APRA Executive Director of Cross-industry Risk Chris Gower speech to AFIA Risk Summit 2025

Preparing for the long haul: operational resilience in a shifting geopolitical environment
 

Good afternoon and thank you for the invitation to speak here today. 

In October 1991, one of the rarest meteorological events of the 20th century occurred when three separate storms aligned in the Atlantic Ocean off the coasts of New England, Nova Scotia and Newfoundland. This formed what is often referred to as “the 1991 Perfect Storm”, an event that at the time caused extensive damage along the United States and Canadian coastline.

Whilst I was not invited to this event today to speak about extreme weather events, I would like to draw parallels between the Perfect Storm of 1991, and the operational resilience headwinds brewing on the horizon for financial services entities today. 

These challenges have the potential to impact the stability of the financial system and the continuity of critical financial services which the community relies upon. And like the Perfect Storm of 1991, which was driven by three converging weather events, there are three converging risks in the operating environment that I would like to highlight today:

Firstly – technology continues to become deeply integrated into every aspect of our financial system. With this integration comes a growing operational dependence on that technology and, with that, vulnerability to cyber-attacks and other operational disruption.

Secondly – reliance on third parties to provide critical operations and technology continues to increase and, with this reliance, comes exposure to disruption from entities outside the financial system, including overseas-based service providers.

Thirdly – shifts in the geopolitical environment are likely to amplify risks to the financial system, including risks posed by cyber-attacks and third-party service providers, as well as risks from other sources, such as personnel risks associated with bad actors.

For financial sector entities, operational risks if poorly managed can quickly escalate to a loss of confidence and trust and could ultimately threaten the financial viability of the entity. Well-prepared entities will be those that have invested ahead of time in their resilience and have the capability to respond to events in a manner that retains the trust of key stakeholders. At a system level, geopolitical developments underscore the importance of continuing to build the resilience of the financial system, so that it is prepared for disruption and able to continue to serve the community.

At the same time, APRA is focused on ensuring that regulatory settings in this space are appropriately balanced and proportionate, allowing for an approach to risk management that enables responsible risk-taking and does not unduly inhibit innovation. In preparing to navigate the storms that may lie ahead, the objective is not to anchor the ship in the harbour, but to be smarter in how to prepare for the voyage. 

With this in mind, I will outline today: 

  • how developments in the operating environment, in particular the geopolitical context, can increase risks to the Australian financial system;

  • the actions that APRA, together with our Council of Financial Regulators (CFR) colleagues, is taking to ensure entities are strengthening their preparedness; and

  • the flexibility afforded to entities in designing and implementing risk management practices tailored to the size and complexity of their operations.

Learning the ropes

As we scan the horizon today, it will come as no surprise that Australian financial sector regulators are increasing their focus on the rapidly evolving geopolitical landscape. Indeed, several of our colleagues in the security and intelligence community have noted publicly the impact that geopolitical dynamics are having on the threat environment. 

Earlier this year, ASIO’s Director General of Security commented in his Annual Threat Assessment that “Australia is facing multifaceted, merging, intersecting, concurrent and cascading threats”, and acknowledged that the risk of foreign interference and espionage is “already at extreme levels” [1]. In 2024, Australia’s National Defence Strategy [2] recognised that malign actors – both state and non-state – are improving their cyber capabilities and increasing the risk of disruptions to Australia’s critical systems, infrastructure and networks. 

Although global developments taking place far from these shores can at times seem distant from our day-to-day business, there are various ways in which these events can transmit risk to the financial system. In some cases, this may be via traditional channels, such as credit, liquidity or market impacts, or operational events that could ultimately lead to financial impacts. In other cases, risks could materialise through less traditional routes, such as in the form of sanctions enforcement, or foreign interference via malicious insiders. 

Three recent events give us some insight into how potential risks, traditional and less traditional, can materialise:     

Earlier this year, APRA and other regulators engaged extensively with regulated entities to monitor the repercussions of significant volatility in financial markets, driven largely by shifts in international trade dynamics. For entities with significant exposures to relevant markets, there was considerable pressure both to understand the financial impacts at the time, and to plan for the longer-term implications of these policy shifts.  

Around the same time, we saw some superannuation funds fall victim to a co-ordinated credential stuffing attack, which resulted in a small number of members having their retirement savings stolen. This was one of a number of recent reminders that financial sector entities are already exposed to a range of increasingly sophisticated cyber threats from highly motivated and well-resourced actors.

Going back a couple of years further, sanctions imposed on Russia in response to its invasion of Ukraine prohibited financial sector entities from undertaking certain transactions with specified individuals and entities, and required strengthened controls to prevent these. While the implications of this for Australian financial sector entities were relatively contained at the time, it serves as a reminder of the challenges that could be presented if a similar scenario was to play out closer to home. 

These examples, alongside lessons from other recent events such as the rapid contagion from the failure of Silicon Valley Bank in 2023 and the global operational disruption caused by the CrowdStrike outage last year, highlight the heightened dependence across financial services, service providers and technology in an ever more interconnected world.

In response, regulators globally are engaging closely with industry to inform their view of the impact of these developments on financial stability, and the calibration of appropriate minimum standards. Financial sector entities, like other critical sectors of the economy, are being expected to strengthen processes to preserve the integrity of their premises, systems, and critical information assets, as well as improve planning for the risks that could lie ahead.

Charting a course

Here in Australia, as we set the course for the path ahead, regulators and industry are working closely together to increase the resilience and preparedness of the system, with three particular areas of focus that I’d like to highlight today: 

Firstly, APRA and industry have invested considerable time engaging on the new prudential standard CPS 230 Operational Risk Management, which will go live less than two weeks from now on the first of July. 

