential Regulation Authority (APRA) has played a key role in establishing standards for TPRM practices in the financial industry. 

In 2017, APRA formalised prudential standard CPS 231 Outsourcing, which defined the expectations and requirements for outsourcing business activities to external service providers. More recently, APRA announced CPS 231 will be replaced by a new standard – CPS 230 Operational Risk Management. This not only builds on the foundational practices outlined in its preceding standard, but also expands them. 


Let’s look at 10 APRA regulatory requirements that are also accepted best practices in TPRM: 

  1. Develop a framework for managing third-party risks. A TPRM framework is a set of policies, procedures, and practices that organisations use to create a structured and systematic approach for managing third-party risks. A TPRM framework should consider: 
    • Governance arrangements for TPRM oversight 
    • Effective internal controls for managing service provider risks
    • Monitoring, analysis, and reporting of service provider risks
    • Escalation processes for service provider incidents and events
    • Processes for managing service provider arrangements
  2. Implement and maintain a TPRM policy. Organisations can benefit from establishing a policy that clearly defines the roles, responsibilities, rules, and requirements for identifying and managing risks associated with service providers. This policy will ensure everyone involved understands the expectations and responsibilities of managing such relationships at the organisation. Proper oversight is also necessary to ensure the TPRM policy is being followed effectively.
  3. Develop and maintain a register/inventory of your service providers. It’s essential to know who your organisation is doing business with, the products and services they provide, and if they are critical to your operations (material service providers).
  4. Identify material service providers. When determining if a service provider is material or not, organisations should consider the following: 
    • Whether the service is critical for business operations 
    • The range of services provided by the service provider
    • The nature of the services provided, including the risk of cyber threats or other operational risks that may harm your business, finances, or reputation
    • The level of difficulty involved in ending the contract and transitioning to another service provider or bringing the service in-house
    • Whether the service involves sensitive or critical information assets
  5. Identify material fourth parties. It’s important to understand that the risks associated with your direct service provider relationships can also extend to their supply chain. This is because service providers may rely on other service providers, known as fourth parties, who could also rely on other service providers – all of whom you have no direct contract or relationship with. This lack of visibility can make it difficult to effectively manage risks throughout the entire supply chain. Organisations should identify and focus on the fourth parties essential for delivering material services to your organisation or its customers and implement the following best practices: 
  6. Identify and assess third-party product, service, and relationship risks. Here are some key risks to identify:
    • Business continuity: The risk that a service provider won't be able to maintain or resume operations as the result of an unexpected event such as a natural disaster or cyber-attack.
    • Compliance: This results from the service provider’s failure to comply with laws or regulatory requirements, or the failure to follow your organisation's internal policies or business codes and standards.
    • Concentration: This is when an organisation depends on a single service provider for multiple products or services. Concentration risk is also when multiple service providers are located in the same geographic location and could be impacted by the same natural disaster, power outages, civil unrest, etc.
    • Cybersecurity: Data breaches and other types of information security vulnerabilities affect cyber risk. It’s also closely tied with operational risk, especially with a dependence on technology.
    • Financial: This risk refers to the possibility of your organisation losing revenue because of a service provider relationship, or more generally, the potential negative impact that relationship could have on your organisation's financial stability.
    • Geopolitical: Risks that exist when utilising service providers in another country or legal jurisdiction. 
    • Operational: Resulting from ineffective or failed internal processes, people, controls, or systems. This could be the result of internal control failures or external service provider control failures. It’s especially significant when considering material service providers, or the risk of relying on a service provider for your essential functions to operate effectively.
    • Reputation: Considers any of the ways your service provider could directly or indirectly damage your reputation, brand, or organisation's name. This harm could result from poor service, lawsuits, outages, fraud, or data breaches.
    • Financial health: Risk arising from the decline or poor financial health of a service provider, which impacts their ability to deliver quality products and services, fulfil contractual obligations, or remain operational.
    • Strategic: Occurs when a prospective or current service provider’s decisions and actions are incompatible with your organisation's strategic objectives.
    • Transactional: Present when the service provider processes or accepts financial transactions on your behalf.
  7. Conduct risk-based due diligence on your service providers. Due diligence is the process of verifying that your third party or service provider has appropriate and effective risk management practices and controls to mitigate known risks. It should be conducted before entering or modifying a service provider engagement. Due diligence should be scoped both on the level of risk presented by the service provider engagement and the specific types of risks that have been identified. The higher the risks, the more intensive and robust the due diligence must be.
  8. Use legally binding agreements. The use of formal and legally binding agreements is essential, especially for material service providers. Agreements should spell out the rights and responsibilities of both parties, detail service and performance expectations, require regulatory and legal compliance, require data protection and confidentiality, and outline termination clauses.
  9. Periodically re-assess risk and update due diligence. The risks associated with service providers can change as new risks emerge and existing risks evolve. For this reason, it’s a best practice to periodically review the risk profile of the service provider and re-validate that their risk practices and controls are sufficient to address any changing risks.
  10. Monitor your service provider’s risk and performance. Monitoring involves regularly reviewing essential information and the service provider’s engagement. It typically includes the following considerations: 
    • Measuring performance against agreed service levels and other expectations
    • Evaluating the control environment, business continuity capabilities, and information security capabilities
    • Assessing the impact of any significant changes to the service delivery location, key personnel, use of service providers, and the control environment, as well as any disruptions and operational risk incidents
    • Identifying issues and emerging risks
    • Evaluating the service provider's ongoing financial and non-financial viability, which is crucial for ensuring the services' sustainability

It's highly recommended that organisations follow these best practices for managing service provider relationships, even if they're not subject to regulatory requirements. By doing so, organisations can minimise the risk of negative impacts on their operations, assets, revenue, reputation, and customers.

Implementing these practices can also help organisations foster a culture of risk management and demonstrate a strong commitment to ensuring exacting standards of service provider management. This is particularly important for organisations that do business with regulated entities, as it will instill confidence in them by showing the organisation maintains the same high standards they’re held to.
