Risk Management

What Is third-party risk? CPS 230 explained

Risk Insights Working Group
By Risk Insights Working Group Short read 2 June 2026
Hands of businessman gesturing ideas decisions with pen pointing leadership to work colleagues in business meeting at board room conference table

Claim your CPD points

With the introduction of APRA’s new Prudential Standard CPS 230 (Operational Risk Management), third-party risk has come to the forefront for many actuaries. 

This regulatory standard makes it clear that APRA expects financial institutions to identify their Material Service Providers, keep a register of those providers and actively manage the risks that arise from relying on them.

But what exactly is third party risk? Who are our third-parties and why do they matter so much to the way financial institutions operate today? This article provides a brief introduction to third-party risk and uses a recent news event to illustrate how these risks can arise in practice and why they deserve greater attention.

Third-party risk in plain English

Third‑party risk is the risk an organisation takes on when important work, technology or services are handled by outside companies. Even though the work is outsourced, the Board and the trustee are still responsible for the outcomes and must answer to members, regulators and other stakeholders.

Some examples of third-party risk include:

  • Technology failure: Cloud provider outage, prohibiting customers from accessing online banking
  • Data breach: An external IT company loses customer data
  • Processing errors: A payroll service miscalculates super contributions
  • Service delays: A call-centre provider fails to answer member queries in time.

If a third-party fails, it can cause operational disruption, financial loss, regulatory penalties, customer/member harm and damage to the organisation’s reputation.

Recent industry events have shown that poor oversight of major service providers — especially when switching to a new provider — can lead to serious service breakdowns and direct member harm. This has resulted in regulatory action and extra licence conditions for some corporations. APRA has made it clear that the Board and the trustee must show strong governance and risk management when overseeing critical operations and key service providers, with even higher expectations when services essential to customers and members are involved.

HESTA and CPS 230: A real-world case study

APRA imposes licence conditions on HESTA after outsourced admin transition failure  

APRA has imposed additional licence conditions on HESTA after identifying major risk management and governance deficiencies in the fund’s transition to an outsourced administration provider, which was finalised in June 2025. HESTA is one of Australia’s largest superannuation funds with 1.1 million members and approximately $100 billion in funds under management.

The regulator found HESTA was not adequately prepared to oversee or manage the transition, resulting in a “severe and prolonged disruption” that left members unable to access their funds for weeks causing direct harm to members. Under the new conditions, HESTA must undertake independent reviews of both its risk management framework and board effectiveness, with the reviews covering how the transition was managed [1]

APRA has consistently stressed that outsourcing does not remove a trustee’s responsibility. Poorly managed third‑party transitions often lead to member disruption, compliance failures and regulatory action.

Around the world, regulators have introduced new standards to strengthen outsourcing practices, recognising that growing reliance on external providers brings higher risks that must be addressed through stronger frameworks, controls and clear accountability.

In Australia, CPS 230 raises expectations for the governance of critical service providers and operational resilience. Similarly, in Europe, the supervisory authorities (EBA, ESMA, and EIOPA) have introduced the Digital Operational Resilience Act (DORA), which requires real‑time evidence of operational resilience, continuous monitoring and the ability to withstand disruptions originating deep within digital supply chains.

This article is just a starting point

This article is just the starting point. Third-party risk spans a broad and evolving landscape — from identifying Material Service Providers and building registers, to managing fourth-party exposures and meeting the real-time resilience requirements of frameworks like DORA.

Future articles from the Risk Insights Working Group will go deeper on each of these areas. In the meantime, if you're working in this space and want to contribute to a future article, we'd love to hear from you

References

[1] https://www.abc.net.au/

This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivatives CC BY-NC-ND Version 4.0.

About the authors
User.svg
Risk Insights Working Group
The Risk Insights Working Group (RIWG) is a group of Actuaries Institute members examining the risks shaping the profession and the communities actuaries serve.

How actuaries approach risk management

Actuaries help organisations identify, quantify and manage risk. Explore our latest thinking on risk management.

Discover more articles on Actuaries Digital
Hands of businessman gesturing ideas decisions with pen pointing leadership to work colleagues in business meeting at board room conference table

1 CPD Point

What Is third-party risk? CPS 230 explained

APRA's CPS 230 puts third-party risk front of mind for financial institutions. Here's what it means, why it matters and what the HESTA case study reveals.

Risk Insights Working Group
Risk Insights Working Group

2 June 2026

Cybersecurity specialist reviewing data breach alerts

1 CPD Point

Plastics, deepfakes and regulators: The risk stories you need to know

The Risk Insights Working Group shares must-reads risk stories and why these matter.

Risk Insights Working Group
Risk Insights Working Group

15 April 2026

Businessman and businesswoman in meeting using digital tablet and discussing business strategy

1 CPD Point

From geopolitics to claims inflation: Global conflict and the financial resilience of health insurers

Global geopolitical tensions can affect health insurers through claims inflation, investment volatility and affordability pressures with implications for stress testing and Financial Condition Reports.

Andrew Matthews
Andrew Matthews

31 March 2026

A collage of Risk Insights Working Group members Peter Yeates, Daniel Cheng, Kipp Freeman and Irene Yui

2 CPD Points

What risks are actuaries watching right now?

Geopolitical disruption. Cyber threats. Climate change. Data integrity. These are the risks the Risk Insights Working Group is tracking — and they affect real people. Meet the team and find out how to get involved.

