What is APRA CPS 230 and how does it affect third-party management?

CPS 230 (Operational Risk Management), effective from July 2025, requires APRA-regulated entities to identify material service providers, maintain a register of all service provider arrangements, conduct due diligence before engaging material providers, include specific provisions in contracts, and monitor provider performance. It represents a significant uplift in third-party risk management expectations for financial services.

How should third parties be risk-rated?

Third parties should be rated based on the criticality of the service they provide, the sensitivity of data they access, their financial stability, their security and compliance posture, concentration risk, and geographic/jurisdictional risk. A tiered approach (critical, high, medium, low) allows proportionate risk management effort.

What should be included in vendor contracts to manage risk?

Key contractual provisions include service level agreements, data protection and privacy obligations, security requirements, audit rights, business continuity and disaster recovery obligations, insurance requirements, incident notification obligations, subcontracting restrictions, termination and transition provisions, and regulatory compliance obligations.

Book Free Assessment Calculator

Third-Party Risk Management

Also known as:TPRMvendor risk managementsupplier risk managementoutsourcing risk management

The process of identifying, assessing, and managing the risks that arise from an organisation's relationships with external vendors, suppliers, contractors, and service providers.

In-Depth Explanation

Third-party risk management (TPRM) is the systematic approach to evaluating and controlling risks introduced by an organisation's external relationships. As businesses increasingly rely on outsourced services, cloud providers, and complex supply chains, TPRM has become critical.

Categories of third-party risk:

Operational risk: Service disruptions affecting business continuity
Cyber security risk: Data breaches through vendor systems
Compliance risk: Vendor non-compliance affecting the organisation
Financial risk: Vendor insolvency or financial instability
Reputational risk: Association with vendors engaged in unethical practices
Concentration risk: Over-reliance on a single vendor
Data privacy risk: Vendor handling of personal information
Geopolitical risk: Vendors in politically unstable regions

TPRM lifecycle:

Planning: Defining vendor management strategy and risk appetite
Due diligence: Pre-engagement assessment of vendor risks
Contracting: Including appropriate risk controls and obligations in contracts
Onboarding: Implementing operational controls and monitoring
Ongoing monitoring: Continuous assessment of vendor performance and risk
Issue management: Addressing identified issues and non-compliance
Offboarding: Secure termination of the vendor relationship

Regulatory expectations in Australia:

APRA CPS 230 (Operational Risk Management) includes specific requirements for material service providers
The Privacy Act requires organisations to take reasonable steps to protect personal information disclosed to third parties
ASIC RG 104 provides guidance on outsourcing for AFS licensees
The SOCI Act addresses third-party risks for critical infrastructure

Business Context

Third-party failures can directly impact the organisation through service disruptions, data breaches, and compliance violations. Effective TPRM protects against risks that are outside the organisation's direct control.

How Clever Ops Uses This

Clever Ops implements third-party risk management systems for Australian businesses, including vendor assessment frameworks, automated due diligence questionnaires, risk-scoring models, ongoing monitoring dashboards, and contract compliance tracking. We help clients manage their vendor ecosystem with confidence.

Example Use Case

"A business implements an automated vendor assessment platform that scores third-party risk across cyber security, financial stability, and compliance dimensions, with ongoing monitoring and periodic reassessment."