CPS 230 works to ensure that banks, insurers and superannuation funds have a comprehensive understanding of their supply chain vulnerabilities and develop contingency plans to mitigate potential disruptions. This includes conducting thorough risk assessments, establishing strong partnerships with key suppliers and implementing robust monitoring mechanisms to ensure continuity of operations.

CPS 230 is not “starting from zero” but rather building on foundations that have been in place for some years, through APRA’s soon-to-be-superseded prudential standards on Outsourcing and Business Continuity Management (CPS 231 and 232), as well as our enduring standards on Risk Management and Information Security (CPS 220 and 234). Continuous improvement is paramount to mature risk management and APRA adopts the same approach in our own prudential framework. 

Secondly, in the critical area of cyber preparedness, building on the principles in CPS 234, APRA continues to remind entities of their responsibilities to lift cyber resilience and strengthen response capability. Recent events have highlighted that baseline cyber resilience across many APRA-regulated entities is not at the level it needs to be given the rapidly evolving threat environment. 

Last week, APRA wrote to all superannuation funds reminding them of the requirements for robust authentication controls, including requiring faster and more holistic implementation of multi-factor authentication or equivalent controls for high-risk activities and privileged access. As the cyber clouds continue to darken overhead, entities must ensure they have battened down the hatches properly.

Thirdly, at a system level, the CFR continues to monitor the range of current and emerging vulnerabilities that could lead to, or amplify, financial instability in Australia. Heightened tensions, which are likely to fundamentally characterise global affairs for some time, are already leading to economic and financial fragmentation, and a further deterioration in the international security environment remains a risk for the global economy and financial system.

Against this backdrop, APRA and our CFR colleagues have this year commenced work on the CFR’s geopolitical work program, supporting member agencies and industry to strengthen the resilience of the financial system. This work sits alongside related initiatives, including the implementation of CPS 230 and new crisis management powers for financial market infrastructure.

Running a tight ship

So, for those business leaders who must steer the ship through this very uncertain outlook, what advice would I give and what does better practice look like? 

Through our recent engagement with industry on CPS 230, APRA has seen those entities that adopt a “resilience” rather than a “compliance” mindset rise to the challenge far more effectively. Indeed, we have generally heard from entities about the broader benefits of the CPS 230 process to risk management frameworks, with one CRO remarking to me that when dealing with a recent material event, they wished the standard was already in place, as they would have been better informed and able to make effective decisions. 

On the technology side, leaders will no doubt face many critical investment decisions as they undergo digital transformations and seek to utilise the unprecedented advancements of AI. But as APRA noted at this forum last year, the fundamental risk management questions for leaders to ask themselves remain broadly the same. Are appropriate cyber security controls in place to deal with AI-enabled threats? Has the entity considered AI risks introduced by third parties? Is data protected from misuse or theft, and do the right people have access to critical information and systems? As technology advances and becomes more complex, so too no doubt will the threats, emphasising the need for entities to continuously review their understanding and refresh solutions to these fundamental risk management questions. 

More broadly, I would point towards the enduring importance of an entity’s risk culture in helping to embed a sustained focus on operational resilience at all levels. APRA routinely undertakes “pulse checks” of the risk culture of entities, and our insights consistently reinforce the importance of training and awareness programs, creating a “speak-up” culture, and breaking down silos between teams to build end-to-end resilience. 

Looking outwards, entities should be deliberate in the steps taken to understand how shifts in the geopolitical environment may impact their risk profile. Under CPS 230, entities are expected to conduct scenario planning for a range of events, including geopolitical shocks, cyber incidents, and natural disasters. Through this important strategic activity entities can identify weaknesses and implement corrective measures to enhance resilience. 

Finally, of course, in this environment it is inevitable that operational disruptions will happen, so having effective and tested incident response plans is also important. Across the financial system and its key stakeholders, clear communication and established relationships are critical to ensuring a coordinated and swift response during a crisis.

Maintaining an even keel 

As entities navigate these choppy waters, APRA is acutely aware of the need to strike the right balance between safety and stability, and competition and efficiency considerations. 

APRA embeds a risk-based and proportional approach to prudential regulation, including differentiating between Significant Financial Institutions (SFIs) and non-SFIs within the prudential framework, something we have committed to review to ensure this continues to strike the right balance.

APRA’s objective is not to layer on more regulation but to enable smarter approaches to risk management. Through its focus on critical operations and the third parties who support those critical operations, CPS 230 is inherently proportionate to the relative complexity of an entity’s operations. APRA has also sought to adopt a balanced and proportionate approach to implementation by delaying certain parts for non-SFIs until 1 July 2026 and providing early visibility on our posture towards supervision of the new standard. 

Equally, APRA’s principles-based and technology-neutral approach to new innovations including AI, is mindful of striking the right balance between capturing the productivity enhancements of these innovations, while maintaining awareness of the inherent risks associated with new technology.

Preparing for the long haul

As those facing up to the 1991 Perfect Storm may have felt, today’s geopolitical landscape seems to present an unprecedented convergence of uncertainty and threats, which are likely to remain with us for some time to come. Wars, tariffs, economic sanctions and cyber-attacks can have immediate and profound impacts on financial markets, supply chains, and cross-border transactions. 

Setting out to sea in any storm, let alone the Perfect Storm, requires a well-prepared and experienced crew, and in reflecting on this, I was reminded of a quote from Franklin D. Roosevelt in which he said: “A smooth sea never made a skilled sailor”. FDR, an avid sailor, believed in the importance of facing and overcoming challenges head-on. This is a sentiment that we can all draw inspiration from today. 

While the period ahead undoubtedly presents unique challenges, it also offers us, as leaders, the opportunity to face these challenges head-on, sustaining a long-term focus on operational resilience, and in doing so strengthening the overall ability of the financial system to serve the community.