Actuaries Institute
Actuaries Institute

26 March 2026

Aerial view of a residential neighbourhood submerged in floodwater, with rooftops, trees, and power lines partially visible above the surface.

1 CPD Point

Upgrading disaster risk models: Beyond logic trees

Logic trees can't capture cascading climate failures. Discover how Bayesian inference and causal hypergraphs are reshaping disaster and climate risk modelling.

Alexander Pui Erick R. Velasco-Reyes
Erick R. Velasco-Reyes, Alexander Pui

28 February 2026

Rice planting

1 CPD Point

Quantum global industry challenge

Our Australian Quantum Actuaries team placed runner-up in the World Bank Group's Global Industry Challenge. Here's how quantum computing could transform climate risk insurance for developing countries.

Dr Anthony LoweRamona Meyricke
Ramona Meyricke, Dr Anthony Lowe

15 February 2026

A multiracial, multigenerational group of people sit in the clinic waiting room

1 CPD Point

Time to Rethink Risk Equalisation to Save Gold Hospital

Australia's risk equalisation system leaves pregnancy, psychiatric care and weight-loss surgery largely unfunded, driving Gold premiums higher. Two reform pathways could rebalance costs while creating new trade-offs.

Gold Product Workstream Working Group
Gold Product Workstream Working Group

3 December 2025

A female psychologist advises a client.

1 CPD Point

Using Behavioural Science to Redesign the Life Insurance Application Journey

How behavioural science can redesigned life insurance forms to improve disclosure rates.

Caitlyn ParsonsRoger Brit
Roger Brit, Caitlyn Parsons

9 October 2025

Elevated view container ship loading/unloading Port of Melbourne Swanson Dock container terminal.

1 CPD Point

Cross-Border Trade and Insurance

As Australia expands trade agreements, businesses face new risks. Discover essential insurance coverages and how tariffs impact global trade protection.

Yiyang (Anita) He
Yiyang (Anita) He

1 October 2025

A snapshot of All Actuaries Summit 2025 session attendees.

1 CPD Point

Into the Fog: Rethinking Uncertainty and Risk in the Age of AI

How actuaries can harness neural networks to quantify uncertainty and strengthen decision-making in today’s evolving risk landscape.

Xiao Xu
Xiao Xu

24 September 2025

Akihabara. The historic electronics district has evolved into a shopping district for video games, anime, manga, and computer goods.

1 CPD Point

Why a Manga-Predicted Earthquake Scared Tourists and What It Reveals About Climate and Risk Communication

When a manga artist’s fictional earthquake prediction triggered mass cancellations to Japan, it revealed how fear and storytelling can outweigh science.

Alexander Pui Maura FeddersenErick R. Velasco-Reyes
Erick R. Velasco-Reyes, Maura Feddersen, Alexander Pui

16 September 2025

The Three Lines of Defence

1 CPD Point

The Three Lines of Defence – Where Do Actuaries Fit In?

In the first instalment of this article, Brett Riley considered the background to the Three Lines of Defence (3LOD) model. Here, he considers how actuaries fit into this construction.

Brett Riley
Brett Riley

19 July 2025

Corporate women examining risks on big display screens.

1 CPD Point

Left-Field Risks in 2025 Identified by Australian Actuaries

In the second article on emerging risks in 2025 identified by Australian actuaries, we examine ‘left-field’ risks; that is, risks which might not be widely recognised but have high potential impact.

Iain Bulcraig
Iain Bulcraig

4 June 2025

Young male design professional brainstorming while working on a computer in the office. His colleague is in the background.

1 CPD Point

Emerging Risks in 2025 Identified by Australian Actuaries

From climate volatility to quantum computing threats, the actuarial profession faces an evolving risk landscape. In late 2024, the Institute surveyed members to identify emerging risks across practice areas, with strong responses from those in general insurance, life insurance and risk management. Respondents identified both mainstream and ‘left-field’ concerns. In this article, we identify top mainstream risks

Iain Bulcraig
Iain Bulcraig

16 April 2025

1 CPD Point

AI Case Studies: Smart Homes, Smarter Insurance

What if your home could prevent insurance claims before they happen? As smart home technology becomes increasingly accessible, traditional home insurance models are changing–and actuaries can be at the forefront of this revolution. In our new series, AI Case Studies, we share hypothetical examples to illustrate how AI may transform insurance processes in real-world […]

Actuaries Institute
Actuaries Institute

25 March 2025

Advisor helping a senior woman at home (or mother and son)

1 CPD Point

Risk vs. Discrimination in Life Insurance

From time to time, I find myself explaining how insurers allow for risk in insurance pricing, product design and underwriting, particularly as this can be seen as a form of direct or indirect discrimination. Indeed, there are already exemptions in anti-discrimination legislation that allow insurers to discriminate in insurance pricing, product design and underwriting in […]

Kirsten Flynn
Kirsten Flynn

20 January 2025

Never miss an article

Subscribe to Actuaries Digital for free and receive the latest actuarial analysis, research, and commentary direct to your inbox

Subscribe for free
Woman working on her laptop across the Actuaries Institute logo and blue background
Log Logo

Resources

Qualification programs

The Institute

Follow us

© 2026 The Institute of Actuaries of Australia. All rights reserved.

Privacy PolicyTerms of Use